From ca6b7340714c6161337f508978b9834722be58dc Mon Sep 17 00:00:00 2001
From: Rain <6818611+Rain@users.noreply.github.com>
Date: Sat, 8 Oct 2022 18:04:01 -0400
Subject: firewall: T4612: Support arbitrary netmasks

Add support for arbitrary netmasks on source/destination addresses in
firewall rules. This is particularly useful with DHCPv6-PD when the
delegated prefix changes periodically.
---
 interface-definitions/firewall.xml.in                      |  4 ++++
 .../include/firewall/address-mask-ipv6.xml.i               | 14 ++++++++++++++
 interface-definitions/include/firewall/address-mask.xml.i  | 14 ++++++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 interface-definitions/include/firewall/address-mask-ipv6.xml.i
 create mode 100644 interface-definitions/include/firewall/address-mask.xml.i

(limited to 'interface-definitions')

diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 773e86f00..2ac9ca31b 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -411,6 +411,7 @@
                   #include <include/firewall/geoip.xml.i>
                   #include <include/firewall/source-destination-group-ipv6.xml.i>
                   #include <include/firewall/port.xml.i>
+                  #include <include/firewall/address-mask-ipv6.xml.i>
                 </children>
               </node>
               <node name="source">
@@ -422,6 +423,7 @@
                   #include <include/firewall/geoip.xml.i>
                   #include <include/firewall/source-destination-group-ipv6.xml.i>
                   #include <include/firewall/port.xml.i>
+                  #include <include/firewall/address-mask-ipv6.xml.i>
                 </children>
               </node>
               #include <include/firewall/common-rule.xml.i>
@@ -575,6 +577,7 @@
                   #include <include/firewall/geoip.xml.i>
                   #include <include/firewall/source-destination-group.xml.i>
                   #include <include/firewall/port.xml.i>
+                  #include <include/firewall/address-mask.xml.i>
                 </children>
               </node>
               <node name="source">
@@ -586,6 +589,7 @@
                   #include <include/firewall/geoip.xml.i>
                   #include <include/firewall/source-destination-group.xml.i>
                   #include <include/firewall/port.xml.i>
+                  #include <include/firewall/address-mask.xml.i>
                 </children>
               </node>
               #include <include/firewall/common-rule.xml.i>
diff --git a/interface-definitions/include/firewall/address-mask-ipv6.xml.i b/interface-definitions/include/firewall/address-mask-ipv6.xml.i
new file mode 100644
index 000000000..8c0483209
--- /dev/null
+++ b/interface-definitions/include/firewall/address-mask-ipv6.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/address-mask-ipv6.xml.i -->
+<leafNode name="address-mask">
+  <properties>
+    <help>IP mask</help>
+    <valueHelp>
+      <format>ipv6</format>
+      <description>IP mask to apply</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv6"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/address-mask.xml.i b/interface-definitions/include/firewall/address-mask.xml.i
new file mode 100644
index 000000000..7f6f17d1e
--- /dev/null
+++ b/interface-definitions/include/firewall/address-mask.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/address-mask.xml.i -->
+<leafNode name="address-mask">
+  <properties>
+    <help>IP mask</help>
+    <valueHelp>
+      <format>ipv4</format>
+      <description>IPv4 mask to apply</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv4-address"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
-- 
cgit v1.2.3