From fdeba8da3e99256fe449e331d0b833a941315226 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Wed, 28 Jul 2021 12:03:21 +0200
Subject: firewall: T2199: Migrate firewall to XML/Python

---
 interface-definitions/firewall.xml.in              | 75 ++++++--------------
 .../include/firewall/action.xml.i                  | 16 +++--
 .../include/firewall/common-rule.xml.i             | 54 +++++++++++----
 .../firewall/source-destination-group-ipv6.xml.i   | 33 +++++++++
 .../firewall/source-destination-group.xml.i        |  9 +++
 .../interface/interface-firewall-vif-c.xml.i       | 79 ++++++++++++++++++++++
 .../include/interface/interface-firewall-vif.xml.i | 79 ++++++++++++++++++++++
 .../include/interface/interface-firewall.xml.i     | 79 ++++++++++++++++++++++
 .../include/interface/vif-s.xml.i                  |  2 +
 interface-definitions/include/interface/vif.xml.i  |  1 +
 interface-definitions/interfaces-bonding.xml.in    |  1 +
 interface-definitions/interfaces-bridge.xml.in     |  1 +
 interface-definitions/interfaces-dummy.xml.in      |  1 +
 interface-definitions/interfaces-ethernet.xml.in   |  1 +
 interface-definitions/interfaces-geneve.xml.in     |  1 +
 interface-definitions/interfaces-l2tpv3.xml.in     |  1 +
 interface-definitions/interfaces-macsec.xml.in     |  1 +
 interface-definitions/interfaces-openvpn.xml.in    |  1 +
 interface-definitions/interfaces-pppoe.xml.in      |  1 +
 .../interfaces-pseudo-ethernet.xml.in              |  1 +
 interface-definitions/interfaces-tunnel.xml.in     |  1 +
 interface-definitions/interfaces-vti.xml.in        |  1 +
 interface-definitions/interfaces-vxlan.xml.in      |  1 +
 interface-definitions/interfaces-wireguard.xml.in  |  1 +
 interface-definitions/interfaces-wireless.xml.in   |  1 +
 interface-definitions/interfaces-wwan.xml.in       |  1 +
 26 files changed, 368 insertions(+), 75 deletions(-)
 create mode 100644 interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
 create mode 100644 interface-definitions/include/interface/interface-firewall-vif-c.xml.i
 create mode 100644 interface-definitions/include/interface/interface-firewall-vif.xml.i
 create mode 100644 interface-definitions/include/interface/interface-firewall.xml.i

(limited to 'interface-definitions')

diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index f07c619a8..1bb7fb4a1 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <interfaceDefinition>
-  <node name="nfirewall" owner="${vyos_conf_scripts_dir}/firewall.py">
+  <node name="firewall" owner="${vyos_conf_scripts_dir}/firewall.py">
     <properties>
       <priority>199</priority>
       <help>Firewall</help>
@@ -24,6 +24,7 @@
             <regex>^(enable|disable)$</regex>
           </constraint>
         </properties>
+        <defaultValue>enable</defaultValue>
       </leafNode>
       <leafNode name="broadcast-ping">
         <properties>
@@ -43,6 +44,7 @@
             <regex>^(enable|disable)$</regex>
           </constraint>
         </properties>
+        <defaultValue>disable</defaultValue>
       </leafNode>
       <leafNode name="config-trap">
         <properties>
@@ -62,6 +64,7 @@
             <regex>^(enable|disable)$</regex>
           </constraint>
         </properties>
+        <defaultValue>disable</defaultValue>
       </leafNode>
       <node name="group">
         <properties>
@@ -203,6 +206,7 @@
             <regex>^(enable|disable)$</regex>
           </constraint>
         </properties>
+        <defaultValue>disable</defaultValue>
       </leafNode>
       <tagNode name="ipv6-name">
         <properties>
@@ -225,7 +229,7 @@
                 </properties>
                 <children>
                   #include <include/firewall/address-ipv6.xml.i>
-                  #include <include/firewall/source-destination-group.xml.i>
+                  #include <include/firewall/source-destination-group-ipv6.xml.i>
                   #include <include/firewall/port.xml.i>
                 </children>
               </node>
@@ -235,7 +239,7 @@
                 </properties>
                 <children>
                   #include <include/firewall/address-ipv6.xml.i>
-                  #include <include/firewall/source-destination-group.xml.i>
+                  #include <include/firewall/source-destination-group-ipv6.xml.i>
                   #include <include/firewall/port.xml.i>
                 </children>
               </node>
@@ -292,7 +296,7 @@
                     <properties>
                       <help>ICMP type-name</help>
                       <completionHelp>
-                        <list>any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply</list>
+                        <list>any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply packet-too-big</list>
                       </completionHelp>
                       <valueHelp>
                         <format>any</format>
@@ -454,63 +458,18 @@
                         <format>address-mask-reply</format>
                         <description>ICMP type/code name</description>
                       </valueHelp>
+                      <valueHelp>
+                        <format>packet-too-big</format>
+                        <description>ICMP type/code name</description>
+                      </valueHelp>
                       <constraint>
-                        <regex>^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$</regex>
+                        <regex>^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply|packet-too-big)$</regex>
                         <validator name="numeric" argument="--range 0-255"/>
                       </constraint>
                     </properties>
                   </leafNode>
                 </children>
               </node>
-              <node name="p2p">
-                <properties>
-                  <help>P2P application packets</help>
-                </properties>
-                <children>
-                  <leafNode name="all">
-                    <properties>
-                      <help>AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets</help>
-                      <valueless/>
-                    </properties>
-                  </leafNode>
-                  <leafNode name="applejuice">
-                    <properties>
-                      <help>AppleJuice application packets</help>
-                      <valueless/>
-                    </properties>
-                  </leafNode>
-                  <leafNode name="bittorrent">
-                    <properties>
-                      <help>BitTorrent application packets</help>
-                      <valueless/>
-                    </properties>
-                  </leafNode>
-                  <leafNode name="directconnect">
-                    <properties>
-                      <help>Direct Connect application packets</help>
-                      <valueless/>
-                    </properties>
-                  </leafNode>
-                  <leafNode name="edonkey">
-                    <properties>
-                      <help>eDonkey/eMule application packets</help>
-                      <valueless/>
-                    </properties>
-                  </leafNode>
-                  <leafNode name="gnutella">
-                    <properties>
-                      <help>Gnutella application packets</help>
-                      <valueless/>
-                    </properties>
-                  </leafNode>
-                  <leafNode name="kazaa">
-                    <properties>
-                      <help>KaZaA application packets</help>
-                      <valueless/>
-                    </properties>
-                  </leafNode>
-                </children>
-              </node>
             </children>
           </tagNode>
         </children>
@@ -533,6 +492,7 @@
             <regex>^(enable|disable)$</regex>
           </constraint>
         </properties>
+        <defaultValue>disable</defaultValue>
       </leafNode>
       <leafNode name="ipv6-src-route">
         <properties>
@@ -552,6 +512,7 @@
             <regex>^(enable|disable)$</regex>
           </constraint>
         </properties>
+        <defaultValue>disable</defaultValue>
       </leafNode>
       <leafNode name="log-martians">
         <properties>
@@ -571,6 +532,7 @@
             <regex>^(enable|disable)$</regex>
           </constraint>
         </properties>
+        <defaultValue>enable</defaultValue>
       </leafNode>
       <tagNode name="name">
         <properties>
@@ -662,6 +624,7 @@
             <regex>^(enable|disable)$</regex>
           </constraint>
         </properties>
+        <defaultValue>disable</defaultValue>
       </leafNode>
       <leafNode name="send-redirects">
         <properties>
@@ -681,6 +644,7 @@
             <regex>^(enable|disable)$</regex>
           </constraint>
         </properties>
+        <defaultValue>enable</defaultValue>
       </leafNode>
       <leafNode name="source-validation">
         <properties>
@@ -704,6 +668,7 @@
             <regex>^(strict|loose|disable)$</regex>
           </constraint>
         </properties>
+        <defaultValue>disable</defaultValue>
       </leafNode>
       <node name="state-policy">
         <properties>
@@ -757,6 +722,7 @@
             <regex>^(enable|disable)$</regex>
           </constraint>
         </properties>
+        <defaultValue>enable</defaultValue>
       </leafNode>
       <leafNode name="twa-hazards-protection">
         <properties>
@@ -776,6 +742,7 @@
             <regex>^(enable|disable)$</regex>
           </constraint>
         </properties>
+        <defaultValue>disable</defaultValue>
       </leafNode>
     </children>
   </node>
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
index 230f590cb..4ba93e3aa 100644
--- a/interface-definitions/include/firewall/action.xml.i
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -3,18 +3,22 @@
   <properties>
     <help>Rule action [REQUIRED]</help>
     <completionHelp>
-      <list>permit deny</list>
+      <list>accept reject drop</list>
     </completionHelp>
     <valueHelp>
-      <format>permit</format>
-      <description>Permit matching entries</description>
+      <format>accept</format>
+      <description>Accept matching entries</description>
     </valueHelp>
     <valueHelp>
-      <format>deny</format>
-      <description>Deny matching entries</description>
+      <format>reject</format>
+      <description>Reject matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop matching entries</description>
     </valueHelp>
     <constraint>
-      <regex>^(permit|deny)$</regex>
+      <regex>^(accept|reject|drop)$</regex>
     </constraint>
   </properties>
 </leafNode>
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index a59c0b390..415b6bf00 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -55,7 +55,7 @@
         <help>Maximum number of packets to allow in excess of rate</help>
         <valueHelp>
           <format>u32:0-4294967295</format>
-          <description>burst__change_me</description>
+          <description>Maximum number of packets to allow in excess of rate</description>
         </valueHelp>
         <constraint>
           <validator name="numeric" argument="--range 0-4294967295"/>
@@ -67,7 +67,7 @@
         <help>Maximum average matching rate</help>
         <valueHelp>
           <format>u32:0-4294967295</format>
-          <description>rate__change_me</description>
+          <description>Maximum average matching rate</description>
         </valueHelp>
         <constraint>
           <validator name="numeric" argument="--range 0-4294967295"/>
@@ -121,7 +121,6 @@
       <validator name="ip-protocol"/>
     </constraint>
   </properties>
-  <defaultValue>all</defaultValue>
 </leafNode>
 <node name="recent">
   <properties>
@@ -285,40 +284,65 @@
     <help>Time to match rule</help>
   </properties>
   <children>
-    <leafNode name="monthdays">
-      <properties>
-        <help>Monthdays to match rule on</help>
-      </properties>
-    </leafNode>
     <leafNode name="startdate">
       <properties>
         <help>Date to start matching rule</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Enter date using following notation - YYYY-MM-DD</description>
+        </valueHelp>
+        <constraint>
+          <regex>^(\d{4}\-\d{2}\-\d{2})$</regex>
+        </constraint>
       </properties>
     </leafNode>
     <leafNode name="starttime">
       <properties>
         <help>Time of day to start matching rule</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Enter time using using 24 hour notation - hh:mm:ss</description>
+        </valueHelp>
+        <constraint>
+          <regex>^([0-2][0-9](\:[0-5][0-9]){1,2})$</regex>
+        </constraint>
       </properties>
     </leafNode>
     <leafNode name="stopdate">
       <properties>
         <help>Date to stop matching rule</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Enter date using following notation - YYYY-MM-DD</description>
+        </valueHelp>
+        <constraint>
+          <regex>^(\d{4}\-\d{2}\-\d{2})$</regex>
+        </constraint>
       </properties>
     </leafNode>
     <leafNode name="stoptime">
       <properties>
         <help>Time of day to stop matching rule</help>
-      </properties>
-    </leafNode>
-    <leafNode name="utc">
-      <properties>
-        <help>Interpret times for startdate, stopdate, starttime and stoptime to be UTC</help>
-        <valueless/>
+        <valueHelp>
+          <format>txt</format>
+          <description>Enter time using using 24 hour notation - hh:mm:ss</description>
+        </valueHelp>
+        <constraint>
+          <regex>^([0-2][0-9](\:[0-5][0-9]){1,2})$</regex>
+        </constraint>
       </properties>
     </leafNode>
     <leafNode name="weekdays">
       <properties>
-        <help>Weekdays to match rule on</help>
+        <help>Comma separated weekdays to match rule on</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
+        </valueHelp>
+        <valueHelp>
+          <format>u32:0-6</format>
+          <description>Day number (0 = Sunday ... 6 = Saturday)</description>
+        </valueHelp>
       </properties>
     </leafNode>
   </children>
diff --git a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
new file mode 100644
index 000000000..7815b78d4
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
@@ -0,0 +1,33 @@
+<!-- include start from firewall/source-destination-group-ipv6.xml.i -->
+<node name="group">
+  <properties>
+    <help>Group</help>
+  </properties>
+  <children>
+    <leafNode name="address-group">
+      <properties>
+        <help>Group of addresses</help>
+        <completionHelp>
+          <path>firewall group ipv6-address-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="network-group">
+      <properties>
+        <help>Group of networks</help>
+        <completionHelp>
+          <path>firewall group ipv6-network-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="port-group">
+      <properties>
+        <help>Group of ports</help>
+        <completionHelp>
+          <path>firewall group port-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/source-destination-group.xml.i b/interface-definitions/include/firewall/source-destination-group.xml.i
index 30226b0d8..9a9bed0fe 100644
--- a/interface-definitions/include/firewall/source-destination-group.xml.i
+++ b/interface-definitions/include/firewall/source-destination-group.xml.i
@@ -7,16 +7,25 @@
     <leafNode name="address-group">
       <properties>
         <help>Group of addresses</help>
+        <completionHelp>
+          <path>firewall group address-group</path>
+        </completionHelp>
       </properties>
     </leafNode>
     <leafNode name="network-group">
       <properties>
         <help>Group of networks</help>
+        <completionHelp>
+          <path>firewall group network-group</path>
+        </completionHelp>
       </properties>
     </leafNode>
     <leafNode name="port-group">
       <properties>
         <help>Group of ports</help>
+        <completionHelp>
+          <path>firewall group port-group</path>
+        </completionHelp>
       </properties>
     </leafNode>
   </children>
diff --git a/interface-definitions/include/interface/interface-firewall-vif-c.xml.i b/interface-definitions/include/interface/interface-firewall-vif-c.xml.i
new file mode 100644
index 000000000..1bc235fcb
--- /dev/null
+++ b/interface-definitions/include/interface/interface-firewall-vif-c.xml.i
@@ -0,0 +1,79 @@
+<!-- include start from interface/interface-firewall-vif-c.xml.i -->
+<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall-interface.py $VAR(../../../@).$VAR(../../@).$VAR(../@)">
+  <properties>
+    <priority>615</priority>
+    <help>Firewall options</help>
+  </properties>
+  <children>
+    <node name="in">
+      <properties>
+        <help>forwarded packets on inbound interface</help>
+      </properties>
+      <children>
+        <leafNode name="name">
+          <properties>
+            <help>Inbound IPv4 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv6-name">
+          <properties>
+            <help>Inbound IPv6 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall ipv6-name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+    <node name="out">
+      <properties>
+        <help>forwarded packets on outbound interface</help>
+      </properties>
+      <children>
+        <leafNode name="name">
+          <properties>
+            <help>Outbound IPv4 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv6-name">
+          <properties>
+            <help>Outbound IPv6 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall ipv6-name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+    <node name="local">
+      <properties>
+        <help>packets destined for this router</help>
+      </properties>
+      <children>
+        <leafNode name="name">
+          <properties>
+            <help>Local IPv4 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv6-name">
+          <properties>
+            <help>Local IPv6 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall ipv6-name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/interface/interface-firewall-vif.xml.i b/interface-definitions/include/interface/interface-firewall-vif.xml.i
new file mode 100644
index 000000000..a37ac5c4a
--- /dev/null
+++ b/interface-definitions/include/interface/interface-firewall-vif.xml.i
@@ -0,0 +1,79 @@
+<!-- include start from interface/interface-firewall-vif.xml.i -->
+<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall-interface.py $VAR(../../@).$VAR(../@)">
+  <properties>
+    <priority>615</priority>
+    <help>Firewall options</help>
+  </properties>
+  <children>
+    <node name="in">
+      <properties>
+        <help>forwarded packets on inbound interface</help>
+      </properties>
+      <children>
+        <leafNode name="name">
+          <properties>
+            <help>Inbound IPv4 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv6-name">
+          <properties>
+            <help>Inbound IPv6 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall ipv6-name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+    <node name="out">
+      <properties>
+        <help>forwarded packets on outbound interface</help>
+      </properties>
+      <children>
+        <leafNode name="name">
+          <properties>
+            <help>Outbound IPv4 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv6-name">
+          <properties>
+            <help>Outbound IPv6 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall ipv6-name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+    <node name="local">
+      <properties>
+        <help>packets destined for this router</help>
+      </properties>
+      <children>
+        <leafNode name="name">
+          <properties>
+            <help>Local IPv4 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv6-name">
+          <properties>
+            <help>Local IPv6 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall ipv6-name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/interface/interface-firewall.xml.i b/interface-definitions/include/interface/interface-firewall.xml.i
new file mode 100644
index 000000000..b3f20c3bf
--- /dev/null
+++ b/interface-definitions/include/interface/interface-firewall.xml.i
@@ -0,0 +1,79 @@
+<!-- include start from interface/interface-firewall.xml.i -->
+<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall-interface.py $VAR(../@)">
+  <properties>
+    <priority>615</priority>
+    <help>Firewall options</help>
+  </properties>
+  <children>
+    <node name="in">
+      <properties>
+        <help>forwarded packets on inbound interface</help>
+      </properties>
+      <children>
+        <leafNode name="name">
+          <properties>
+            <help>Inbound IPv4 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv6-name">
+          <properties>
+            <help>Inbound IPv6 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall ipv6-name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+    <node name="out">
+      <properties>
+        <help>forwarded packets on outbound interface</help>
+      </properties>
+      <children>
+        <leafNode name="name">
+          <properties>
+            <help>Outbound IPv4 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv6-name">
+          <properties>
+            <help>Outbound IPv6 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall ipv6-name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+    <node name="local">
+      <properties>
+        <help>packets destined for this router</help>
+      </properties>
+      <children>
+        <leafNode name="name">
+          <properties>
+            <help>Local IPv4 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+        <leafNode name="ipv6-name">
+          <properties>
+            <help>Local IPv6 firewall ruleset name for interface</help>
+            <completionHelp>
+              <path>firewall ipv6-name</path>
+            </completionHelp>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i
index e7ba6d193..caa5248ab 100644
--- a/interface-definitions/include/interface/vif-s.xml.i
+++ b/interface-definitions/include/interface/vif-s.xml.i
@@ -18,6 +18,7 @@
     #include <include/interface/dhcpv6-options.xml.i>
     #include <include/interface/disable-link-detect.xml.i>
     #include <include/interface/disable.xml.i>
+    #include <include/interface/interface-firewall-vif.xml.i>
     <leafNode name="protocol">
       <properties>
         <help>Protocol used for service VLAN (default: 802.1ad)</help>
@@ -63,6 +64,7 @@
         #include <include/interface/mac.xml.i>
         #include <include/interface/mtu-68-16000.xml.i>
         #include <include/interface/vrf.xml.i>
+        #include <include/interface/interface-firewall-vif-c.xml.i>
       </children>
     </tagNode>
     #include <include/interface/vrf.xml.i>
diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i
index 5644c554f..a2382cc1b 100644
--- a/interface-definitions/include/interface/vif.xml.i
+++ b/interface-definitions/include/interface/vif.xml.i
@@ -19,6 +19,7 @@
     #include <include/interface/disable-link-detect.xml.i>
     #include <include/interface/disable.xml.i>
     #include <include/interface/vrf.xml.i>
+    #include <include/interface/interface-firewall-vif.xml.i>
     <leafNode name="egress-qos">
       <properties>
         <help>VLAN egress QoS</help>
diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in
index 17879cf1e..03cbb523d 100644
--- a/interface-definitions/interfaces-bonding.xml.in
+++ b/interface-definitions/interfaces-bonding.xml.in
@@ -56,6 +56,7 @@
           #include <include/interface/disable.xml.i>
           #include <include/interface/vrf.xml.i>
           #include <include/interface/mirror.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <leafNode name="hash-policy">
             <properties>
               <help>Bonding transmit hash policy</help>
diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in
index 144f43f32..ebf6c3631 100644
--- a/interface-definitions/interfaces-bridge.xml.in
+++ b/interface-definitions/interfaces-bridge.xml.in
@@ -41,6 +41,7 @@
           #include <include/interface/disable.xml.i>
           #include <include/interface/vrf.xml.i>
           #include <include/interface/mtu-68-16000.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <leafNode name="forwarding-delay">
             <properties>
               <help>Forwarding delay</help>
diff --git a/interface-definitions/interfaces-dummy.xml.in b/interface-definitions/interfaces-dummy.xml.in
index 2bc88c1a7..c6061b8bb 100644
--- a/interface-definitions/interfaces-dummy.xml.in
+++ b/interface-definitions/interfaces-dummy.xml.in
@@ -19,6 +19,7 @@
           #include <include/interface/address-ipv4-ipv6.xml.i>
           #include <include/interface/description.xml.i>
           #include <include/interface/disable.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <node name="ip">
             <properties>
               <help>IPv4 routing parameters</help>
diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in
index ceeda12a0..3868ebbbc 100644
--- a/interface-definitions/interfaces-ethernet.xml.in
+++ b/interface-definitions/interfaces-ethernet.xml.in
@@ -31,6 +31,7 @@
           </leafNode>
           #include <include/interface/disable-link-detect.xml.i>
           #include <include/interface/disable.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <leafNode name="duplex">
             <properties>
               <help>Duplex mode</help>
diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in
index 2ca7dd9f6..06ad7c82b 100644
--- a/interface-definitions/interfaces-geneve.xml.in
+++ b/interface-definitions/interfaces-geneve.xml.in
@@ -23,6 +23,7 @@
           #include <include/interface/ipv6-options.xml.i>
           #include <include/interface/mac.xml.i>
           #include <include/interface/mtu-1450-16000.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <node name="parameters">
             <properties>
               <help>GENEVE tunnel parameters</help>
diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in
index 9364c85cd..c5bca4408 100644
--- a/interface-definitions/interfaces-l2tpv3.xml.in
+++ b/interface-definitions/interfaces-l2tpv3.xml.in
@@ -32,6 +32,7 @@
             <defaultValue>5000</defaultValue>
           </leafNode>
           #include <include/interface/disable.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <leafNode name="encapsulation">
             <properties>
               <help>Encapsulation type (default: UDP)</help>
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index 4a566ef8b..5713d985b 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -19,6 +19,7 @@
           #include <include/interface/address-ipv4-ipv6.xml.i>
           #include <include/interface/ipv4-options.xml.i>
           #include <include/interface/ipv6-options.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <node name="security">
             <properties>
               <help>Security/Encryption Settings</help>
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 6b4440688..1fe8e63f8 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -34,6 +34,7 @@
             </children>
           </node>
           #include <include/interface/description.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <leafNode name="device-type">
             <properties>
               <help>OpenVPN interface device-type (default: tun)</help>
diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in
index 57bb01258..d9c30031e 100644
--- a/interface-definitions/interfaces-pppoe.xml.in
+++ b/interface-definitions/interfaces-pppoe.xml.in
@@ -19,6 +19,7 @@
           #include <include/pppoe-access-concentrator.xml.i>
           #include <include/interface/authentication.xml.i>
           #include <include/interface/dial-on-demand.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <leafNode name="default-route">
             <properties>
               <help>Default route insertion behaviour (default: auto)</help>
diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in
index 366892032..974ba1a50 100644
--- a/interface-definitions/interfaces-pseudo-ethernet.xml.in
+++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in
@@ -27,6 +27,7 @@
           #include <include/interface/ipv6-options.xml.i>
           #include <include/source-interface-ethernet.xml.i>
           #include <include/interface/mac.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <leafNode name="mode">
             <properties>
               <help>Receive mode (default: private)</help>
diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in
index cca732f82..b95f07a4b 100644
--- a/interface-definitions/interfaces-tunnel.xml.in
+++ b/interface-definitions/interfaces-tunnel.xml.in
@@ -30,6 +30,7 @@
           #include <include/source-address-ipv4-ipv6.xml.i>
           #include <include/interface/tunnel-remote.xml.i>
           #include <include/source-interface.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <leafNode name="6rd-prefix">
             <properties>
               <help>6rd network prefix</help>
diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in
index b12434ae7..a8a330f32 100644
--- a/interface-definitions/interfaces-vti.xml.in
+++ b/interface-definitions/interfaces-vti.xml.in
@@ -35,6 +35,7 @@
           #include <include/interface/ipv6-options.xml.i>
           #include <include/interface/mtu-68-16000.xml.i>
           #include <include/interface/vrf.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
         </children>
       </tagNode>
     </children>
diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in
index 0a8a88596..c5bb0c8f2 100644
--- a/interface-definitions/interfaces-vxlan.xml.in
+++ b/interface-definitions/interfaces-vxlan.xml.in
@@ -41,6 +41,7 @@
           #include <include/interface/ipv6-options.xml.i>
           #include <include/interface/mac.xml.i>
           #include <include/interface/mtu-1200-16000.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <leafNode name="mtu">
             <defaultValue>1450</defaultValue>
           </leafNode>
diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in
index 403282e5c..c96b3d46b 100644
--- a/interface-definitions/interfaces-wireguard.xml.in
+++ b/interface-definitions/interfaces-wireguard.xml.in
@@ -22,6 +22,7 @@
           #include <include/interface/vrf.xml.i>
           #include <include/port-number.xml.i>
           #include <include/interface/mtu-68-16000.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <leafNode name="mtu">
             <defaultValue>1420</defaultValue>
           </leafNode>
diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in
index 048c7b475..da739840b 100644
--- a/interface-definitions/interfaces-wireless.xml.in
+++ b/interface-definitions/interfaces-wireless.xml.in
@@ -17,6 +17,7 @@
         </properties>
         <children>
           #include <include/interface/address-ipv4-ipv6-dhcp.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
           <node name="capabilities">
             <properties>
               <help>HT and VHT capabilities for your card</help>
diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces-wwan.xml.in
index 6b6fa1a66..926c48194 100644
--- a/interface-definitions/interfaces-wwan.xml.in
+++ b/interface-definitions/interfaces-wwan.xml.in
@@ -39,6 +39,7 @@
           #include <include/interface/ipv4-options.xml.i>
           #include <include/interface/ipv6-options.xml.i>
           #include <include/interface/dial-on-demand.xml.i>
+          #include <include/interface/interface-firewall.xml.i>
         </children>
       </tagNode>
     </children>
-- 
cgit v1.2.3