vyos · mergify · Nov 10, 2023
@@ -0,0 +1,39 @@
+<!-- include start from firewall/common-rule-bridge.xml.i -->
+#include <include/firewall/action-l2.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+<node name="destination">
+  <properties>
+    <help>Destination parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/mac-address.xml.i>
+  </children>
+</node>
+<leafNode name="disable">
+  <properties>
+    <help>Option to disable firewall rule</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<leafNode name="jump-target">
+  <properties>
+    <help>Set jump target. Action jump must be defined to use this setting</help>
+    <completionHelp>
+      <path>firewall bridge name</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+#include <include/firewall/log.xml.i>
+#include <include/firewall/rule-log-options.xml.i>
+<node name="source">
+  <properties>
+    <help>Source parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/mac-address.xml.i>
+  </children>
+</node>
+#include <include/firewall/inbound-interface.xml.i>
+#include <include/firewall/outbound-interface.xml.i>
+#include <include/firewall/match-vlan.xml.i>
+<!-- include end -->
@@ -81,44 +81,7 @@
     </leafNode>
   </children>
 </node>
-<leafNode name="log">
-  <properties>
-    <help>Option to log packets matching rule</help>
-    <completionHelp>
-      <list>enable disable</list>
-    </completionHelp>
-    <valueHelp>
-      <format>enable</format>
-      <description>Enable log</description>
-    </valueHelp>
-    <valueHelp>
-      <format>disable</format>
-      <description>Disable log</description>
-    </valueHelp>
-    <constraint>
-      <regex>(enable|disable)</regex>
-    </constraint>
-  </properties>
-</leafNode>
-<leafNode name="log">
-  <properties>
-    <help>Option to log packets matching rule</help>
-    <completionHelp>
-      <list>enable disable</list>
-    </completionHelp>
-    <valueHelp>
-      <format>enable</format>
-      <description>Enable log</description>
-    </valueHelp>
-    <valueHelp>
-      <format>disable</format>
-      <description>Disable log</description>
-    </valueHelp>
-    <constraint>
-      <regex>(enable|disable)</regex>
-    </constraint>
-  </properties>
-</leafNode>
+#include <include/firewall/log.xml.i>
 #include <include/firewall/rule-log-options.xml.i>
 <node name="connection-status">
   <properties>
@@ -220,6 +183,7 @@
     </leafNode>
   </children>
 </node>
+<<<<<<< HEAD
 <node name="state">
   <properties>
     <help>Session state</help>
@@ -303,6 +267,10 @@
     </leafNode>
   </children>
 </node>
+=======
+#include <include/firewall/synproxy.xml.i>
+#include <include/firewall/state.xml.i>
+>>>>>>> c4409d6a4 (T5729: firewall: switch to valueless in order to remove unnecessary <enable|disable> commands; log and state moved to new syntax.)
 #include <include/firewall/tcp-flags.xml.i>
 <node name="time">
   <properties>

@@ -1,15 +1,8 @@
 <!-- include start from firewall/log.xml.i -->
-<node name="log">
+<leafNode name="log">
   <properties>
-    <help>Option to log packets</help>
+    <help>Enable log</help>
+    <valueless/>
   </properties>
-  <children>
-    <leafNode name="enable">
-      <properties>
-        <help>Enable logging</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-  </children>
-</node>
+</leafNode>
 <!-- include end -->
@@ -0,0 +1,30 @@
+<!-- include start from firewall/state.xml.i -->
+<leafNode name="state">
+  <properties>
+    <help>Session state</help>
+    <completionHelp>
+      <list>established invalid new related</list>
+    </completionHelp>
+    <valueHelp>
+      <format>established</format>
+      <description>Established state</description>
+    </valueHelp>
+    <valueHelp>
+      <format>invalid</format>
+      <description>Invalid state</description>
+    </valueHelp>
+    <valueHelp>
+      <format>new</format>
+      <description>New state</description>
+    </valueHelp>
+    <valueHelp>
+      <format>related</format>
+      <description>Related state</description>
+    </valueHelp>
+    <constraint>
+      <regex>(established|invalid|new|related)</regex>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
@@ -34,12 +34,7 @@
         #include <include/firewall/nat-balance.xml.i>
       </children>
     </node>
-    <leafNode name="log">
-      <properties>
-        <help>NAT rule logging</help>
-        <valueless/>
-      </properties>
-    </leafNode>
+    #include <include/firewall/log.xml.i>
     <leafNode name="packet-type">
       <properties>
         <help>Packet type</help>

@@ -76,25 +76,7 @@
     </leafNode>
   </children>
 </node>
-<leafNode name="log">
-  <properties>
-    <help>Option to log packets matching rule</help>
-    <completionHelp>
-      <list>enable disable</list>
-    </completionHelp>
-    <valueHelp>
-      <format>enable</format>
-      <description>Enable log</description>
-    </valueHelp>
-    <valueHelp>
-      <format>disable</format>
-      <description>Disable log</description>
-    </valueHelp>
-    <constraint>
-      <regex>(enable|disable)</regex>
-    </constraint>
-  </properties>
-</leafNode>
+#include <include/firewall/log.xml.i>
 <leafNode name="protocol">
   <properties>
     <help>Protocol to match (protocol name, number, or "all")</help>
@@ -230,89 +212,7 @@
     </leafNode>
   </children>
 </node>
-<node name="state">
-  <properties>
-    <help>Session state</help>
-  </properties>
-  <children>
-    <leafNode name="established">
-      <properties>
-        <help>Established state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="invalid">
-      <properties>
-        <help>Invalid state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="new">
-      <properties>
-        <help>New state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="related">
-      <properties>
-        <help>Related state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
+#include <include/firewall/state.xml.i>
 #include <include/firewall/tcp-flags.xml.i>
 <node name="time">
   <properties>

@@ -1,3 +1,3 @@
 <!-- include start from include/version/firewall-version.xml.i -->
-<syntaxVersion component='firewall' version='12'></syntaxVersion>
+<syntaxVersion component='firewall' version='13'></syntaxVersion>
 <!-- include end -->
@@ -1,3 +1,3 @@
 <!-- include start from include/version/policy-version.xml.i -->
-<syntaxVersion component='policy' version='6'></syntaxVersion>
+<syntaxVersion component='policy' version='7'></syntaxVersion>
 <!-- include end -->
@@ -32,12 +32,7 @@
                 </properties>
               </leafNode>
               #include <include/nat-exclude.xml.i>
-              <leafNode name="log">
-                <properties>
-                  <help>NAT66 rule logging</help>
-                  <valueless/>
-                </properties>
-              </leafNode>
+              #include <include/firewall/log.xml.i>
               #include <include/firewall/outbound-interface-no-group.xml.i>
               #include <include/nat/protocol.xml.i>
               <node name="destination">

@@ -87,7 +87,11 @@ def nft_action(vyos_action):
 
 def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
     output = []
+<<<<<<< HEAD
     #def_suffix = '6' if ip_name == 'ip6' else ''
+=======
+
+>>>>>>> c4409d6a4 (T5729: firewall: switch to valueless in order to remove unnecessary <enable|disable> commands; log and state moved to new syntax.)
     if ip_name == 'ip6':
         def_suffix = '6'
         family = 'ipv6'
@@ -96,7 +100,7 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
         family = 'bri' if ip_name == 'bri' else 'ipv4'
 
     if 'state' in rule_conf and rule_conf['state']:
-        states = ",".join([s for s, v in rule_conf['state'].items() if v == 'enable'])
+        states = ",".join([s for s in rule_conf['state']])
 
         if states:
             output.append(f'ct state {{{states}}}')
@@ -400,6 +404,46 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
         conn_mark_str = ','.join(rule_conf['connection_mark'])
         output.append(f'ct mark {{{conn_mark_str}}}')
 
+<<<<<<< HEAD
+=======
+    if 'mark' in rule_conf:
+        mark = rule_conf['mark']
+        operator = ''
+        if mark[0] == '!':
+            operator = '!='
+            mark = mark[1:]
+        output.append(f'meta mark {operator} {{{mark}}}')
+
+    if 'vlan' in rule_conf:
+        if 'id' in rule_conf['vlan']:
+            output.append(f'vlan id {rule_conf["vlan"]["id"]}')
+        if 'priority' in rule_conf['vlan']:
+            output.append(f'vlan pcp {rule_conf["vlan"]["priority"]}')
+
+    if 'log' in rule_conf:
+        action = rule_conf['action'] if 'action' in rule_conf else 'accept'
+        #output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"')
+        output.append(f'log prefix "[{family}-{hook}-{fw_name}-{rule_id}-{action[:1].upper()}]"')
+                        ##{family}-{hook}-{fw_name}-{rule_id}
+        if 'log_options' in rule_conf:
+
+            if 'level' in rule_conf['log_options']:
+                log_level = rule_conf['log_options']['level']
+                output.append(f'log level {log_level}')
+
+            if 'group' in rule_conf['log_options']:
+                log_group = rule_conf['log_options']['group']
+                output.append(f'log group {log_group}')
+
+                if 'queue_threshold' in rule_conf['log_options']:
+                    queue_threshold = rule_conf['log_options']['queue_threshold']
+                    output.append(f'queue-threshold {queue_threshold}')
+
+                if 'snapshot_length' in rule_conf['log_options']:
+                    log_snaplen = rule_conf['log_options']['snapshot_length']
+                    output.append(f'snaplen {log_snaplen}')
+
+>>>>>>> c4409d6a4 (T5729: firewall: switch to valueless in order to remove unnecessary <enable|disable> commands; log and state moved to new syntax.)
     output.append('counter')
 
     if 'set' in rule_conf: