From b71702f64c417c2fcb8a1f967b40c24b4e425bbc Mon Sep 17 00:00:00 2001
From: Nicolas Fort
Date: Wed, 31 Jul 2024 12:42:25 +0000
Subject: [PATCH] T4072: change same helpers in xml definitions; add notrack action for prerouting chain; re introduce in policy; change global options for passing traffic to IPvX firewall; update smoketest
---
 .../firewall/sysctl-firewall.conf.j2 | 6 ++--
 .../include/firewall/bridge-custom-name.xml.i | 1 +
 .../firewall/bridge-hook-forward.xml.i | 1 +
 .../include/firewall/bridge-hook-input.xml.i | 1 +
 .../include/firewall/bridge-hook-output.xml.i | 1 +
 .../firewall/bridge-hook-prerouting.xml.i | 3 +-
 .../include/firewall/common-rule-bridge.xml.i | 1 -
 .../include/firewall/global-options.xml.i | 2 +-
 .../firewall/set-packet-modifications.xml.i | 32 +++++++++++++++----
 smoketest/scripts/cli/test_firewall.py | 7 ++--
 10 files changed, 38 insertions(+), 17 deletions(-)
diff --git a/data/templates/firewall/sysctl-firewall.conf.j2 b/data/templates/firewall/sysctl-firewall.conf.j2
index ae6a8969c00..6c33ffdc85d 100644
--- a/data/templates/firewall/sysctl-firewall.conf.j2
+++ b/data/templates/firewall/sysctl-firewall.conf.j2
@@ -13,9 +13,9 @@ net.ipv4.conf.*.send_redirects = {{ 1 if global_options.send_redirects == 'enabl
 net.ipv4.tcp_syncookies = {{ 1 if global_options.syn_cookies == 'enable' else 0 }}
 net.ipv4.tcp_rfc1337 = {{ 1 if global_options.twa_hazards_protection == 'enable' else 0 }}
-{% if global_options.apply_for_bridge is vyos_defined %}
-net.bridge.bridge-nf-call-iptables = {{ 1 if global_options.apply_for_bridge.ipv4 is vyos_defined else 0 }}
-net.bridge.bridge-nf-call-ip6tables = {{ 1 if global_options.apply_for_bridge.ipv6 is vyos_defined else 0 }}
+{% if global_options.apply_to_bridged_traffic is vyos_defined %}
+net.bridge.bridge-nf-call-iptables = {{ 1 if global_options.apply_to_bridged_traffic.ipv4 is vyos_defined else 0 }}
+net.bridge.bridge-nf-call-ip6tables = {{ 1 if global_options.apply_to_bridged_traffic.ipv6 is vyos_defined else 0 }}
 {% else %}
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-ip6tables = 0
diff --git a/interface-definitions/include/firewall/bridge-custom-name.xml.i b/interface-definitions/include/firewall/bridge-custom-name.xml.i
index 48d48949e12..9a2a829d069 100644
--- a/interface-definitions/include/firewall/bridge-custom-name.xml.i
+++ b/interface-definitions/include/firewall/bridge-custom-name.xml.i
@@ -32,6 +32,7 @@ #include + #include #include #include #include
diff --git a/interface-definitions/include/firewall/bridge-hook-forward.xml.i b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
index 0bc1fc357b8..fcc9819254f 100644
--- a/interface-definitions/include/firewall/bridge-hook-forward.xml.i
+++ b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
@@ -26,6 +26,7 @@ #include + #include #include #include #include
diff --git a/interface-definitions/include/firewall/bridge-hook-input.xml.i b/interface-definitions/include/firewall/bridge-hook-input.xml.i
index 32de14d5417..f6a11f8dac2 100644
--- a/interface-definitions/include/firewall/bridge-hook-input.xml.i
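Review bot: No migration script accompanies the CLI node rename from `apply-for-bridge` to `apply-to-bridged-traffic` that this template now follows (the diffstat lists only templates, XML definitions and the smoketest), so a saved configuration that still carries the old node would fail to load after upgrade unless that node never shipped in a release; the smoketest hunk at `@@ -708,7 +708,7 @@` switches to the new name for the same reason and would need the same accompaniment. The `{% else %}` branch still writes both `net.bridge.bridge-nf-call-*` sysctls as 0 when the node is absent, so bridged traffic stays out of the IPv4/IPv6 filter tables by default, which is the conservative behaviour and does not need to change. The hunk header reports nine old lines while only eight are visible here, so the closing `{% endif %}` line is presumably just outside the excerpt.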
+++ b/interface-definitions/include/firewall/bridge-hook-input.xml.i
@@ -26,6 +26,7 @@ #include + #include #include #include #include
diff --git a/interface-definitions/include/firewall/bridge-hook-output.xml.i b/interface-definitions/include/firewall/bridge-hook-output.xml.i
index da0c02470c0..38b8b08cad7 100644
--- a/interface-definitions/include/firewall/bridge-hook-output.xml.i
+++ b/interface-definitions/include/firewall/bridge-hook-output.xml.i
@@ -26,6 +26,7 @@ #include + #include #include #include #include
diff --git a/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i b/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i
index b6c1fe87a7b..74e67f0ae94 100644
--- a/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i
+++ b/interface-definitions/include/firewall/bridge-hook-prerouting.xml.i
@@ -14,7 +14,7 @@ #include - Bridge Firewall prerouting filter rule number + Bridge firewall prerouting filter rule number u32:1-999999 Number for this firewall rule
@@ -26,6 +26,7 @@ #include + #include #include #include
diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i
index b47408aa83d..9ae28f7bee1 100644
--- a/interface-definitions/include/firewall/common-rule-bridge.xml.i
+++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i
@@ -1,7 +1,6 @@ #include #include -#include #include #include #include
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
index 1f289967256..cee8f1854d6 100644
--- a/interface-definitions/include/firewall/global-options.xml.i
+++ b/interface-definitions/include/firewall/global-options.xml.i
@@ -44,7 +44,7 @@ disable - + Apply configured firewall rules to traffic switched by bridges
diff --git a/interface-definitions/include/firewall/set-packet-modifications.xml.i b/interface-definitions/include/firewall/set-packet-modifications.xml.i
index eda568a0ebe..ee019b64ee7 100644
--- a/interface-definitions/include/firewall/set-packet-modifications.xml.i
+++ b/interface-definitions/include/firewall/set-packet-modifications.xml.i
@@ -6,10 +6,10 @@ - Connection marking + Set connection mark u32:0-2147483647 - Connection marking + Connection mark
@@ -18,7 +18,7 @@ - Packet Differentiated Services Codepoint (DSCP) + Set DSCP (Packet Differentiated Services Codepoint) bits u32:0-63 DSCP number
@@ -30,10 +30,10 @@ - Packet marking + Set packet mark u32:1-2147483647 - Packet marking + Packet mark
@@ -42,7 +42,7 @@ - Routing table to forward packet with + Set the routing table for matched packets u32:1-200 Table number
@@ -61,9 +61,27 @@ + + + VRF to forward packet with + + txt + VRF instance name + + + default + Forward into default global VRF + + + default + vrf name + + #include + + - TCP Maximum Segment Size + Set TCP Maximum Segment Size u32:500-1460 Explicitly set TCP MSS value
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 2287577c707..9184a4cfcaa 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -708,7 +708,7 @@ def test_bridge_firewall(self):
 self.cli_set(['firewall', 'group', 'ipv6-address-group', 'AGV6', 'address', '2001:db1::1'])
 self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept'])
- self.cli_set(['firewall', 'global-options', 'apply-for-bridge', 'ipv4'])
+ self.cli_set(['firewall', 'global-options', 'apply-to-bridged-traffic', 'ipv4'])
 self.cli_set(['firewall', 'bridge', 'name', name, 'default-action', 'accept'])
 self.cli_set(['firewall', 'bridge', 'name', name, 'default-log'])
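Review bot: The new `vrf` leaf added in hunk `@@ -61,9 +61,27 @@` keeps the old wording `VRF to forward packet with` while every neighbouring description in this file is being rewritten into the imperative `Set ...` form in the same patch; for consistency use `Set VRF for matched packets`. Nothing in the diffstat touches the nftables rule template or the firewall/policy conf-mode scripts, so whether `set vrf` (including the special value `default`) is actually rendered into a rule cannot be verified from this patch; if the backend does not already handle it, the CLI would accept the option without it taking effect. A smoketest assertion for a `set vrf` rule, alongside the `notrack` checks this commit adds, would close that gap.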
@@ -731,10 +731,9 @@ def test_bridge_firewall(self):
 self.cli_set(['firewall', 'bridge', 'input', 'filter', 'rule', '1', 'source', 'address', '192.0.2.2'])
 self.cli_set(['firewall', 'bridge', 'input', 'filter', 'rule', '1', 'state', 'new'])
- self.cli_set(['firewall', 'bridge', 'prerouting', 'filter', 'rule', '1', 'action', 'drop'])
+ self.cli_set(['firewall', 'bridge', 'prerouting', 'filter', 'rule', '1', 'action', 'notrack'])
 self.cli_set(['firewall', 'bridge', 'prerouting', 'filter', 'rule', '1', 'destination', 'group', 'ipv6-address-group', 'AGV6'])
- self.cli_commit()
 nftables_search = [
@@ -755,7 +754,7 @@ def test_bridge_firewall(self):
 ['ct state new', 'ip saddr 192.0.2.2', f'iifname "{interface_in}"', 'accept'],
 ['chain VYOS_PREROUTING_filter'],
 ['type filter hook prerouting priority filter; policy accept;'],
- ['ip6 daddr @A6_AGV6', 'drop']
+ ['ip6 daddr @A6_AGV6', 'notrack']
 ]
 self.verify_nftables(nftables_search, 'bridge vyos_filter')
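Review bot: Switching prerouting rule 1 from `drop` to `notrack` in hunk `@@ -731,10 +731,9 @@` removes the only smoketest coverage of a terminating verdict in the bridge prerouting chain, and the updated expectation in `@@ -755,7 +754,7 @@` now only checks that the rendered rule contains the string `notrack`. Rather than replacing the rule, add the new action as a second rule, e.g. `self.cli_set(['firewall', 'bridge', 'prerouting', 'filter', 'rule', '2', 'action', 'notrack'])` with its own match, and keep rule 1 as `drop` together with the `['ip6 daddr @A6_AGV6', 'drop']` entry in `nftables_search`, so both verdicts stay under test. Also note that `notrack` exempts the matched packets from connection tracking, so the `state-policy established accept` set earlier in this test will not apply to them afterwards; a comment on the rule saying so would save the next reader from reasoning that out. `test_bridge_firewall` starts before and ends after both hunks.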