T6841: firewall: improve config parsing for ZBF when using VRFs and interfaces attached to VRFs

[nicolas-fort]

Change Summary

Improve config parsing for ZBF when using VRFs and interfaces attached to VRFs

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

• https://vyos.dev/T6841

Related PR(s)

Component(s) name

firewall

Proposed changes

For zone based firewall, everything is related to matching inbound and outbound interface. The problem is that in Linux, if an interface is attached to a non-default VRF, then:

• For matching inbound-interface, we need to specify <vrf_name> in firewall ruleset
• For matching outbound-interface, we need to specify <physical_interface> in firewall ruleset.

Before this PR, what was written under set firewall zone <zone> interface <iface> was exactly written for inbound|outbound interface in nftables.
Now we have provide more options so we can specify interface name and interfave vrf while defining interfaces in a zone.

• If using interface name <iface> --> it still writes exactly that interfaces for inbound|outbound interface in nftables
• If using interface vrf <vrf_name> --> in nftables it writes:
  • <vrf_name> for matching inbound interface
  • <all_vrf_members> for matching outbound interface.

How to test

Smoketest result

root@zbf-vrfaware:/usr/libexec/vyos/tests/smoke/cli# ./test_firewall.py 
test_bridge_firewall (__main__.TestFirewall.test_bridge_firewall) ... ok
test_cyclic_jump_validation (__main__.TestFirewall.test_cyclic_jump_validation) ... ok
test_flow_offload (__main__.TestFirewall.test_flow_offload) ... ok
test_geoip (__main__.TestFirewall.test_geoip) ... ok
test_gre_match (__main__.TestFirewall.test_gre_match) ... ok
test_groups (__main__.TestFirewall.test_groups) ... ok
test_ipsec_metadata_match (__main__.TestFirewall.test_ipsec_metadata_match) ... ok
test_ipv4_advanced (__main__.TestFirewall.test_ipv4_advanced) ... ok
test_ipv4_basic_rules (__main__.TestFirewall.test_ipv4_basic_rules) ... ok
test_ipv4_dynamic_groups (__main__.TestFirewall.test_ipv4_dynamic_groups) ... ok
test_ipv4_global_state (__main__.TestFirewall.test_ipv4_global_state) ... ok
test_ipv4_mask (__main__.TestFirewall.test_ipv4_mask) ... ok
test_ipv4_state_and_status_rules (__main__.TestFirewall.test_ipv4_state_and_status_rules) ... ok
test_ipv4_synproxy (__main__.TestFirewall.test_ipv4_synproxy) ... ok
test_ipv6_advanced (__main__.TestFirewall.test_ipv6_advanced) ... ok
test_ipv6_basic_rules (__main__.TestFirewall.test_ipv6_basic_rules) ... ok
test_ipv6_dynamic_groups (__main__.TestFirewall.test_ipv6_dynamic_groups) ... ok
test_ipv6_mask (__main__.TestFirewall.test_ipv6_mask) ... ok
test_nested_groups (__main__.TestFirewall.test_nested_groups) ... ok
test_source_validation (__main__.TestFirewall.test_source_validation) ... ok
test_sysfs (__main__.TestFirewall.test_sysfs) ... ok
test_timeout_sysctl (__main__.TestFirewall.test_timeout_sysctl) ... ok
test_zone_basic (__main__.TestFirewall.test_zone_basic) ... ok
test_zone_flow_offload (__main__.TestFirewall.test_zone_flow_offload) ... ok
test_zone_with_vrf (__main__.TestFirewall.test_zone_with_vrf) ... ok

----------------------------------------------------------------------
Ran 25 tests in 136.776s

OK

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[github-actions]

👍
No issues in PR Title / Commit Title

[github-actions]

✅ No issues found in unused-imports check.. Please refer the workflow run

[nicolas-fort]

Should I also change these files?
https://github.com/search?q=repo%3Avyos%2Fvyos-1x+path%3A%2F%5Esmoketest%5C%2Fconfig-tests%5C%2F%2F+%22set+firewall+zone%22&type=code

[dmbaturin]

I suggest a different syntax that I think is more intuitive (or less counter-intuitive ;) and there are some missing cases in the migration script logic.

[dmbaturin]

This logic looks incomplete.

1. It doesn't seem to delete values from under the old interface node, only duplicates them under the new one.
2. VRF support was introduced in 1.4.0 already, but the script doesn't handle the case when the value is a VRF name rather than an interface name.

[github-actions]

CI integration ❌ failed!

Details

CI logs

• CLI Smoketests (no interfaces) ❌ failed
• CLI Smoketests (interfaces only) 👍 passed
• Config tests ❌ failed
• RAID1 tests 👍 passed
• TPM tests 👍 passed