firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616)
- Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
- Add ipsec match-ipsec-out and match-none-out
- Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes)
- Add the -out generators to rendered templates
- Heavy modification to firewall config validators:
- I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error.
- Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches.
- Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests