wlb: T114: Add firewall group support for WAN load balancer

[sarthurdev]

Change summary

Add firewall group support for WAN load balancer

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

Related PR(s)

How to test / Smoketest result

Includes new smoketest for groups.

DEBUG - Running Testcase: /usr/libexec/vyos/tests/smoke/cli/test_load-balancing_wan.py
DEBUG - test_check_chains (__main__.TestLoadBalancingWan.test_check_chains) ... ok
DEBUG - test_criteria_failover_hook (__main__.TestLoadBalancingWan.test_criteria_failover_hook) ... ok
DEBUG - test_firewall_groups (__main__.TestLoadBalancingWan.test_firewall_groups) ... ok
DEBUG - test_table_routes (__main__.TestLoadBalancingWan.test_table_routes) ... ok
DEBUG - 
DEBUG - ----------------------------------------------------------------------
DEBUG - Ran 4 tests in 53.875s
DEBUG - 
DEBUG - OK

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[github-actions]

👍
No issues in PR Title / Commit Title

[github-actions]

CI integration 👍 passed!

Details

CI logs

• CLI Smoketests (no interfaces) 👍 passed
• CLI Smoketests VPP 👍 passed
• CLI Smoketests (interfaces only) 👍 passed
• Config tests 👍 passed
• Config tests VPP 👍 passed
• RAID1 tests 👍 passed
• TPM tests 👍 passed

[c-po]

The implementation looks solid, and I appreciate the reuse of established patterns -particularly the global group definitions under the firewall section. That said, with group definitions now being utilized by firewalling, NAT, and WAN load balancing, it might be time to reconsider their placement under the firewall subsystem.

From a long-term architectural perspective, it could be cleaner and more intuitive to decouple address, port, and network group definitions from the firewall context and elevate them to a more neutral, global scope. This would better reflect their cross-functional use and improve clarity for both users and maintainers.

It might be worth starting a broader discussion among the maintainers about evolving the data model in this direction.

[dmbaturin]

The implementation looks good and I agree we should allow groups in all places that use nftables.

@c-po I agree we should eventually move groups to the global level, but it's a big project that will require a lot of discussion and design effort, so for now let's proceed with out-of-firewall references to firewall groups.