Fix firewall not updating when interfaces become bridge/LAG ports

When interfaces were moved from firewall zones to become bridge or LAG
ports (e.g., sfp1/sfp2 moved from WAN zone to lan-br), the firewall
configuration was not regenerated. This caused stale entries in
/etc/firewalld/zones/*.xml where interfaces remained listed in their
old zones despite no longer being L3 interfaces.

Root cause: firewall_change() only triggered on firewall model changes,
but interface membership changes (bridge-port/lag-port) occur in the
ietf-interfaces model. When interfaces become member ports, they
transition from L3 to L2, which affects the result of
interfaces_get_all_l3() used for default zone assignment.

Fix: Expand the diff check to also trigger firewall regeneration when
bridge-port or lag-port configuration changes, ensuring firewall zones
stay synchronized with actual L3 interface topology.

Fixes #1345

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>

Author: troglobit

src/confd/src/firewall.c

@@ -487,7 +487,15 @@ int firewall_change(sr_session_ctx_t *session, struct lyd_node *config, struct l
 	sr_error_t err = SR_ERR_OK;
 	char **ifaces = NULL;
 
-	if (diff && !lydx_get_xpathf(diff, XPATH))
+	/*
+	 * Trigger firewall regeneration if:
+	 * 1. Firewall configuration changed, OR
+	 * 2. Interface membership changed (bridge-port/lag-port)
+	 *    which affects L3 interface enumeration
+	 */
+	if (diff && !lydx_get_xpathf(diff, XPATH) &&
+	    !lydx_get_xpathf(diff, "/ietf-interfaces:interfaces/interface/bridge-port") &&
+	    !lydx_get_xpathf(diff, "/ietf-interfaces:interfaces/interface/lag-port"))
 		return SR_ERR_OK;
 
 	switch (event) {