2 files changed, 47 insertions, 5 deletions

diff --git a/interface-definitions/dns-forwarding.xml b/interface-definitions/dns-forwarding.xml
index e3d33e8cc..88af5f4f9 100644
--- a/interface-definitions/dns-forwarding.xml
+++ b/interface-definitions/dns-forwarding.xml
@@ -35,25 +35,28 @@
               <leafNode name="dnssec">
                 <properties>
                   <help>DNSSEC mode</help>
+                  <completionHelp>
+                    <list>off process-no-validate process log-fail validate</list>
+                  </completionHelp>
                   <valueHelp>
                     <format>off</format>
-                    <description/>
+                    <description>No DNSSEC processing whatsoever!</description>
                   </valueHelp>
                   <valueHelp>
                     <format>process-no-validate</format>
-                    <description/>
+                    <description>Respond with DNSSEC records to clients that ask for it. Don't do any validation.</description>
                   </valueHelp>
                   <valueHelp>
                     <format>process</format>
-                    <description/>
+                    <description>Respond with DNSSEC records to clients that ask for it. Validation for clients that request it.</description>
                   </valueHelp>
                   <valueHelp>
                     <format>log-fail</format>
-                    <description/>
+                    <description>Similar behaviour to process, but validate RRSIGs on responses and log bogus responses.</description>
                   </valueHelp>
                   <valueHelp>
                     <format>validate</format>
-                    <description/>
+                    <description>Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.</description>
                   </valueHelp>
                   <constraint>
                     <regex>(off|process-no-validate|process|log-fail|validate)</regex>
diff --git a/src/migration-scripts/webproxy/1-to-2 b/src/migration-scripts/webproxy/1-to-2
new file mode 100755
index 000000000..4acabba3e
--- /dev/null
+++ b/src/migration-scripts/webproxy/1-to-2
@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+# migrate old style `webproxy proxy-bypass 1.2.3.4/24`
+# to new style `webproxy whitelist destination-address 1.2.3.4/24`
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if len(sys.argv) < 1:
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+
+cfg_webproxy_base = ['service', 'webproxy']
+if not config.exists(cfg_webproxy_base):
+    # Nothing to do
+    sys.exit(0)
+else:
+    bypass_addresses = config.return_values(cfg_webproxy_base + ['proxy-bypass'])
+    # delete old configuration node
+    config.delete(cfg_webproxy_base + ['proxy-bypass'])
+    for bypass_address in bypass_addresses:
+        # add data to new configuration node
+        config.set(cfg_webproxy_base + ['whitelist', 'destination-address'], value=bypass_address, replace=False)
+
+    # save updated configuration
+    try:
+        with open(file_name, 'w') as f:
+            f.write(config.to_string())
+    except OSError as e:
+        print("Failed to save the modified config: {}".format(e))
+        sys.exit(1)