Diffstat (limited to 'src/migration-scripts/ipsec/9-to-10')
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/ipsec/9-to-10223
1 files changed, 103 insertions, 120 deletions
diff --git a/src/migration-scripts/ipsec/9-to-10 b/src/migration-scripts/ipsec/9-to-10
index bc10e1997..321a75973 100755..100644
--- a/src/migration-scripts/ipsec/9-to-10
+++ b/src/migration-scripts/ipsec/9-to-10
@@ -1,131 +1,114 @@
-#!/usr/bin/env python3
+# Copyright 2022-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
-# Copyright (C) 2022-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
-import re
+# T4118: Change vpn ipsec syntax for IKE ESP and peer
+# T4879: IPsec migration script remote-id for peer name eq address
-from sys import argv
-from sys import exit
+import re
from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
base = ['vpn', 'ipsec']
-config = ConfigTree(config_file)
-
-if not config.exists(base):
- # Nothing to do
- exit(0)
-
-# IKE changes, T4118:
-if config.exists(base + ['ike-group']):
- for ike_group in config.list_nodes(base + ['ike-group']):
- # replace 'ipsec ike-group <tag> mobike disable'
- # => 'ipsec ike-group <tag> disable-mobike'
- mobike = base + ['ike-group', ike_group, 'mobike']
- if config.exists(mobike):
- if config.return_value(mobike) == 'disable':
- config.set(base + ['ike-group', ike_group, 'disable-mobike'])
- config.delete(mobike)
-
- # replace 'ipsec ike-group <tag> ikev2-reauth yes'
- # => 'ipsec ike-group <tag> ikev2-reauth'
- reauth = base + ['ike-group', ike_group, 'ikev2-reauth']
- if config.exists(reauth):
- if config.return_value(reauth) == 'yes':
- config.delete(reauth)
- config.set(reauth)
- else:
- config.delete(reauth)
-
-# ESP changes
-# replace 'ipsec esp-group <tag> compression enable'
-# => 'ipsec esp-group <tag> compression'
-if config.exists(base + ['esp-group']):
- for esp_group in config.list_nodes(base + ['esp-group']):
- compression = base + ['esp-group', esp_group, 'compression']
- if config.exists(compression):
- if config.return_value(compression) == 'enable':
- config.delete(compression)
- config.set(compression)
- else:
- config.delete(compression)
-
-# PEER changes
-if config.exists(base + ['site-to-site', 'peer']):
- for peer in config.list_nodes(base + ['site-to-site', 'peer']):
- peer_base = base + ['site-to-site', 'peer', peer]
-
- # replace: 'peer <tag> id x'
- # => 'peer <tag> local-id x'
- if config.exists(peer_base + ['authentication', 'id']):
- config.rename(peer_base + ['authentication', 'id'], 'local-id')
-
- # For the peer '@foo' set remote-id 'foo' if remote-id is not defined
- # For the peer '192.0.2.1' set remote-id '192.0.2.1' if remote-id is not defined
- if not config.exists(peer_base + ['authentication', 'remote-id']):
- tmp = peer.replace('@', '') if peer.startswith('@') else peer
- config.set(peer_base + ['authentication', 'remote-id'], value=tmp)
-
- # replace: 'peer <tag> force-encapsulation enable'
- # => 'peer <tag> force-udp-encapsulation'
- force_enc = peer_base + ['force-encapsulation']
- if config.exists(force_enc):
- if config.return_value(force_enc) == 'enable':
- config.delete(force_enc)
- config.set(peer_base + ['force-udp-encapsulation'])
- else:
- config.delete(force_enc)
-
- # add option: 'peer <tag> remote-address x.x.x.x'
- remote_address = peer
- if peer.startswith('@'):
- remote_address = 'any'
- config.set(peer_base + ['remote-address'], value=remote_address)
- # Peer name it is swanctl connection name and shouldn't contain dots or colons
- # rename peer:
- # peer 192.0.2.1 => peer peer_192-0-2-1
- # peer 2001:db8::2 => peer peer_2001-db8--2
- # peer @foo => peer peer_foo
- re_peer_name = re.sub(':|\.', '-', peer)
- if re_peer_name.startswith('@'):
- re_peer_name = re.sub('@', '', re_peer_name)
- new_peer_name = f'peer_{re_peer_name}'
-
- config.rename(peer_base, new_peer_name)
-
-# remote-access/road-warrior changes
-if config.exists(base + ['remote-access', 'connection']):
- for connection in config.list_nodes(base + ['remote-access', 'connection']):
- ra_base = base + ['remote-access', 'connection', connection]
- # replace: 'remote-access connection <tag> authentication id x'
- # => 'remote-access connection <tag> authentication local-id x'
- if config.exists(ra_base + ['authentication', 'id']):
- config.rename(ra_base + ['authentication', 'id'], 'local-id')
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print(f'Failed to save the modified config: {e}')
- exit(1)
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base):
+ # Nothing to do
+ return
+
+ # IKE changes, T4118:
+ if config.exists(base + ['ike-group']):
+ for ike_group in config.list_nodes(base + ['ike-group']):
+ # replace 'ipsec ike-group <tag> mobike disable'
+ # => 'ipsec ike-group <tag> disable-mobike'
+ mobike = base + ['ike-group', ike_group, 'mobike']
+ if config.exists(mobike):
+ if config.return_value(mobike) == 'disable':
+ config.set(base + ['ike-group', ike_group, 'disable-mobike'])
+ config.delete(mobike)
+
+ # replace 'ipsec ike-group <tag> ikev2-reauth yes'
+ # => 'ipsec ike-group <tag> ikev2-reauth'
+ reauth = base + ['ike-group', ike_group, 'ikev2-reauth']
+ if config.exists(reauth):
+ if config.return_value(reauth) == 'yes':
+ config.delete(reauth)
+ config.set(reauth)
+ else:
+ config.delete(reauth)
+
+ # ESP changes
+ # replace 'ipsec esp-group <tag> compression enable'
+ # => 'ipsec esp-group <tag> compression'
+ if config.exists(base + ['esp-group']):
+ for esp_group in config.list_nodes(base + ['esp-group']):
+ compression = base + ['esp-group', esp_group, 'compression']
+ if config.exists(compression):
+ if config.return_value(compression) == 'enable':
+ config.delete(compression)
+ config.set(compression)
+ else:
+ config.delete(compression)
+
+ # PEER changes
+ if config.exists(base + ['site-to-site', 'peer']):
+ for peer in config.list_nodes(base + ['site-to-site', 'peer']):
+ peer_base = base + ['site-to-site', 'peer', peer]
+
+ # replace: 'peer <tag> id x'
+ # => 'peer <tag> local-id x'
+ if config.exists(peer_base + ['authentication', 'id']):
+ config.rename(peer_base + ['authentication', 'id'], 'local-id')
+
+ # For the peer '@foo' set remote-id 'foo' if remote-id is not defined
+ # For the peer '192.0.2.1' set remote-id '192.0.2.1' if remote-id is not defined
+ if not config.exists(peer_base + ['authentication', 'remote-id']):
+ tmp = peer.replace('@', '') if peer.startswith('@') else peer
+ config.set(peer_base + ['authentication', 'remote-id'], value=tmp)
+
+ # replace: 'peer <tag> force-encapsulation enable'
+ # => 'peer <tag> force-udp-encapsulation'
+ force_enc = peer_base + ['force-encapsulation']
+ if config.exists(force_enc):
+ if config.return_value(force_enc) == 'enable':
+ config.delete(force_enc)
+ config.set(peer_base + ['force-udp-encapsulation'])
+ else:
+ config.delete(force_enc)
+
+ # add option: 'peer <tag> remote-address x.x.x.x'
+ remote_address = peer
+ if peer.startswith('@'):
+ remote_address = 'any'
+ config.set(peer_base + ['remote-address'], value=remote_address)
+ # Peer name it is swanctl connection name and shouldn't contain dots or colons
+ # rename peer:
+ # peer 192.0.2.1 => peer peer_192-0-2-1
+ # peer 2001:db8::2 => peer peer_2001-db8--2
+ # peer @foo => peer peer_foo
+ re_peer_name = re.sub(':|\.', '-', peer)
+ if re_peer_name.startswith('@'):
+ re_peer_name = re.sub('@', '', re_peer_name)
+ new_peer_name = f'peer_{re_peer_name}'
+
+ config.rename(peer_base, new_peer_name)
+
+ # remote-access/road-warrior changes
+ if config.exists(base + ['remote-access', 'connection']):
+ for connection in config.list_nodes(base + ['remote-access', 'connection']):
+ ra_base = base + ['remote-access', 'connection', connection]
+ # replace: 'remote-access connection <tag> authentication id x'
+ # => 'remote-access connection <tag> authentication local-id x'
+ if config.exists(ra_base + ['authentication', 'id']):
+ config.rename(ra_base + ['authentication', 'id'], 'local-id')
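Review bot: The peer-rename regex in the site-to-site loop, `re.sub(':|\.', '-', peer)`, is a non-raw string containing `\.`, which Python treats as an invalid escape sequence (DeprecationWarning, SyntaxWarning on 3.12+); write it as `re.sub(r':|\.', '-', peer)`. Separately, the new tag is derived by replacing every `.`/`:` with `-` and stripping every `@`, so two distinct legacy tags such as `192.0.2.1` and `@192-0-2-1` both become `peer_192-0-2-1`, and the second `config.rename` would then target an existing node; whether that raises or silently merges is not visible here, but a guard like `if config.exists(base + ['site-to-site', 'peer', new_peer_name]): raise ValueError(f'peer rename collision: {new_peer_name}')` before the rename would make the failure explicit rather than leaving a half-migrated IPsec config. `migrate()` otherwise preserves the old script's logic line for line; the file write and argv handling it dropped are presumably now done by the migration runner that calls it.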