2 files changed, 95 insertions, 4 deletions

diff --git a/src/migration-scripts/firewall/8-to-9 b/src/migration-scripts/firewall/8-to-9
new file mode 100755
index 000000000..f7c1bb90d
--- /dev/null
+++ b/src/migration-scripts/firewall/8-to-9
@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T4780: Add firewall interface group
+#  cli changes from:       
+#  set firewall [name | ipv6-name] <name> rule <number> [inbound-interface | outbound-interface] <interface_name>
+#  To
+#  set firewall [name | ipv6-name] <name> rule <number> [inbound-interface | outbound-interface]  [interface-name | interface-group] <interface_name | interface_group>
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import Section
+
+if (len(argv) < 1):
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['firewall']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+if config.exists(base + ['name']):
+    for name in config.list_nodes(base + ['name']):
+        if not config.exists(base + ['name', name, 'rule']):
+            continue
+
+        for rule in config.list_nodes(base + ['name', name, 'rule']):
+            rule_iiface = base + ['name', name, 'rule', rule, 'inbound-interface']
+            rule_oiface = base + ['name', name, 'rule', rule, 'outbound-interface']
+
+            if config.exists(rule_iiface):
+                tmp = config.return_value(rule_iiface)
+                config.delete(rule_iiface)
+                config.set(rule_iiface + ['interface-name'], value=tmp)
+
+            if config.exists(rule_oiface):
+                tmp = config.return_value(rule_oiface)
+                config.delete(rule_oiface)
+                config.set(rule_oiface + ['interface-name'], value=tmp)
+
+
+if config.exists(base + ['ipv6-name']):
+    for name in config.list_nodes(base + ['ipv6-name']):
+        if not config.exists(base + ['ipv6-name', name, 'rule']):
+            continue
+
+        for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']):
+            rule_iiface = base + ['ipv6-name', name, 'rule', rule, 'inbound-interface']
+            rule_oiface = base + ['ipv6-name', name, 'rule', rule, 'outbound-interface']
+
+            if config.exists(rule_iiface):
+                tmp = config.return_value(rule_iiface)
+                config.delete(rule_iiface)
+                config.set(rule_iiface + ['interface-name'], value=tmp)
+
+            if config.exists(rule_oiface):
+                tmp = config.return_value(rule_oiface)
+                config.delete(rule_oiface)
+                config.set(rule_oiface + ['interface-name'], value=tmp)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
\ No newline at end of file
diff --git a/src/migration-scripts/ipsec/9-to-10 b/src/migration-scripts/ipsec/9-to-10
index 1254104cb..de366ef3b 100755
--- a/src/migration-scripts/ipsec/9-to-10
+++ b/src/migration-scripts/ipsec/9-to-10
@@ -85,10 +85,10 @@ if config.exists(base + ['site-to-site', 'peer']):
             config.rename(peer_base + ['authentication', 'id'], 'local-id')
 
         # For the peer '@foo' set remote-id 'foo' if remote-id is not defined
-        if peer.startswith('@'):
-            if not config.exists(peer_base + ['authentication', 'remote-id']):
-                tmp = peer.replace('@', '')
-                config.set(peer_base + ['authentication', 'remote-id'], value=tmp)
+        # For the peer '192.0.2.1' set remote-id '192.0.2.1' if remote-id is not defined
+        if not config.exists(peer_base + ['authentication', 'remote-id']):
+            tmp = peer.replace('@', '') if peer.startswith('@') else peer
+            config.set(peer_base + ['authentication', 'remote-id'], value=tmp)
 
         # replace: 'peer <tag> force-encapsulation enable'
         #       => 'peer <tag> force-udp-encapsulation'