From c82fe6540c0c0c499434c3ccbb4228b30b24e924 Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Tue, 17 Oct 2023 11:25:03 +0000
Subject: T5541: remove migration script from zone-based firewall to new cli.
Syntax remains the same, so no migration is needed regarding this feature
---
src/migration-scripts/firewall/10-to-11 | 185 --------------------------------
1 file changed, 185 deletions(-)
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11
index 716c5a240..b739fb139 100755
--- a/src/migration-scripts/firewall/10-to-11
+++ b/src/migration-scripts/firewall/10-to-11
@@ -181,191 +181,6 @@ if config.exists(base + ['interface']):
config.delete(base + ['interface'])
-
-### Migration of zones:
-### User interface groups
-if config.exists(base + ['zone']):
- inp_ipv4_rule = 101
- inp_ipv6_rule = 101
- fwd_ipv4_rule = 101
- fwd_ipv6_rule = 101
- out_ipv4_rule = 101
- out_ipv6_rule = 101
- local_zone = 'False'
-
- for zone in config.list_nodes(base + ['zone']):
- if config.exists(base + ['zone', zone, 'local-zone']):
- local_zone = 'True'
- # Add default-action== accept for compatibility reasons:
- config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept')
- config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept')
- config.set(base + ['ipv4', 'output', 'filter', 'default-action'], value='accept')
- config.set(base + ['ipv6', 'output', 'filter', 'default-action'], value='accept')
- for from_zone in config.list_nodes(base + ['zone', zone, 'from']):
- group_name = 'IG_' + from_zone
- if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']):
- # ipv4 input ruleset
- target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name'])
- config.set(base + ['ipv4', 'input', 'filter', 'rule'])
- config.set_tag(base + ['ipv4', 'input', 'filter', 'rule'])
- config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump')
- config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
- inp_ipv4_rule = inp_ipv4_rule + 5
- if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']):
- # ipv6 input ruleset
- target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name'])
- config.set(base + ['ipv6', 'input', 'filter', 'rule'])
- config.set_tag(base + ['ipv6', 'input', 'filter', 'rule'])
- config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value='jump')
- config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'jump-target'], value=target_ipv6_chain)
- inp_ipv6_rule = inp_ipv6_rule + 5
-
- # Migrate: set firewall zone <zone> default-action <action>
- # Options: drop or reject. If not specified, is drop
- if config.exists(base + ['zone', zone, 'default-action']):
- local_def_action = config.return_value(base + ['zone', zone, 'default-action'])
- else:
- local_def_action = 'drop'
- config.set(base + ['ipv4', 'input', 'filter', 'rule'])
- config.set_tag(base + ['ipv4', 'input', 'filter', 'rule'])
- config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action)
- config.set(base + ['ipv6', 'input', 'filter', 'rule'])
- config.set_tag(base + ['ipv6', 'input', 'filter', 'rule'])
- config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value=local_def_action)
- if config.exists(base + ['zone', zone, 'enable-default-log']):
- config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable')
- config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'log'], value='enable')
-
- else:
- # It's not a local zone
- group_name = 'IG_' + zone
- # Add default-action== accept for compatibility reasons:
- config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
- config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
- # intra-filtering migration. By default accept
- intra_zone_ipv4_action = 'accept'
- intra_zone_ipv6_action = 'accept'
-
- if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'action']):
- intra_zone_ipv4_action = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'action'])
- intra_zone_ipv6_action = intra_zone_ipv4_action
- else:
- if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']):
- intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name'])
- intra_zone_ipv4_action = 'jump'
- if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']):
- intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name'])
- intra_zone_ipv6_action = 'jump'
- config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
- config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
- config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action)
- config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
- config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
- config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value=intra_zone_ipv6_action)
- if intra_zone_ipv4_action == 'jump':
- if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']):
- intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name'])
- config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target)
- if intra_zone_ipv6_action == 'jump':
- if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']):
- intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name'])
- config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'jump-target'], value=intra_zone_ipv6_target)
- fwd_ipv4_rule = fwd_ipv4_rule + 5
- fwd_ipv6_rule = fwd_ipv6_rule + 5
-
- if config.exists(base + ['zone', zone, 'interface']):
- # Create interface group IG_<zone>
- group_name = 'IG_' + zone
- config.set(base + ['group', 'interface-group'], value=group_name)
- config.set_tag(base + ['group', 'interface-group'])
- for iface in config.return_values(base + ['zone', zone, 'interface']):
- config.set(base + ['group', 'interface-group', group_name, 'interface'], value=iface, replace=False)
-
- if config.exists(base + ['zone', zone, 'from']):
- for from_zone in config.list_nodes(base + ['zone', zone, 'from']):
- from_group = 'IG_' + from_zone
- if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']):
- target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name'])
- if config.exists(base + ['zone', from_zone, 'local-zone']):
- # It's from LOCAL zone -> Output filtering
- config.set(base + ['ipv4', 'output', 'filter', 'rule'])
- config.set_tag(base + ['ipv4', 'output', 'filter', 'rule'])
- config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump')
- config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
- out_ipv4_rule = out_ipv4_rule + 5
- else:
- # It's not LOCAL zone -> forward filtering
- config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
- config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
- config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group)
- config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump')
- config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
- fwd_ipv4_rule = fwd_ipv4_rule + 5
- if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']):
- target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name'])
- if config.exists(base + ['zone', from_zone, 'local-zone']):
- # It's from LOCAL zone -> Output filtering
- config.set(base + ['ipv6', 'output', 'filter', 'rule'])
- config.set_tag(base + ['ipv6', 'output', 'filter', 'rule'])
- config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value='jump')
- config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'jump-target'], value=target_ipv6_chain)
- out_ipv6_rule = out_ipv6_rule + 5
- else:
- # It's not LOCAL zone -> forward filtering
- config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
- config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
- config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=from_group)
- config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value='jump')
- config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'jump-target'], value=target_ipv6_chain)
- fwd_ipv6_rule = fwd_ipv6_rule + 5
-
- ## Now need to migrate: set firewall zone <zone> default-action <action> # action=drop if not specified.
- if config.exists(base + ['zone', zone, 'default-action']):
- def_action = config.return_value(base + ['zone', zone, 'default-action'])
- else:
- def_action = 'drop'
- config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
- config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
- config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action)
- description = 'zone_' + zone + ' default-action'
- config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description)
- config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
- config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
- config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
- config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value=def_action)
- config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'description'], value=description)
-
- if config.exists(base + ['zone', zone, 'enable-default-log']):
- config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable')
- config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'log'], value='enable')
- fwd_ipv4_rule = fwd_ipv4_rule + 5
- fwd_ipv6_rule = fwd_ipv6_rule + 5
-
- # Migrate default-action (force to be drop in output chain) if local zone is defined
- if local_zone == 'True':
- # General drop in output change if needed
- config.set(base + ['ipv4', 'output', 'filter', 'rule'])
- config.set_tag(base + ['ipv4', 'output', 'filter', 'rule'])
- config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action)
- config.set(base + ['ipv6', 'output', 'filter', 'rule'])
- config.set_tag(base + ['ipv6', 'output', 'filter', 'rule'])
- config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value=local_def_action)
-
- config.delete(base + ['zone'])
-
-###### END migration zones
-
try:
with open(file_name, 'w') as f:
f.write(config.to_string())
--
cgit v1.2.3