summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-01-11 06:47:50 +0100
committerGitHub <noreply@github.com>2024-01-11 06:47:50 +0100
commitd61cc9a0628be30314ff15c404e2ba0783e5a2b2 (patch)
tree875c4cac28ef600764211831cd494b705903e59a
parentee494c3a1dbfca3457bcaffe89d45971348e4848 (diff)
parentdc542f109460bca6453d1eeba9fe829aea38bb33 (diff)
downloadvyos-1x-d61cc9a0628be30314ff15c404e2ba0783e5a2b2.tar.gz
vyos-1x-d61cc9a0628be30314ff15c404e2ba0783e5a2b2.zip
Merge pull request #2790 from sarthurdev/T5814
firewall: T5814: Retain legacy 'accept' behaviour and re-order migration
-rwxr-xr-xsrc/migration-scripts/firewall/10-to-1133
1 files changed, 31 insertions, 2 deletions
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11
index e14ea0e51..abb804a28 100755
--- a/src/migration-scripts/firewall/10-to-11
+++ b/src/migration-scripts/firewall/10-to-11
@@ -80,12 +80,27 @@ for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv
config.delete(base + [option])
### Migration of firewall name and ipv6-name
+### Also migrate legacy 'accept' behaviour
if config.exists(base + ['name']):
config.set(['firewall', 'ipv4', 'name'])
config.set_tag(['firewall', 'ipv4', 'name'])
for ipv4name in config.list_nodes(base + ['name']):
config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name])
+
+ if config.exists(base + ['ipv4', 'name', ipv4name, 'default-action']):
+ action = config.return_value(base + ['ipv4', 'name', ipv4name, 'default-action'])
+
+ if action == 'accept':
+ config.set(base + ['ipv4', 'name', ipv4name, 'default-action'], value='return')
+
+ if config.exists(base + ['ipv4', 'name', ipv4name, 'rule']):
+ for rule_id in config.list_nodes(base + ['ipv4', 'name', ipv4name, 'rule']):
+ action = config.return_value(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action'])
+
+ if action == 'accept':
+ config.set(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action'], value='return')
+
config.delete(base + ['name'])
if config.exists(base + ['ipv6-name']):
@@ -94,6 +109,20 @@ if config.exists(base + ['ipv6-name']):
for ipv6name in config.list_nodes(base + ['ipv6-name']):
config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'name', ipv6name])
+
+ if config.exists(base + ['ipv6', 'name', ipv6name, 'default-action']):
+ action = config.return_value(base + ['ipv6', 'name', ipv6name, 'default-action'])
+
+ if action == 'accept':
+ config.set(base + ['ipv6', 'name', ipv6name, 'default-action'], value='return')
+
+ if config.exists(base + ['ipv6', 'name', ipv6name, 'rule']):
+ for rule_id in config.list_nodes(base + ['ipv6', 'name', ipv6name, 'rule']):
+ action = config.return_value(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action'])
+
+ if action == 'accept':
+ config.set(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action'], value='return')
+
config.delete(base + ['ipv6-name'])
### Migration of firewall interface
@@ -102,8 +131,8 @@ if config.exists(base + ['interface']):
inp_ipv4_rule = 5
fwd_ipv6_rule = 5
inp_ipv6_rule = 5
- for iface in config.list_nodes(base + ['interface']):
- for direction in ['in', 'out', 'local']:
+ for direction in ['in', 'out', 'local']:
+ for iface in config.list_nodes(base + ['interface']):
if config.exists(base + ['interface', iface, direction]):
if config.exists(base + ['interface', iface, direction, 'name']):
target = config.return_value(base + ['interface', iface, direction, 'name'])