summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Topp <andrewt@telekinetica.net>2024-07-30 01:05:21 +1000
committerAndrew Topp <andrewt@telekinetica.net>2024-07-30 01:05:21 +1000
commit3d42009c0e3cf5ea7ea0ed167b4d8f655667edd8 (patch)
tree33116d9cc8184e14e63a85e126d30155cf3789f5
parent7b325c1387797ad4bec01007532bb43b03aaf594 (diff)
downloadvyos-1x-3d42009c0e3cf5ea7ea0ed167b4d8f655667edd8.tar.gz
vyos-1x-3d42009c0e3cf5ea7ea0ed167b4d8f655667edd8.zip
firewall: T4694: incomplete node checks in migration script
This patch on #3616 will only attempt to fix ipsec matches in rules if the firewall config tree passed to migrate_chain() has rules attached.
-rwxr-xr-xsrc/migration-scripts/firewall/16-to-178
1 files changed, 4 insertions, 4 deletions
diff --git a/src/migration-scripts/firewall/16-to-17 b/src/migration-scripts/firewall/16-to-17
index 9ad7a30f8..ad0706f04 100755
--- a/src/migration-scripts/firewall/16-to-17
+++ b/src/migration-scripts/firewall/16-to-17
@@ -27,13 +27,14 @@
# (nftables rejects 'meta ipsec' in output hooks), they are not considered here.
#
-import sys
-
from vyos.configtree import ConfigTree
firewall_base = ['firewall']
def migrate_chain(config: ConfigTree, path: list[str]) -> None:
+ if not config.exists(path + ['rule']):
+ return
+
for rule_num in config.list_nodes(path + ['rule']):
tmp_path = path + ['rule', rule_num, 'ipsec']
if config.exists(tmp_path + ['match-ipsec']):
@@ -56,5 +57,4 @@ def migrate(config: ConfigTree) -> None:
for base_hook in [['forward', 'filter'], ['input', 'filter'], ['prerouting', 'raw']]:
tmp_path = firewall_base + [family] + base_hook
- if config.exists(tmp_path):
- migrate_chain(config, tmp_path)
+ migrate_chain(config, tmp_path)