author | Andrew Topp <andrewt@telekinetica.net> | 2024-07-30 01:05:21 +1000 |
---|---|---|
committer | Andrew Topp <andrewt@telekinetica.net> | 2024-07-30 01:05:21 +1000 |
commit | 3d42009c0e3cf5ea7ea0ed167b4d8f655667edd8 (patch) | |
tree | 33116d9cc8184e14e63a85e126d30155cf3789f5 | |
parent | 7b325c1387797ad4bec01007532bb43b03aaf594 (diff) | |
download | vyos-1x-3d42009c0e3cf5ea7ea0ed167b4d8f655667edd8.tar.gz vyos-1x-3d42009c0e3cf5ea7ea0ed167b4d8f655667edd8.zip |
firewall: T4694: incomplete node checks in migration script
This patch on #3616 will only attempt to fix ipsec matches in rules if the
firewall config tree passed to migrate_chain() has rules attached.
-rwxr-xr-x | src/migration-scripts/firewall/16-to-17 | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/migration-scripts/firewall/16-to-17 b/src/migration-scripts/firewall/16-to-17
index 9ad7a30f8..ad0706f04 100755
--- a/src/migration-scripts/firewall/16-to-17
+++ b/src/migration-scripts/firewall/16-to-17
@@ -27,13 +27,14 @@
 # (nftables rejects 'meta ipsec' in output hooks), they are not considered here.
 #
-import sys
-
 from vyos.configtree import ConfigTree
 firewall_base = ['firewall']
 def migrate_chain(config: ConfigTree, path: list[str]) -> None:
+ if not config.exists(path + ['rule']):
+ return
+
 for rule_num in config.list_nodes(path + ['rule']):
 tmp_path = path + ['rule', rule_num, 'ipsec']
 if config.exists(tmp_path + ['match-ipsec']):
@@ -56,5 +57,4 @@ def migrate(config: ConfigTree) -> None:
 for base_hook in [['forward', 'filter'], ['input', 'filter'], ['prerouting', 'raw']]:
 tmp_path = firewall_base + [family] + base_hook
- if config.exists(tmp_path):
- migrate_chain(config, tmp_path)
+ migrate_chain(config, tmp_path) |
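Review bot: The new early return at the top of `migrate_chain` carries no comment saying which configuration it guards against, and once the second hunk drops the caller's `config.exists(tmp_path)` check it is the only guard for every call site. A one-line comment above it would record the intent, for example `# A chain may exist without a 'rule' node (e.g. only a default-action); nothing to migrate.` The commit message implies the unguarded `list_nodes()` call failed on such chains, so a migration test case with a rule-less chain would presumably keep a firewall config upgrade from aborting on this path again. The body of `migrate_chain` continues past the end of this hunk, so the remaining branches are not visible here.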