author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2024-01-10 17:54:17 +0100 |
committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-01-11 15:37:25 +0000 |
commit | 2df93b32000df4bb12e3cc417287fe7a97bda0fc (patch) | |
tree | a9ec88d1bf5ebbe5cae77fced6aadd09c129a78a /src/migration-scripts/firewall/10-to-11 | |
parent | 50c3debc90a6bee413338ad657c3f5194a893cd7 (diff) | |
firewall: T5814: Retain legacy 'accept' behaviour and re-order migration
Pre-1.4 firewall 'accept' action acted as a 'return'. This change ensures the migrated rules meet the expected behaviour.
This commit also re-orders the migrated in/out/local jumps by direction instead of by interface.
(cherry picked from commit dc542f109460bca6453d1eeba9fe829aea38bb33)
Diffstat (limited to 'src/migration-scripts/firewall/10-to-11')
-rwxr-xr-x | src/migration-scripts/firewall/10-to-11 | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11 index e14ea0e51..abb804a28 100755 --- a/src/migration-scripts/firewall/10-to-11 +++ b/src/migration-scripts/firewall/10-to-11 @@ -80,12 +80,27 @@ for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv config.delete(base + [option]) ### Migration of firewall name and ipv6-name +### Also migrate legacy 'accept' behaviour if config.exists(base + ['name']): config.set(['firewall', 'ipv4', 'name']) config.set_tag(['firewall', 'ipv4', 'name']) for ipv4name in config.list_nodes(base + ['name']): config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name]) + + if config.exists(base + ['ipv4', 'name', ipv4name, 'default-action']): + action = config.return_value(base + ['ipv4', 'name', ipv4name, 'default-action']) + + if action == 'accept': + config.set(base + ['ipv4', 'name', ipv4name, 'default-action'], value='return') + + if config.exists(base + ['ipv4', 'name', ipv4name, 'rule']): + for rule_id in config.list_nodes(base + ['ipv4', 'name', ipv4name, 'rule']): + action = config.return_value(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action']) + + if action == 'accept': + config.set(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action'], value='return') + config.delete(base + ['name']) if config.exists(base + ['ipv6-name']): 
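Review bot: The rule loop calls `config.return_value(...)` on each rule's `action` leaf unconditionally, while the `default-action` branch just above it guards the lookup with `config.exists`; a rule that carries no `action` would, as far as I recall the ConfigTree API, raise instead of being skipped, and the migration would then abort with the ruleset only partly rewritten. Guarding the lookup the same way keeps the two branches consistent: `action_path = base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action']`, `if config.exists(action_path) and config.return_value(action_path) == 'accept':`, `config.set(action_path, value='return')`. The ipv6-name hunk that follows repeats this block with only the address family changed and needs the same guard; a small helper taking the name path would remove the duplication. The added comment `### Also migrate legacy 'accept' behaviour` would serve a later reader better if it stated the reason, e.g. `### Pre-1.4 'accept' behaved as 'return'; rewrite it so migrated rules keep their old verdict`.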
@@ -94,6 +109,20 @@ if config.exists(base + ['ipv6-name']): for ipv6name in config.list_nodes(base + ['ipv6-name']): config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'name', ipv6name]) + + if config.exists(base + ['ipv6', 'name', ipv6name, 'default-action']): + action = config.return_value(base + ['ipv6', 'name', ipv6name, 'default-action']) + + if action == 'accept': + config.set(base + ['ipv6', 'name', ipv6name, 'default-action'], value='return') + + if config.exists(base + ['ipv6', 'name', ipv6name, 'rule']): + for rule_id in config.list_nodes(base + ['ipv6', 'name', ipv6name, 'rule']): + action = config.return_value(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action']) + + if action == 'accept': + config.set(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action'], value='return') + config.delete(base + ['ipv6-name']) ### Migration of firewall interface @@ -102,8 +131,8 @@ if config.exists(base + ['interface']): inp_ipv4_rule = 5 fwd_ipv6_rule = 5 inp_ipv6_rule = 5 - for iface in config.list_nodes(base + ['interface']): - for direction in ['in', 'out', 'local']: + for direction in ['in', 'out', 'local']: + for iface in config.list_nodes(base + ['interface']): if config.exists(base + ['interface', iface, direction]): if config.exists(base + ['interface', iface, direction, 'name']): target = config.return_value(base + ['interface', iface, direction, 'name']) |
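Review bot: The loop swap in the interface-migration hunk changes the order in which the jump rules are emitted (and, assuming the `fwd_*`/`inp_*` counters initialised just above are bumped per emitted rule further down, their numbering), but nothing in the code records why the direction-major order is wanted. A one-line comment above the outer loop would carry the intent from the commit message into the script: `# Direction-major order: emit every 'in' jump first, then 'out', then 'local', so generated rule numbers group by direction rather than by interface`. The enclosing `if config.exists(base + ['interface']):` block starts before this hunk and continues past it.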