summaryrefslogtreecommitdiff
path: root/src/migration-scripts/firewall/10-to-11
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2024-01-10 17:54:17 +0100
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-01-11 15:37:25 +0000
commit2df93b32000df4bb12e3cc417287fe7a97bda0fc (patch)
treea9ec88d1bf5ebbe5cae77fced6aadd09c129a78a /src/migration-scripts/firewall/10-to-11
parent50c3debc90a6bee413338ad657c3f5194a893cd7 (diff)
downloadvyos-1x-2df93b32000df4bb12e3cc417287fe7a97bda0fc.tar.gz
vyos-1x-2df93b32000df4bb12e3cc417287fe7a97bda0fc.zip
firewall: T5814: Retain legacy 'accept' behaviour and re-order migration
Pre-1.4 firewall 'accept' action acted as a 'return'. This change ensures the migrated rules meet the expected behaviour. This commit also re-orders migrated in/out/local jumps ordered by direction instead of interface. (cherry picked from commit dc542f109460bca6453d1eeba9fe829aea38bb33)
Diffstat (limited to 'src/migration-scripts/firewall/10-to-11')
-rwxr-xr-xsrc/migration-scripts/firewall/10-to-1133
1 files changed, 31 insertions, 2 deletions
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11
index e14ea0e51..abb804a28 100755
--- a/src/migration-scripts/firewall/10-to-11
+++ b/src/migration-scripts/firewall/10-to-11
@@ -80,12 +80,27 @@ for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv
config.delete(base + [option])
### Migration of firewall name and ipv6-name
+### Also migrate legacy 'accept' behaviour
if config.exists(base + ['name']):
config.set(['firewall', 'ipv4', 'name'])
config.set_tag(['firewall', 'ipv4', 'name'])
for ipv4name in config.list_nodes(base + ['name']):
config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name])
+
+ if config.exists(base + ['ipv4', 'name', ipv4name, 'default-action']):
+ action = config.return_value(base + ['ipv4', 'name', ipv4name, 'default-action'])
+
+ if action == 'accept':
+ config.set(base + ['ipv4', 'name', ipv4name, 'default-action'], value='return')
+
+ if config.exists(base + ['ipv4', 'name', ipv4name, 'rule']):
+ for rule_id in config.list_nodes(base + ['ipv4', 'name', ipv4name, 'rule']):
+ action = config.return_value(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action'])
+
+ if action == 'accept':
+ config.set(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action'], value='return')
+
config.delete(base + ['name'])
if config.exists(base + ['ipv6-name']):
@@ -94,6 +109,20 @@ if config.exists(base + ['ipv6-name']):
for ipv6name in config.list_nodes(base + ['ipv6-name']):
config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'name', ipv6name])
+
+ if config.exists(base + ['ipv6', 'name', ipv6name, 'default-action']):
+ action = config.return_value(base + ['ipv6', 'name', ipv6name, 'default-action'])
+
+ if action == 'accept':
+ config.set(base + ['ipv6', 'name', ipv6name, 'default-action'], value='return')
+
+ if config.exists(base + ['ipv6', 'name', ipv6name, 'rule']):
+ for rule_id in config.list_nodes(base + ['ipv6', 'name', ipv6name, 'rule']):
+ action = config.return_value(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action'])
+
+ if action == 'accept':
+ config.set(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action'], value='return')
+
config.delete(base + ['ipv6-name'])
### Migration of firewall interface
@@ -102,8 +131,8 @@ if config.exists(base + ['interface']):
inp_ipv4_rule = 5
fwd_ipv6_rule = 5
inp_ipv6_rule = 5
- for iface in config.list_nodes(base + ['interface']):
- for direction in ['in', 'out', 'local']:
+ for direction in ['in', 'out', 'local']:
+ for iface in config.list_nodes(base + ['interface']):
if config.exists(base + ['interface', iface, direction]):
if config.exists(base + ['interface', iface, direction, 'name']):
target = config.return_value(base + ['interface', iface, direction, 'name'])