authorDaniil Baturin <daniil@vyos.io>2024-09-12 13:59:18 +0100
committerGitHub <noreply@github.com>2024-09-12 13:59:18 +0100
commit205d957d092ade5708cc2182381864c04e4c0aff (patch)
treee78636efaa1332c5d49e1c2f023721dc030f8d6a /src/migration-scripts/firewall
parent9652bfda0a7f3e7932aecb32262c34f3fede72b2 (diff)
parenteaa9c82670fa5ee90835266e6f7a24f81c49d17e (diff)
Merge pull request #4050 from jestabro/revise-migration-circinus
T6007: revise migration system
Diffstat (limited to 'src/migration-scripts/firewall')
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/firewall/10-to-11312
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/firewall/11-to-1288
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/firewall/12-to-13114
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/firewall/13-to-1464
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/firewall/14-to-1549
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/firewall/15-to-1639
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/firewall/5-to-6160
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/firewall/6-to-7444
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/firewall/7-to-8106
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/firewall/8-to-9126
-rw-r--r--[-rwxr-xr-x]src/migration-scripts/firewall/9-to-10104
11 files changed, 694 insertions, 912 deletions
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11
index 854d5a558..70a170940 100755..100644
--- a/src/migration-scripts/firewall/10-to-11
+++ b/src/migration-scripts/firewall/10-to-11
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
-# Copyright (C) 2023-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
# T5160: Firewall re-writing
@@ -37,171 +36,152 @@
# set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> action jump
# set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> jump-target <name>
-from sys import argv
-from sys import exit
-
from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
base = ['firewall']
-config = ConfigTree(config_file)
-
-if not config.exists(base):
- # Nothing to do
- exit(0)
-
-### Migration of state policies
-if config.exists(base + ['state-policy']):
- for state in config.list_nodes(base + ['state-policy']):
- action = config.return_value(base + ['state-policy', state, 'action'])
- config.set(base + ['global-options', 'state-policy', state, 'action'], value=action)
- if config.exists(base + ['state-policy', state, 'log']):
- config.set(base + ['global-options', 'state-policy', state, 'log'], value='enable')
- config.delete(base + ['state-policy'])
-
-## migration of global options:
-for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv6-receive-redirects', 'ipv6-src-route', 'log-martians',
- 'receive-redirects', 'resolver-cache', 'resolver-internal', 'send-redirects', 'source-validation', 'syn-cookies', 'twa-hazards-protection']:
- if config.exists(base + [option]):
- if option != 'config-trap':
- val = config.return_value(base + [option])
- config.set(base + ['global-options', option], value=val)
- config.delete(base + [option])
-
-### Migration of firewall name and ipv6-name
-### Also migrate legacy 'accept' behaviour
-if config.exists(base + ['name']):
- config.set(['firewall', 'ipv4', 'name'])
- config.set_tag(['firewall', 'ipv4', 'name'])
-
- for ipv4name in config.list_nodes(base + ['name']):
- config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name])
-
- if config.exists(base + ['ipv4', 'name', ipv4name, 'default-action']):
- action = config.return_value(base + ['ipv4', 'name', ipv4name, 'default-action'])
-
- if action == 'accept':
- config.set(base + ['ipv4', 'name', ipv4name, 'default-action'], value='return')
-
- if config.exists(base + ['ipv4', 'name', ipv4name, 'rule']):
- for rule_id in config.list_nodes(base + ['ipv4', 'name', ipv4name, 'rule']):
- action = config.return_value(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action'])
+
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base):
+ # Nothing to do
+ return
+
+ ### Migration of state policies
+ if config.exists(base + ['state-policy']):
+ for state in config.list_nodes(base + ['state-policy']):
+ action = config.return_value(base + ['state-policy', state, 'action'])
+ config.set(base + ['global-options', 'state-policy', state, 'action'], value=action)
+ if config.exists(base + ['state-policy', state, 'log']):
+ config.set(base + ['global-options', 'state-policy', state, 'log'], value='enable')
+ config.delete(base + ['state-policy'])
+
+ ## migration of global options:
+ for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv6-receive-redirects', 'ipv6-src-route', 'log-martians',
+ 'receive-redirects', 'resolver-cache', 'resolver-internal', 'send-redirects', 'source-validation', 'syn-cookies', 'twa-hazards-protection']:
+ if config.exists(base + [option]):
+ if option != 'config-trap':
+ val = config.return_value(base + [option])
+ config.set(base + ['global-options', option], value=val)
+ config.delete(base + [option])
+
+ ### Migration of firewall name and ipv6-name
+ ### Also migrate legacy 'accept' behaviour
+ if config.exists(base + ['name']):
+ config.set(['firewall', 'ipv4', 'name'])
+ config.set_tag(['firewall', 'ipv4', 'name'])
+
+ for ipv4name in config.list_nodes(base + ['name']):
+ config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name])
+
+ if config.exists(base + ['ipv4', 'name', ipv4name, 'default-action']):
+ action = config.return_value(base + ['ipv4', 'name', ipv4name, 'default-action'])
if action == 'accept':
- config.set(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action'], value='return')
+ config.set(base + ['ipv4', 'name', ipv4name, 'default-action'], value='return')
- config.delete(base + ['name'])
+ if config.exists(base + ['ipv4', 'name', ipv4name, 'rule']):
+ for rule_id in config.list_nodes(base + ['ipv4', 'name', ipv4name, 'rule']):
+ action = config.return_value(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action'])
-if config.exists(base + ['ipv6-name']):
- config.set(['firewall', 'ipv6', 'name'])
- config.set_tag(['firewall', 'ipv6', 'name'])
+ if action == 'accept':
+ config.set(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action'], value='return')
- for ipv6name in config.list_nodes(base + ['ipv6-name']):
- config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'name', ipv6name])
+ config.delete(base + ['name'])
- if config.exists(base + ['ipv6', 'name', ipv6name, 'default-action']):
- action = config.return_value(base + ['ipv6', 'name', ipv6name, 'default-action'])
+ if config.exists(base + ['ipv6-name']):
+ config.set(['firewall', 'ipv6', 'name'])
+ config.set_tag(['firewall', 'ipv6', 'name'])
- if action == 'accept':
- config.set(base + ['ipv6', 'name', ipv6name, 'default-action'], value='return')
+ for ipv6name in config.list_nodes(base + ['ipv6-name']):
+ config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'name', ipv6name])
- if config.exists(base + ['ipv6', 'name', ipv6name, 'rule']):
- for rule_id in config.list_nodes(base + ['ipv6', 'name', ipv6name, 'rule']):
- action = config.return_value(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action'])
+ if config.exists(base + ['ipv6', 'name', ipv6name, 'default-action']):
+ action = config.return_value(base + ['ipv6', 'name', ipv6name, 'default-action'])
if action == 'accept':
- config.set(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action'], value='return')
-
- config.delete(base + ['ipv6-name'])
-
-### Migration of firewall interface
-if config.exists(base + ['interface']):
- fwd_ipv4_rule = 5
- inp_ipv4_rule = 5
- fwd_ipv6_rule = 5
- inp_ipv6_rule = 5
- for direction in ['in', 'out', 'local']:
- for iface in config.list_nodes(base + ['interface']):
- if config.exists(base + ['interface', iface, direction]):
- if config.exists(base + ['interface', iface, direction, 'name']):
- target = config.return_value(base + ['interface', iface, direction, 'name'])
- if direction == 'in':
- # Add default-action== accept for compatibility reasons:
- config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
- new_base = base + ['ipv4', 'forward', 'filter', 'rule']
- config.set(new_base)
- config.set_tag(new_base)
- config.set(new_base + [fwd_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface)
- config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump')
- config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target)
- fwd_ipv4_rule = fwd_ipv4_rule + 5
- elif direction == 'out':
- # Add default-action== accept for compatibility reasons:
- config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
- new_base = base + ['ipv4', 'forward', 'filter', 'rule']
- config.set(new_base)
- config.set_tag(new_base)
- config.set(new_base + [fwd_ipv4_rule, 'outbound-interface', 'interface-name'], value=iface)
- config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump')
- config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target)
- fwd_ipv4_rule = fwd_ipv4_rule + 5
- else:
- # Add default-action== accept for compatibility reasons:
- config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept')
- new_base = base + ['ipv4', 'input', 'filter', 'rule']
- config.set(new_base)
- config.set_tag(new_base)
- config.set(new_base + [inp_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface)
- config.set(new_base + [inp_ipv4_rule, 'action'], value='jump')
- config.set(new_base + [inp_ipv4_rule, 'jump-target'], value=target)
- inp_ipv4_rule = inp_ipv4_rule + 5
-
- if config.exists(base + ['interface', iface, direction, 'ipv6-name']):
- target = config.return_value(base + ['interface', iface, direction, 'ipv6-name'])
- if direction == 'in':
- # Add default-action== accept for compatibility reasons:
- config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
- new_base = base + ['ipv6', 'forward', 'filter', 'rule']
- config.set(new_base)
- config.set_tag(new_base)
- config.set(new_base + [fwd_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface)
- config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump')
- config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target)
- fwd_ipv6_rule = fwd_ipv6_rule + 5
- elif direction == 'out':
- # Add default-action== accept for compatibility reasons:
- config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
- new_base = base + ['ipv6', 'forward', 'filter', 'rule']
- config.set(new_base)
- config.set_tag(new_base)
- config.set(new_base + [fwd_ipv6_rule, 'outbound-interface', 'interface-name'], value=iface)
- config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump')
- config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target)
- fwd_ipv6_rule = fwd_ipv6_rule + 5
- else:
- new_base = base + ['ipv6', 'input', 'filter', 'rule']
- # Add default-action== accept for compatibility reasons:
- config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept')
- config.set(new_base)
- config.set_tag(new_base)
- config.set(new_base + [inp_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface)
- config.set(new_base + [inp_ipv6_rule, 'action'], value='jump')
- config.set(new_base + [inp_ipv6_rule, 'jump-target'], value=target)
- inp_ipv6_rule = inp_ipv6_rule + 5
-
- config.delete(base + ['interface'])
-
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+ config.set(base + ['ipv6', 'name', ipv6name, 'default-action'], value='return')
+
+ if config.exists(base + ['ipv6', 'name', ipv6name, 'rule']):
+ for rule_id in config.list_nodes(base + ['ipv6', 'name', ipv6name, 'rule']):
+ action = config.return_value(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action'])
+
+ if action == 'accept':
+ config.set(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action'], value='return')
+
+ config.delete(base + ['ipv6-name'])
+
+ ### Migration of firewall interface
+ if config.exists(base + ['interface']):
+ fwd_ipv4_rule = 5
+ inp_ipv4_rule = 5
+ fwd_ipv6_rule = 5
+ inp_ipv6_rule = 5
+ for direction in ['in', 'out', 'local']:
+ for iface in config.list_nodes(base + ['interface']):
+ if config.exists(base + ['interface', iface, direction]):
+ if config.exists(base + ['interface', iface, direction, 'name']):
+ target = config.return_value(base + ['interface', iface, direction, 'name'])
+ if direction == 'in':
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv4', 'forward', 'filter', 'rule']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.set(new_base + [fwd_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface)
+ config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump')
+ config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target)
+ fwd_ipv4_rule = fwd_ipv4_rule + 5
+ elif direction == 'out':
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv4', 'forward', 'filter', 'rule']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.set(new_base + [fwd_ipv4_rule, 'outbound-interface', 'interface-name'], value=iface)
+ config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump')
+ config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target)
+ fwd_ipv4_rule = fwd_ipv4_rule + 5
+ else:
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv4', 'input', 'filter', 'rule']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.set(new_base + [inp_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface)
+ config.set(new_base + [inp_ipv4_rule, 'action'], value='jump')
+ config.set(new_base + [inp_ipv4_rule, 'jump-target'], value=target)
+ inp_ipv4_rule = inp_ipv4_rule + 5
+
+ if config.exists(base + ['interface', iface, direction, 'ipv6-name']):
+ target = config.return_value(base + ['interface', iface, direction, 'ipv6-name'])
+ if direction == 'in':
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv6', 'forward', 'filter', 'rule']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.set(new_base + [fwd_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface)
+ config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump')
+ config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target)
+ fwd_ipv6_rule = fwd_ipv6_rule + 5
+ elif direction == 'out':
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
+ new_base = base + ['ipv6', 'forward', 'filter', 'rule']
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.set(new_base + [fwd_ipv6_rule, 'outbound-interface', 'interface-name'], value=iface)
+ config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump')
+ config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target)
+ fwd_ipv6_rule = fwd_ipv6_rule + 5
+ else:
+ new_base = base + ['ipv6', 'input', 'filter', 'rule']
+ # Add default-action== accept for compatibility reasons:
+ config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept')
+ config.set(new_base)
+ config.set_tag(new_base)
+ config.set(new_base + [inp_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface)
+ config.set(new_base + [inp_ipv6_rule, 'action'], value='jump')
+ config.set(new_base + [inp_ipv6_rule, 'jump-target'], value=target)
+ inp_ipv6_rule = inp_ipv6_rule + 5
+
+ config.delete(base + ['interface'])
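Review bot: `migrate` at the top of this hunk has no docstring, and the contract that replaced the old read/write/exit sequence — the tree is modified in place and persisting it is the caller's job — is now stated nowhere in the file; the same applies to the `migrate` functions in 11-to-12, 12-to-13 and 13-to-14. A one-line docstring such as `"""Migrate the firewall config from version 10 to 11 in place; the caller persists the tree."""` would make that explicit. The function also still reads `action` values with `return_value` and no preceding `exists` check (e.g. `action = config.return_value(base + ['state-policy', state, 'action'])` and the per-rule reads further down); what happens for a legacy rule without an action depends on ConfigTree, which is not on this page, so it may be worth confirming. Given its length, splitting the four commented sections into private helpers (`_migrate_state_policy`, `_migrate_global_options`, `_migrate_names`, `_migrate_interfaces`) would make each step readable and testable on its own.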
diff --git a/src/migration-scripts/firewall/11-to-12 b/src/migration-scripts/firewall/11-to-12
index f9122e74c..80a74cca9 100755..100644
--- a/src/migration-scripts/firewall/11-to-12
+++ b/src/migration-scripts/firewall/11-to-12
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
-# Copyright (C) 2023-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
# T5681: Firewall re-writing. Simplify cli when mathcing interface
# From
@@ -22,50 +21,31 @@
# set firewall ... rule <rule> [inbound-interface | outboubd-interface] name <iface>
# set firewall ... rule <rule> [inbound-interface | outboubd-interface] group <iface_group>
-from sys import argv
-from sys import exit
-
from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
base = ['firewall']
-config = ConfigTree(config_file)
-
-if not config.exists(base):
- # Nothing to do
- exit(0)
-
-## Migration from base chains
-#if config.exists(base + ['interface', iface, direction]):
-for family in ['ipv4', 'ipv6']:
- if config.exists(base + [family]):
- for hook in ['forward', 'input', 'output', 'name']:
- if config.exists(base + [family, hook]):
- for priority in config.list_nodes(base + [family, hook]):
- if config.exists(base + [family, hook, priority, 'rule']):
- for rule in config.list_nodes(base + [family, hook, priority, 'rule']):
- for direction in ['inbound-interface', 'outbound-interface']:
- if config.exists(base + [family, hook, priority, 'rule', rule, direction]):
- if config.exists(base + [family, hook, priority, 'rule', rule, direction, 'interface-name']):
- iface = config.return_value(base + [family, hook, priority, 'rule', rule, direction, 'interface-name'])
- config.set(base + [family, hook, priority, 'rule', rule, direction, 'name'], value=iface)
- config.delete(base + [family, hook, priority, 'rule', rule, direction, 'interface-name'])
- elif config.exists(base + [family, hook, priority, 'rule', rule, direction, 'interface-group']):
- group = config.return_value(base + [family, hook, priority, 'rule', rule, direction, 'interface-group'])
- config.set(base + [family, hook, priority, 'rule', rule, direction, 'group'], value=group)
- config.delete(base + [family, hook, priority, 'rule', rule, direction, 'interface-group'])
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base):
+ # Nothing to do
+ return
+
+ ## Migration from base chains
+ #if config.exists(base + ['interface', iface, direction]):
+ for family in ['ipv4', 'ipv6']:
+ if config.exists(base + [family]):
+ for hook in ['forward', 'input', 'output', 'name']:
+ if config.exists(base + [family, hook]):
+ for priority in config.list_nodes(base + [family, hook]):
+ if config.exists(base + [family, hook, priority, 'rule']):
+ for rule in config.list_nodes(base + [family, hook, priority, 'rule']):
+ for direction in ['inbound-interface', 'outbound-interface']:
+ if config.exists(base + [family, hook, priority, 'rule', rule, direction]):
+ if config.exists(base + [family, hook, priority, 'rule', rule, direction, 'interface-name']):
+ iface = config.return_value(base + [family, hook, priority, 'rule', rule, direction, 'interface-name'])
+ config.set(base + [family, hook, priority, 'rule', rule, direction, 'name'], value=iface)
+ config.delete(base + [family, hook, priority, 'rule', rule, direction, 'interface-name'])
+ elif config.exists(base + [family, hook, priority, 'rule', rule, direction, 'interface-group']):
+ group = config.return_value(base + [family, hook, priority, 'rule', rule, direction, 'interface-group'])
+ config.set(base + [family, hook, priority, 'rule', rule, direction, 'group'], value=group)
+ config.delete(base + [family, hook, priority, 'rule', rule, direction, 'interface-group'])
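Review bot: The commented-out line `#if config.exists(base + ['interface', iface, direction]):` directly under the `## Migration from base chains` comment refers to names (`iface`, `direction`) that are not defined at that point and was carried from the old script body into the new `migrate` function; it reads as a stale copy-paste and should be deleted rather than moved. The `## Migration from base chains` comment alone is enough to introduce the loop that follows.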
diff --git a/src/migration-scripts/firewall/12-to-13 b/src/migration-scripts/firewall/12-to-13
index d72ba834d..d7b801cd3 100755..100644
--- a/src/migration-scripts/firewall/12-to-13
+++ b/src/migration-scripts/firewall/12-to-13
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
-# Copyright (C) 2023-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
# T5729: Switch to valueless whenever is possible.
# From
@@ -25,65 +24,46 @@
# set firewall ... rule <rule> state <state>
# Remove command if log=disable or <state>=disable
-from sys import argv
-from sys import exit
-
from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
base = ['firewall']
-config = ConfigTree(config_file)
-
-if not config.exists(base):
- # Nothing to do
- exit(0)
-# State Policy logs:
-if config.exists(base + ['global-options', 'state-policy']):
- for state in config.list_nodes(base + ['global-options', 'state-policy']):
- if config.exists(base + ['global-options', 'state-policy', state, 'log']):
- log_value = config.return_value(base + ['global-options', 'state-policy', state, 'log'])
- config.delete(base + ['global-options', 'state-policy', state, 'log'])
- if log_value == 'enable':
- config.set(base + ['global-options', 'state-policy', state, 'log'])
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base):
+ # Nothing to do
+ return
-for family in ['ipv4', 'ipv6', 'bridge']:
- if config.exists(base + [family]):
- for hook in ['forward', 'input', 'output', 'name']:
- if config.exists(base + [family, hook]):
- for priority in config.list_nodes(base + [family, hook]):
- if config.exists(base + [family, hook, priority, 'rule']):
- for rule in config.list_nodes(base + [family, hook, priority, 'rule']):
- # Log
- if config.exists(base + [family, hook, priority, 'rule', rule, 'log']):
- log_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'log'])
- config.delete(base + [family, hook, priority, 'rule', rule, 'log'])
- if log_value == 'enable':
- config.set(base + [family, hook, priority, 'rule', rule, 'log'])
- # State
- if config.exists(base + [family, hook, priority, 'rule', rule, 'state']):
- flag_enable = 'False'
- for state in ['established', 'invalid', 'new', 'related']:
- if config.exists(base + [family, hook, priority, 'rule', rule, 'state', state]):
- state_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'state', state])
- config.delete(base + [family, hook, priority, 'rule', rule, 'state', state])
- if state_value == 'enable':
- config.set(base + [family, hook, priority, 'rule', rule, 'state'], value=state, replace=False)
- flag_enable = 'True'
- if flag_enable == 'False':
- config.delete(base + [family, hook, priority, 'rule', rule, 'state'])
+ # State Policy logs:
+ if config.exists(base + ['global-options', 'state-policy']):
+ for state in config.list_nodes(base + ['global-options', 'state-policy']):
+ if config.exists(base + ['global-options', 'state-policy', state, 'log']):
+ log_value = config.return_value(base + ['global-options', 'state-policy', state, 'log'])
+ config.delete(base + ['global-options', 'state-policy', state, 'log'])
+ if log_value == 'enable':
+ config.set(base + ['global-options', 'state-policy', state, 'log'])
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+ for family in ['ipv4', 'ipv6', 'bridge']:
+ if config.exists(base + [family]):
+ for hook in ['forward', 'input', 'output', 'name']:
+ if config.exists(base + [family, hook]):
+ for priority in config.list_nodes(base + [family, hook]):
+ if config.exists(base + [family, hook, priority, 'rule']):
+ for rule in config.list_nodes(base + [family, hook, priority, 'rule']):
+ # Log
+ if config.exists(base + [family, hook, priority, 'rule', rule, 'log']):
+ log_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'log'])
+ config.delete(base + [family, hook, priority, 'rule', rule, 'log'])
+ if log_value == 'enable':
+ config.set(base + [family, hook, priority, 'rule', rule, 'log'])
+ # State
+ if config.exists(base + [family, hook, priority, 'rule', rule, 'state']):
+ flag_enable = 'False'
+ for state in ['established', 'invalid', 'new', 'related']:
+ if config.exists(base + [family, hook, priority, 'rule', rule, 'state', state]):
+ state_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'state', state])
+ config.delete(base + [family, hook, priority, 'rule', rule, 'state', state])
+ if state_value == 'enable':
+ config.set(base + [family, hook, priority, 'rule', rule, 'state'], value=state, replace=False)
+ flag_enable = 'True'
+ if flag_enable == 'False':
+ config.delete(base + [family, hook, priority, 'rule', rule, 'state'])
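Review bot: `flag_enable` in the state block near the end of the hunk is a string-typed boolean (`'False'`/`'True'`, tested with `== 'False'`), which is easy to misread and easy to break with a typo; now that this is a function rather than a script it is worth switching to a real bool: `flag_enable = False`, `flag_enable = True`, `if not flag_enable:`. Behaviour is unchanged because the flag is never written to the tree. The `log_value == 'enable'` and `state_value == 'enable'` comparisons are different: those compare actual config values and should stay as strings.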
diff --git a/src/migration-scripts/firewall/13-to-14 b/src/migration-scripts/firewall/13-to-14
index f45ff0674..723b0aea2 100755..100644
--- a/src/migration-scripts/firewall/13-to-14
+++ b/src/migration-scripts/firewall/13-to-14
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
-# Copyright (C) 2023 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
# T5834: Rename 'enable-default-log' to 'default-log'
# From
@@ -22,38 +21,19 @@
# set firewall ... filter default-log
# set firewall ... name <name> default-log
-from sys import argv
-from sys import exit
-
from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
base = ['firewall']
-config = ConfigTree(config_file)
-
-if not config.exists(base):
- # Nothing to do
- exit(0)
-
-for family in ['ipv4', 'ipv6', 'bridge']:
- if config.exists(base + [family]):
- for hook in ['forward', 'input', 'output', 'name']:
- if config.exists(base + [family, hook]):
- for priority in config.list_nodes(base + [family, hook]):
- if config.exists(base + [family, hook, priority, 'enable-default-log']):
- config.rename(base + [family, hook, priority, 'enable-default-log'], 'default-log')
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base):
+ # Nothing to do
+ return
+
+ for family in ['ipv4', 'ipv6', 'bridge']:
+ if config.exists(base + [family]):
+ for hook in ['forward', 'input', 'output', 'name']:
+ if config.exists(base + [family, hook]):
+ for priority in config.list_nodes(base + [family, hook]):
+ if config.exists(base + [family, hook, priority, 'enable-default-log']):
+ config.rename(base + [family, hook, priority, 'enable-default-log'], 'default-log')
diff --git a/src/migration-scripts/firewall/14-to-15 b/src/migration-scripts/firewall/14-to-15
index 735839365..e4a2aaee4 100755..100644
--- a/src/migration-scripts/firewall/14-to-15
+++ b/src/migration-scripts/firewall/14-to-15
@@ -1,46 +1,25 @@
-#!/usr/bin/env python3
+# Copyright 2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
-# Copyright (C) 2022-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
# T5535: Migrate <set system ip disable-directed-broadcast> to <set firewall global-options directed-broadcas [enable|disable]
-from sys import argv
-from sys import exit
-
from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
-config = ConfigTree(config_file)
-
base = ['firewall']
-if config.exists(['system', 'ip', 'disable-directed-broadcast']):
- config.set(['firewall', 'global-options', 'directed-broadcast'], value='disable')
- config.delete(['system', 'ip', 'disable-directed-broadcast'])
-
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1) \ No newline at end of file
+def migrate(config: ConfigTree) -> None:
+ if config.exists(['system', 'ip', 'disable-directed-broadcast']):
+ config.set(['firewall', 'global-options', 'directed-broadcast'], value='disable')
+ config.delete(['system', 'ip', 'disable-directed-broadcast'])
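Review bot: The module-level `base = ['firewall']` kept on the new side is never used by `migrate`, which spells out `['firewall', 'global-options', 'directed-broadcast']` literally. Either drop `base` or build the path from it, `config.set(base + ['global-options', 'directed-broadcast'], value='disable')`, so the two lines cannot drift apart. A one-line docstring would also help: `"""T5535: move 'system ip disable-directed-broadcast' to 'firewall global-options directed-broadcast disable'."""`.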
diff --git a/src/migration-scripts/firewall/15-to-16 b/src/migration-scripts/firewall/15-to-16
index 28df1256e..8e28bba6f 100755..100644
--- a/src/migration-scripts/firewall/15-to-16
+++ b/src/migration-scripts/firewall/15-to-16
@@ -18,39 +18,20 @@
# from: set system conntrack timeout ..
# to: set firewall global-options timeout ...
-from sys import argv
-from sys import exit
-
from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
firewall_base = ['firewall', 'global-options']
conntrack_base = ['system', 'conntrack', 'timeout']
-config = ConfigTree(config_file)
-
-if not config.exists(conntrack_base):
- # Nothing to do
- exit(0)
-for protocol in ['icmp', 'tcp', 'udp', 'other']:
- if config.exists(conntrack_base + [protocol]):
- if not config.exists(firewall_base + ['timeout']):
- config.set(firewall_base + ['timeout'])
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(conntrack_base):
+ # Nothing to do
+ return
- config.copy(conntrack_base + [protocol], firewall_base + ['timeout', protocol])
- config.delete(conntrack_base + [protocol])
+ for protocol in ['icmp', 'tcp', 'udp', 'other']:
+ if config.exists(conntrack_base + [protocol]):
+ if not config.exists(firewall_base + ['timeout']):
+ config.set(firewall_base + ['timeout'])
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+ config.copy(conntrack_base + [protocol], firewall_base + ['timeout', protocol])
+ config.delete(conntrack_base + [protocol])
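Review bot: After every protocol is copied and deleted, the now-empty `system conntrack timeout` parent is left in place; if the target schema no longer has that node, the migrated config may fail to load, so consider `if not config.list_nodes(conntrack_base): config.delete(conntrack_base)` after the loop (I have not checked the schema, so confirm before adding). I have also not verified whether `config.copy` tolerates an existing destination; if it does not, a config that already carries `firewall global-options timeout <protocol>` would abort here, and an `if not config.exists(firewall_base + ['timeout', protocol])` guard would make the migration idempotent. A docstring such as `"""T5XXX: move 'system conntrack timeout <proto>' to 'firewall global-options timeout <proto>' for icmp/tcp/udp/other."""` (ticket id from the file header, outside this hunk) would complete the function.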
diff --git a/src/migration-scripts/firewall/5-to-6 b/src/migration-scripts/firewall/5-to-6
index e1eaea7a1..d01684787 100755..100644
--- a/src/migration-scripts/firewall/5-to-6
+++ b/src/migration-scripts/firewall/5-to-6
@@ -1,105 +1,85 @@
-#!/usr/bin/env python3
+# Copyright 2021-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
-# Copyright (C) 2021 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
# T3090: migrate "firewall options interface <name> adjust-mss" to the
# individual interface.
-from sys import argv
-from sys import exit
-
from vyos.configtree import ConfigTree
from vyos.ifconfig import Section
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
base = ['firewall', 'options', 'interface']
-config = ConfigTree(config_file)
-
-if not config.exists(base):
- # Nothing to do
- exit(0)
-
-for interface in config.list_nodes(base):
- if config.exists(base + [interface, 'disable']):
- continue
- if config.exists(base + [interface, 'adjust-mss']):
- section = Section.section(interface)
- tmp = config.return_value(base + [interface, 'adjust-mss'])
-
- vlan = interface.split('.')
- base_interface_path = ['interfaces', section, vlan[0]]
-
- if len(vlan) == 1:
- # Normal interface, no VLAN
- config.set(base_interface_path + ['ip', 'adjust-mss'], value=tmp)
- elif len(vlan) == 2:
- # Regular VIF or VIF-S interface - we need to check the config
- vif = vlan[1]
- if config.exists(base_interface_path + ['vif', vif]):
- config.set(base_interface_path + ['vif', vif, 'ip', 'adjust-mss'], value=tmp)
- elif config.exists(base_interface_path + ['vif-s', vif]):
- config.set(base_interface_path + ['vif-s', vif, 'ip', 'adjust-mss'], value=tmp)
- elif len(vlan) == 3:
- # VIF-S interface with VIF-C subinterface
- vif_s = vlan[1]
- vif_c = vlan[2]
- config.set(base_interface_path + ['vif-s', vif_s, 'vif-c', vif_c, 'ip', 'adjust-mss'], value=tmp)
- config.set_tag(base_interface_path + ['vif-s'])
- config.set_tag(base_interface_path + ['vif-s', vif_s, 'vif-c'])
-
- if config.exists(base + [interface, 'adjust-mss6']):
- section = Section.section(interface)
- tmp = config.return_value(base + [interface, 'adjust-mss6'])
-
- vlan = interface.split('.')
- base_interface_path = ['interfaces', section, vlan[0]]
-
- if len(vlan) == 1:
- # Normal interface, no VLAN
- config.set(['interfaces', section, interface, 'ipv6', 'adjust-mss'], value=tmp)
- elif len(vlan) == 2:
- # Regular VIF or VIF-S interface - we need to check the config
- vif = vlan[1]
- if config.exists(base_interface_path + ['vif', vif]):
- config.set(base_interface_path + ['vif', vif, 'ipv6', 'adjust-mss'], value=tmp)
- config.set_tag(base_interface_path + ['vif'])
- elif config.exists(base_interface_path + ['vif-s', vif]):
- config.set(base_interface_path + ['vif-s', vif, 'ipv6', 'adjust-mss'], value=tmp)
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base):
+ # Nothing to do
+ return
+
+ for interface in config.list_nodes(base):
+ if config.exists(base + [interface, 'disable']):
+ continue
+
+ if config.exists(base + [interface, 'adjust-mss']):
+ section = Section.section(interface)
+ tmp = config.return_value(base + [interface, 'adjust-mss'])
+
+ vlan = interface.split('.')
+ base_interface_path = ['interfaces', section, vlan[0]]
+
+ if len(vlan) == 1:
+ # Normal interface, no VLAN
+ config.set(base_interface_path + ['ip', 'adjust-mss'], value=tmp)
+ elif len(vlan) == 2:
+ # Regular VIF or VIF-S interface - we need to check the config
+ vif = vlan[1]
+ if config.exists(base_interface_path + ['vif', vif]):
+ config.set(base_interface_path + ['vif', vif, 'ip', 'adjust-mss'], value=tmp)
+ elif config.exists(base_interface_path + ['vif-s', vif]):
+ config.set(base_interface_path + ['vif-s', vif, 'ip', 'adjust-mss'], value=tmp)
+ elif len(vlan) == 3:
+ # VIF-S interface with VIF-C subinterface
+ vif_s = vlan[1]
+ vif_c = vlan[2]
+ config.set(base_interface_path + ['vif-s', vif_s, 'vif-c', vif_c, 'ip', 'adjust-mss'], value=tmp)
config.set_tag(base_interface_path + ['vif-s'])
- elif len(vlan) == 3:
- # VIF-S interface with VIF-C subinterface
- vif_s = vlan[1]
- vif_c = vlan[2]
- config.set(base_interface_path + ['vif-s', vif_s, 'vif-c', vif_c, 'ipv6', 'adjust-mss'], value=tmp)
- config.set_tag(base_interface_path + ['vif-s'])
- config.set_tag(base_interface_path + ['vif-s', vif_s, 'vif-c'])
-
-config.delete(['firewall', 'options'])
+ config.set_tag(base_interface_path + ['vif-s', vif_s, 'vif-c'])
+
+ if config.exists(base + [interface, 'adjust-mss6']):
+ section = Section.section(interface)
+ tmp = config.return_value(base + [interface, 'adjust-mss6'])
+
+ vlan = interface.split('.')
+ base_interface_path = ['interfaces', section, vlan[0]]
+
+ if len(vlan) == 1:
+ # Normal interface, no VLAN
+ config.set(['interfaces', section, interface, 'ipv6', 'adjust-mss'], value=tmp)
+ elif len(vlan) == 2:
+ # Regular VIF or VIF-S interface - we need to check the config
+ vif = vlan[1]
+ if config.exists(base_interface_path + ['vif', vif]):
+ config.set(base_interface_path + ['vif', vif, 'ipv6', 'adjust-mss'], value=tmp)
+ config.set_tag(base_interface_path + ['vif'])
+ elif config.exists(base_interface_path + ['vif-s', vif]):
+ config.set(base_interface_path + ['vif-s', vif, 'ipv6', 'adjust-mss'], value=tmp)
+ config.set_tag(base_interface_path + ['vif-s'])
+ elif len(vlan) == 3:
+ # VIF-S interface with VIF-C subinterface
+ vif_s = vlan[1]
+ vif_c = vlan[2]
+ config.set(base_interface_path + ['vif-s', vif_s, 'vif-c', vif_c, 'ipv6', 'adjust-mss'], value=tmp)
+ config.set_tag(base_interface_path + ['vif-s'])
+ config.set_tag(base_interface_path + ['vif-s', vif_s, 'vif-c'])
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+ config.delete(['firewall', 'options'])
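Review bot: The `adjust-mss` and `adjust-mss6` branches of `migrate` are near-verbatim copies but tag the parent nodes differently: the IPv6 path calls `config.set_tag(base_interface_path + ['vif'])` and `config.set_tag(base_interface_path + ['vif-s'])` for the two-label case, while the IPv4 path does neither for `vif` or `vif-s` on its two-label branch. Since both branches require the `vif`/`vif-s` node to already exist, the extra tags are probably harmless, but the asymmetry makes a reader suspect a bug; pick one behaviour for both and, ideally, move the shared path-resolution and `set` into one private helper parameterised by `'ip'`/`'ipv6'` so the duplication disappears. A docstring stating that disabled entries are skipped and the whole `firewall options` subtree is deleted at the end would also be worth adding, because that final `config.delete(['firewall', 'options'])` silently discards the skipped `disable` entries.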
diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7
index 938044c6d..1afbc780b 100755..100644
--- a/src/migration-scripts/firewall/6-to-7
+++ b/src/migration-scripts/firewall/6-to-7
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2021-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
-# Copyright (C) 2021-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
# T2199: Remove unavailable nodes due to XML/Python implementation using nftables
# monthdays: nftables does not have a monthdays equivalent
@@ -23,28 +22,11 @@
import re
-from sys import argv
-from sys import exit
-
from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
max_len_description = 255
base = ['firewall']
-config = ConfigTree(config_file)
-
-if not config.exists(base):
- # Nothing to do
- exit(0)
icmp_remove = ['any']
icmp_translations = {
@@ -107,216 +89,216 @@ icmpv6_translations = {
'unknown-option': [4, 2]
}
-v4_found = False
-v6_found = False
v4_groups = ["address-group", "network-group", "port-group"]
v6_groups = ["ipv6-address-group", "ipv6-network-group", "port-group"]
-translated_dict = {}
-if config.exists(base + ['group']):
- for group_type in config.list_nodes(base + ['group']):
- for group_name in config.list_nodes(base + ['group', group_type]):
- name_description = base + ['group', group_type, group_name, 'description']
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base):
+ # Nothing to do
+ return
+
+ v4_found = False
+ v6_found = False
+ translated_dict = {}
+
+ if config.exists(base + ['group']):
+ for group_type in config.list_nodes(base + ['group']):
+ for group_name in config.list_nodes(base + ['group', group_type]):
+ name_description = base + ['group', group_type, group_name, 'description']
+ if config.exists(name_description):
+ tmp = config.return_value(name_description)
+ config.set(name_description, value=tmp[:max_len_description])
+ if '+' in group_name:
+ replacement_string = "_"
+ if group_type in v4_groups and not v4_found:
+ v4_found = True
+ if group_type in v6_groups and not v6_found:
+ v6_found = True
+ new_group_name = group_name.replace('+', replacement_string)
+ while config.exists(base + ['group', group_type, new_group_name]):
+ replacement_string = replacement_string + "_"
+ new_group_name = group_name.replace('+', replacement_string)
+ translated_dict[group_name] = new_group_name
+ config.copy(base + ['group', group_type, group_name], base + ['group', group_type, new_group_name])
+ config.delete(base + ['group', group_type, group_name])
+
+ if config.exists(base + ['name']):
+ for name in config.list_nodes(base + ['name']):
+ name_description = base + ['name', name, 'description']
if config.exists(name_description):
tmp = config.return_value(name_description)
config.set(name_description, value=tmp[:max_len_description])
- if '+' in group_name:
- replacement_string = "_"
- if group_type in v4_groups and not v4_found:
- v4_found = True
- if group_type in v6_groups and not v6_found:
- v6_found = True
- new_group_name = group_name.replace('+', replacement_string)
- while config.exists(base + ['group', group_type, new_group_name]):
- replacement_string = replacement_string + "_"
- new_group_name = group_name.replace('+', replacement_string)
- translated_dict[group_name] = new_group_name
- config.copy(base + ['group', group_type, group_name], base + ['group', group_type, new_group_name])
- config.delete(base + ['group', group_type, group_name])
-
-if config.exists(base + ['name']):
- for name in config.list_nodes(base + ['name']):
- name_description = base + ['name', name, 'description']
- if config.exists(name_description):
- tmp = config.return_value(name_description)
- config.set(name_description, value=tmp[:max_len_description])
-
- if not config.exists(base + ['name', name, 'rule']):
- continue
-
- for rule in config.list_nodes(base + ['name', name, 'rule']):
- rule_description = base + ['name', name, 'rule', rule, 'description']
- if config.exists(rule_description):
- tmp = config.return_value(rule_description)
- config.set(rule_description, value=tmp[:max_len_description])
-
- rule_recent = base + ['name', name, 'rule', rule, 'recent']
- rule_time = base + ['name', name, 'rule', rule, 'time']
- rule_tcp_flags = base + ['name', name, 'rule', rule, 'tcp', 'flags']
- rule_icmp = base + ['name', name, 'rule', rule, 'icmp']
-
- if config.exists(rule_time + ['monthdays']):
- config.delete(rule_time + ['monthdays'])
-
- if config.exists(rule_time + ['utc']):
- config.delete(rule_time + ['utc'])
-
- if config.exists(rule_recent + ['time']):
- tmp = int(config.return_value(rule_recent + ['time']))
- unit = 'minute'
- if tmp > 600:
- unit = 'hour'
- elif tmp < 10:
- unit = 'second'
- config.set(rule_recent + ['time'], value=unit)
-
- if config.exists(rule_tcp_flags):
- tmp = config.return_value(rule_tcp_flags)
- config.delete(rule_tcp_flags)
- for flag in tmp.split(","):
- if flag[0] == '!':
- config.set(rule_tcp_flags + ['not', flag[1:].lower()])
- else:
- config.set(rule_tcp_flags + [flag.lower()])
-
- if config.exists(rule_icmp + ['type-name']):
- tmp = config.return_value(rule_icmp + ['type-name'])
- if tmp in icmp_remove:
- config.delete(rule_icmp + ['type-name'])
- elif tmp in icmp_translations:
- translate = icmp_translations[tmp]
- if isinstance(translate, str):
- config.set(rule_icmp + ['type-name'], value=translate)
- elif isinstance(translate, list):
+
+ if not config.exists(base + ['name', name, 'rule']):
+ continue
+
+ for rule in config.list_nodes(base + ['name', name, 'rule']):
+ rule_description = base + ['name', name, 'rule', rule, 'description']
+ if config.exists(rule_description):
+ tmp = config.return_value(rule_description)
+ config.set(rule_description, value=tmp[:max_len_description])
+
+ rule_recent = base + ['name', name, 'rule', rule, 'recent']
+ rule_time = base + ['name', name, 'rule', rule, 'time']
+ rule_tcp_flags = base + ['name', name, 'rule', rule, 'tcp', 'flags']
+ rule_icmp = base + ['name', name, 'rule', rule, 'icmp']
+
+ if config.exists(rule_time + ['monthdays']):
+ config.delete(rule_time + ['monthdays'])
+
+ if config.exists(rule_time + ['utc']):
+ config.delete(rule_time + ['utc'])
+
+ if config.exists(rule_recent + ['time']):
+ tmp = int(config.return_value(rule_recent + ['time']))
+ unit = 'minute'
+ if tmp > 600:
+ unit = 'hour'
+ elif tmp < 10:
+ unit = 'second'
+ config.set(rule_recent + ['time'], value=unit)
+
+ if config.exists(rule_tcp_flags):
+ tmp = config.return_value(rule_tcp_flags)
+ config.delete(rule_tcp_flags)
+ for flag in tmp.split(","):
+ if flag[0] == '!':
+ config.set(rule_tcp_flags + ['not', flag[1:].lower()])
+ else:
+ config.set(rule_tcp_flags + [flag.lower()])
+
+ if config.exists(rule_icmp + ['type-name']):
+ tmp = config.return_value(rule_icmp + ['type-name'])
+ if tmp in icmp_remove:
config.delete(rule_icmp + ['type-name'])
- config.set(rule_icmp + ['type'], value=translate[0])
- config.set(rule_icmp + ['code'], value=translate[1])
-
- for direction in ['destination', 'source']:
- if config.exists(base + ['name', name, 'rule', rule, direction]):
- if config.exists(base + ['name', name, 'rule', rule, direction, 'group']) and v4_found:
- for group_type in config.list_nodes(base + ['name', name, 'rule', rule, direction, 'group']):
- group_name = config.return_value(base + ['name', name, 'rule', rule, direction, 'group', group_type])
- if '+' in group_name:
- if group_name[0] == "!":
- new_group_name = "!" + translated_dict[group_name[1:]]
- else:
- new_group_name = translated_dict[group_name]
- config.set(base + ['name', name, 'rule', rule, direction, 'group', group_type], value=new_group_name)
-
- pg_base = base + ['name', name, 'rule', rule, direction, 'group', 'port-group']
- proto_base = base + ['name', name, 'rule', rule, 'protocol']
- if config.exists(pg_base) and not config.exists(proto_base):
- config.set(proto_base, value='tcp_udp')
-
- if '+' in name:
- replacement_string = "_"
- new_name = name.replace('+', replacement_string)
- while config.exists(base + ['name', new_name]):
- replacement_string = replacement_string + "_"
+ elif tmp in icmp_translations:
+ translate = icmp_translations[tmp]
+ if isinstance(translate, str):
+ config.set(rule_icmp + ['type-name'], value=translate)
+ elif isinstance(translate, list):
+ config.delete(rule_icmp + ['type-name'])
+ config.set(rule_icmp + ['type'], value=translate[0])
+ config.set(rule_icmp + ['code'], value=translate[1])
+
+ for direction in ['destination', 'source']:
+ if config.exists(base + ['name', name, 'rule', rule, direction]):
+ if config.exists(base + ['name', name, 'rule', rule, direction, 'group']) and v4_found:
+ for group_type in config.list_nodes(base + ['name', name, 'rule', rule, direction, 'group']):
+ group_name = config.return_value(base + ['name', name, 'rule', rule, direction, 'group', group_type])
+ if '+' in group_name:
+ if group_name[0] == "!":
+ new_group_name = "!" + translated_dict[group_name[1:]]
+ else:
+ new_group_name = translated_dict[group_name]
+ config.set(base + ['name', name, 'rule', rule, direction, 'group', group_type], value=new_group_name)
+
+ pg_base = base + ['name', name, 'rule', rule, direction, 'group', 'port-group']
+ proto_base = base + ['name', name, 'rule', rule, 'protocol']
+ if config.exists(pg_base) and not config.exists(proto_base):
+ config.set(proto_base, value='tcp_udp')
+
+ if '+' in name:
+ replacement_string = "_"
new_name = name.replace('+', replacement_string)
- config.copy(base + ['name', name], base + ['name', new_name])
- config.delete(base + ['name', name])
-
-if config.exists(base + ['ipv6-name']):
- for name in config.list_nodes(base + ['ipv6-name']):
- name_description = base + ['ipv6-name', name, 'description']
- if config.exists(name_description):
- tmp = config.return_value(name_description)
- config.set(name_description, value=tmp[:max_len_description])
-
- if not config.exists(base + ['ipv6-name', name, 'rule']):
- continue
-
- for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']):
- rule_description = base + ['ipv6-name', name, 'rule', rule, 'description']
- if config.exists(rule_description):
- tmp = config.return_value(rule_description)
- config.set(rule_description, value=tmp[:max_len_description])
-
- rule_recent = base + ['ipv6-name', name, 'rule', rule, 'recent']
- rule_time = base + ['ipv6-name', name, 'rule', rule, 'time']
- rule_tcp_flags = base + ['ipv6-name', name, 'rule', rule, 'tcp', 'flags']
- rule_icmp = base + ['ipv6-name', name, 'rule', rule, 'icmpv6']
-
- if config.exists(rule_time + ['monthdays']):
- config.delete(rule_time + ['monthdays'])
-
- if config.exists(rule_time + ['utc']):
- config.delete(rule_time + ['utc'])
-
- if config.exists(rule_recent + ['time']):
- tmp = int(config.return_value(rule_recent + ['time']))
- unit = 'minute'
- if tmp > 600:
- unit = 'hour'
- elif tmp < 10:
- unit = 'second'
- config.set(rule_recent + ['time'], value=unit)
-
- if config.exists(rule_tcp_flags):
- tmp = config.return_value(rule_tcp_flags)
- config.delete(rule_tcp_flags)
- for flag in tmp.split(","):
- if flag[0] == '!':
- config.set(rule_tcp_flags + ['not', flag[1:].lower()])
- else:
- config.set(rule_tcp_flags + [flag.lower()])
-
- if config.exists(base + ['ipv6-name', name, 'rule', rule, 'protocol']):
- tmp = config.return_value(base + ['ipv6-name', name, 'rule', rule, 'protocol'])
- if tmp == 'icmpv6':
- config.set(base + ['ipv6-name', name, 'rule', rule, 'protocol'], value='ipv6-icmp')
-
- if config.exists(rule_icmp + ['type']):
- tmp = config.return_value(rule_icmp + ['type'])
- type_code_match = re.match(r'^(\d+)(?:/(\d+))?$', tmp)
-
- if type_code_match:
- config.set(rule_icmp + ['type'], value=type_code_match[1])
- if type_code_match[2]:
- config.set(rule_icmp + ['code'], value=type_code_match[2])
- elif tmp in icmpv6_remove:
- config.delete(rule_icmp + ['type'])
- elif tmp in icmpv6_translations:
- translate = icmpv6_translations[tmp]
- if isinstance(translate, str):
+ while config.exists(base + ['name', new_name]):
+ replacement_string = replacement_string + "_"
+ new_name = name.replace('+', replacement_string)
+ config.copy(base + ['name', name], base + ['name', new_name])
+ config.delete(base + ['name', name])
+
+ if config.exists(base + ['ipv6-name']):
+ for name in config.list_nodes(base + ['ipv6-name']):
+ name_description = base + ['ipv6-name', name, 'description']
+ if config.exists(name_description):
+ tmp = config.return_value(name_description)
+ config.set(name_description, value=tmp[:max_len_description])
+
+ if not config.exists(base + ['ipv6-name', name, 'rule']):
+ continue
+
+ for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']):
+ rule_description = base + ['ipv6-name', name, 'rule', rule, 'description']
+ if config.exists(rule_description):
+ tmp = config.return_value(rule_description)
+ config.set(rule_description, value=tmp[:max_len_description])
+
+ rule_recent = base + ['ipv6-name', name, 'rule', rule, 'recent']
+ rule_time = base + ['ipv6-name', name, 'rule', rule, 'time']
+ rule_tcp_flags = base + ['ipv6-name', name, 'rule', rule, 'tcp', 'flags']
+ rule_icmp = base + ['ipv6-name', name, 'rule', rule, 'icmpv6']
+
+ if config.exists(rule_time + ['monthdays']):
+ config.delete(rule_time + ['monthdays'])
+
+ if config.exists(rule_time + ['utc']):
+ config.delete(rule_time + ['utc'])
+
+ if config.exists(rule_recent + ['time']):
+ tmp = int(config.return_value(rule_recent + ['time']))
+ unit = 'minute'
+ if tmp > 600:
+ unit = 'hour'
+ elif tmp < 10:
+ unit = 'second'
+ config.set(rule_recent + ['time'], value=unit)
+
+ if config.exists(rule_tcp_flags):
+ tmp = config.return_value(rule_tcp_flags)
+ config.delete(rule_tcp_flags)
+ for flag in tmp.split(","):
+ if flag[0] == '!':
+ config.set(rule_tcp_flags + ['not', flag[1:].lower()])
+ else:
+ config.set(rule_tcp_flags + [flag.lower()])
+
+ if config.exists(base + ['ipv6-name', name, 'rule', rule, 'protocol']):
+ tmp = config.return_value(base + ['ipv6-name', name, 'rule', rule, 'protocol'])
+ if tmp == 'icmpv6':
+ config.set(base + ['ipv6-name', name, 'rule', rule, 'protocol'], value='ipv6-icmp')
+
+ if config.exists(rule_icmp + ['type']):
+ tmp = config.return_value(rule_icmp + ['type'])
+ type_code_match = re.match(r'^(\d+)(?:/(\d+))?$', tmp)
+
+ if type_code_match:
+ config.set(rule_icmp + ['type'], value=type_code_match[1])
+ if type_code_match[2]:
+ config.set(rule_icmp + ['code'], value=type_code_match[2])
+ elif tmp in icmpv6_remove:
config.delete(rule_icmp + ['type'])
- config.set(rule_icmp + ['type-name'], value=translate)
- elif isinstance(translate, list):
- config.set(rule_icmp + ['type'], value=translate[0])
- config.set(rule_icmp + ['code'], value=translate[1])
- else:
- config.rename(rule_icmp + ['type'], 'type-name')
-
- for direction in ['destination', 'source']:
- if config.exists(base + ['ipv6-name', name, 'rule', rule, direction]):
- if config.exists(base + ['ipv6-name', name, 'rule', rule, direction, 'group']) and v6_found:
- for group_type in config.list_nodes(base + ['ipv6-name', name, 'rule', rule, direction, 'group']):
- group_name = config.return_value(base + ['ipv6-name', name, 'rule', rule, direction, 'group', group_type])
- if '+' in group_name:
- if group_name[0] == "!":
- new_group_name = "!" + translated_dict[group_name[1:]]
- else:
- new_group_name = translated_dict[group_name]
- config.set(base + ['ipv6-name', name, 'rule', rule, direction, 'group', group_type], value=new_group_name)
-
- pg_base = base + ['ipv6-name', name, 'rule', rule, direction, 'group', 'port-group']
- proto_base = base + ['ipv6-name', name, 'rule', rule, 'protocol']
- if config.exists(pg_base) and not config.exists(proto_base):
- config.set(proto_base, value='tcp_udp')
-
- if '+' in name:
- replacement_string = "_"
- new_name = name.replace('+', replacement_string)
- while config.exists(base + ['ipv6-name', new_name]):
- replacement_string = replacement_string + "_"
+ elif tmp in icmpv6_translations:
+ translate = icmpv6_translations[tmp]
+ if isinstance(translate, str):
+ config.delete(rule_icmp + ['type'])
+ config.set(rule_icmp + ['type-name'], value=translate)
+ elif isinstance(translate, list):
+ config.set(rule_icmp + ['type'], value=translate[0])
+ config.set(rule_icmp + ['code'], value=translate[1])
+ else:
+ config.rename(rule_icmp + ['type'], 'type-name')
+
+ for direction in ['destination', 'source']:
+ if config.exists(base + ['ipv6-name', name, 'rule', rule, direction]):
+ if config.exists(base + ['ipv6-name', name, 'rule', rule, direction, 'group']) and v6_found:
+ for group_type in config.list_nodes(base + ['ipv6-name', name, 'rule', rule, direction, 'group']):
+ group_name = config.return_value(base + ['ipv6-name', name, 'rule', rule, direction, 'group', group_type])
+ if '+' in group_name:
+ if group_name[0] == "!":
+ new_group_name = "!" + translated_dict[group_name[1:]]
+ else:
+ new_group_name = translated_dict[group_name]
+ config.set(base + ['ipv6-name', name, 'rule', rule, direction, 'group', group_type], value=new_group_name)
+
+ pg_base = base + ['ipv6-name', name, 'rule', rule, direction, 'group', 'port-group']
+ proto_base = base + ['ipv6-name', name, 'rule', rule, 'protocol']
+ if config.exists(pg_base) and not config.exists(proto_base):
+ config.set(proto_base, value='tcp_udp')
+
+ if '+' in name:
+ replacement_string = "_"
new_name = name.replace('+', replacement_string)
- config.copy(base + ['ipv6-name', name], base + ['ipv6-name', new_name])
- config.delete(base + ['ipv6-name', name])
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+ while config.exists(base + ['ipv6-name', new_name]):
+ replacement_string = replacement_string + "_"
+ new_name = name.replace('+', replacement_string)
+ config.copy(base + ['ipv6-name', name], base + ['ipv6-name', new_name])
+ config.delete(base + ['ipv6-name', name])
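Review bot: The group-reference rewrite at `new_group_name = "!" + translated_dict[group_name[1:]]` / `new_group_name = translated_dict[group_name]` indexes the dict directly, so a rule that references a `+` group name with no matching entry under `firewall group` (a dangling reference, or a v6 group named from a v4 rule) raises `KeyError` and aborts the whole migration instead of leaving that one value untouched. Using `translated_dict.get(group_name[1:], group_name[1:])` and `translated_dict.get(group_name, group_name)` keeps the rename for known groups and degrades gracefully for unknown ones; the same two lines appear again in the `ipv6-name` loop further down this hunk. Similar fragility exists in `flag[0] == '!'` on an empty element from a trailing comma in `tcp flags` and in `int(config.return_value(rule_recent + ['time']))` on a non-numeric value, though those inputs come from a previously validated config and are less likely. A docstring summarising the five transformations (description truncation, `+` renaming, time/monthdays removal, tcp-flag and icmp translation) would make this 300-line function approachable.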
diff --git a/src/migration-scripts/firewall/7-to-8 b/src/migration-scripts/firewall/7-to-8
index 17af0f355..b8bcc52cc 100755..100644
--- a/src/migration-scripts/firewall/7-to-8
+++ b/src/migration-scripts/firewall/7-to-8
@@ -1,43 +1,25 @@
-#!/usr/bin/env python3
+# Copyright 2022-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
-# Copyright (C) 2022-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
# T2199: Migrate interface firewall nodes to firewall interfaces <ifname> <direction> name/ipv6-name <name>
# T2199: Migrate zone-policy to firewall node
-from sys import argv
-from sys import exit
-
from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
base = ['firewall']
zone_base = ['zone-policy']
-config = ConfigTree(config_file)
-
-if not config.exists(base) and not config.exists(zone_base):
- # Nothing to do
- exit(0)
def migrate_interface(config, iftype, ifname, vif=None, vifs=None, vifc=None):
if_path = ['interfaces', iftype, ifname]
@@ -63,39 +45,37 @@ def migrate_interface(config, iftype, ifname, vif=None, vifs=None, vifc=None):
config.copy(if_path + ['firewall'], ['firewall', 'interface', ifname_full])
config.delete(if_path + ['firewall'])
-for iftype in config.list_nodes(['interfaces']):
- for ifname in config.list_nodes(['interfaces', iftype]):
- migrate_interface(config, iftype, ifname)
-
- if config.exists(['interfaces', iftype, ifname, 'vif']):
- for vif in config.list_nodes(['interfaces', iftype, ifname, 'vif']):
- migrate_interface(config, iftype, ifname, vif=vif)
-
- if config.exists(['interfaces', iftype, ifname, 'vif-s']):
- for vifs in config.list_nodes(['interfaces', iftype, ifname, 'vif-s']):
- migrate_interface(config, iftype, ifname, vifs=vifs)
-
- if config.exists(['interfaces', iftype, ifname, 'vif-s', vifs, 'vif-c']):
- for vifc in config.list_nodes(['interfaces', iftype, ifname, 'vif-s', vifs, 'vif-c']):
- migrate_interface(config, iftype, ifname, vifs=vifs, vifc=vifc)
-
-if config.exists(zone_base + ['zone']):
- config.set(['firewall', 'zone'])
- config.set_tag(['firewall', 'zone'])
-
- for zone in config.list_nodes(zone_base + ['zone']):
- if 'interface' in config.list_nodes(zone_base + ['zone', zone]):
- for iface in config.return_values(zone_base + ['zone', zone, 'interface']):
- if '+' in iface:
- config.delete_value(zone_base + ['zone', zone, 'interface'], value=iface)
- iface = iface.replace('+', '*')
- config.set(zone_base + ['zone', zone, 'interface'], value=iface, replace=False)
- config.copy(zone_base + ['zone', zone], ['firewall', 'zone', zone])
- config.delete(zone_base)
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base) and not config.exists(zone_base):
+ # Nothing to do
+ return
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+ for iftype in config.list_nodes(['interfaces']):
+ for ifname in config.list_nodes(['interfaces', iftype]):
+ migrate_interface(config, iftype, ifname)
+
+ if config.exists(['interfaces', iftype, ifname, 'vif']):
+ for vif in config.list_nodes(['interfaces', iftype, ifname, 'vif']):
+ migrate_interface(config, iftype, ifname, vif=vif)
+
+ if config.exists(['interfaces', iftype, ifname, 'vif-s']):
+ for vifs in config.list_nodes(['interfaces', iftype, ifname, 'vif-s']):
+ migrate_interface(config, iftype, ifname, vifs=vifs)
+
+ if config.exists(['interfaces', iftype, ifname, 'vif-s', vifs, 'vif-c']):
+ for vifc in config.list_nodes(['interfaces', iftype, ifname, 'vif-s', vifs, 'vif-c']):
+ migrate_interface(config, iftype, ifname, vifs=vifs, vifc=vifc)
+
+ if config.exists(zone_base + ['zone']):
+ config.set(['firewall', 'zone'])
+ config.set_tag(['firewall', 'zone'])
+
+ for zone in config.list_nodes(zone_base + ['zone']):
+ if 'interface' in config.list_nodes(zone_base + ['zone', zone]):
+ for iface in config.return_values(zone_base + ['zone', zone, 'interface']):
+ if '+' in iface:
+ config.delete_value(zone_base + ['zone', zone, 'interface'], value=iface)
+ iface = iface.replace('+', '*')
+ config.set(zone_base + ['zone', zone, 'interface'], value=iface, replace=False)
+ config.copy(zone_base + ['zone', zone], ['firewall', 'zone', zone])
+ config.delete(zone_base) \ No newline at end of file
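Review bot: The guard at the top of migrate() returns early only when neither `firewall` nor `zone-policy` exists, but the very next statement walks `config.list_nodes(['interfaces'])` unconditionally; on a config that has a firewall section but no `interfaces` node, list_nodes on a missing path raises a ConfigTreeError rather than yielding an empty list (as far as I recall of ConfigTree), so the whole migration would abort instead of doing nothing. Guard the interface walk with `if config.exists(['interfaces']):` placed before the `for iftype in config.list_nodes(['interfaces']):` loop, indenting that loop under it. This behaviour is carried over from the script form, but now that the body is a plain function called by the migration runner it is the right place to close the gap. migrate_interface's body starts outside this hunk, and the file now ends without a trailing newline after `config.delete(zone_base)`.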
diff --git a/src/migration-scripts/firewall/8-to-9 b/src/migration-scripts/firewall/8-to-9
index 6e019beb2..3c9e84662 100755..100644
--- a/src/migration-scripts/firewall/8-to-9
+++ b/src/migration-scripts/firewall/8-to-9
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2022-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
-# Copyright (C) 2022-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
# T4780: Add firewall interface group
# cli changes from:
@@ -20,69 +19,50 @@
# To
# set firewall [name | ipv6-name] <name> rule <number> [inbound-interface | outbound-interface] [interface-name | interface-group] <interface_name | interface_group>
-from sys import argv
-from sys import exit
-
from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
base = ['firewall']
-config = ConfigTree(config_file)
-
-if not config.exists(base):
- # Nothing to do
- exit(0)
-
-if config.exists(base + ['name']):
- for name in config.list_nodes(base + ['name']):
- if not config.exists(base + ['name', name, 'rule']):
- continue
-
- for rule in config.list_nodes(base + ['name', name, 'rule']):
- rule_iiface = base + ['name', name, 'rule', rule, 'inbound-interface']
- rule_oiface = base + ['name', name, 'rule', rule, 'outbound-interface']
-
- if config.exists(rule_iiface):
- tmp = config.return_value(rule_iiface)
- config.delete(rule_iiface)
- config.set(rule_iiface + ['interface-name'], value=tmp)
-
- if config.exists(rule_oiface):
- tmp = config.return_value(rule_oiface)
- config.delete(rule_oiface)
- config.set(rule_oiface + ['interface-name'], value=tmp)
-
-
-if config.exists(base + ['ipv6-name']):
- for name in config.list_nodes(base + ['ipv6-name']):
- if not config.exists(base + ['ipv6-name', name, 'rule']):
- continue
-
- for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']):
- rule_iiface = base + ['ipv6-name', name, 'rule', rule, 'inbound-interface']
- rule_oiface = base + ['ipv6-name', name, 'rule', rule, 'outbound-interface']
-
- if config.exists(rule_iiface):
- tmp = config.return_value(rule_iiface)
- config.delete(rule_iiface)
- config.set(rule_iiface + ['interface-name'], value=tmp)
-
- if config.exists(rule_oiface):
- tmp = config.return_value(rule_oiface)
- config.delete(rule_oiface)
- config.set(rule_oiface + ['interface-name'], value=tmp)
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base):
+ # Nothing to do
+ return
+
+ if config.exists(base + ['name']):
+ for name in config.list_nodes(base + ['name']):
+ if not config.exists(base + ['name', name, 'rule']):
+ continue
+
+ for rule in config.list_nodes(base + ['name', name, 'rule']):
+ rule_iiface = base + ['name', name, 'rule', rule, 'inbound-interface']
+ rule_oiface = base + ['name', name, 'rule', rule, 'outbound-interface']
+
+ if config.exists(rule_iiface):
+ tmp = config.return_value(rule_iiface)
+ config.delete(rule_iiface)
+ config.set(rule_iiface + ['interface-name'], value=tmp)
+
+ if config.exists(rule_oiface):
+ tmp = config.return_value(rule_oiface)
+ config.delete(rule_oiface)
+ config.set(rule_oiface + ['interface-name'], value=tmp)
+
+
+ if config.exists(base + ['ipv6-name']):
+ for name in config.list_nodes(base + ['ipv6-name']):
+ if not config.exists(base + ['ipv6-name', name, 'rule']):
+ continue
+
+ for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']):
+ rule_iiface = base + ['ipv6-name', name, 'rule', rule, 'inbound-interface']
+ rule_oiface = base + ['ipv6-name', name, 'rule', rule, 'outbound-interface']
+
+ if config.exists(rule_iiface):
+ tmp = config.return_value(rule_iiface)
+ config.delete(rule_iiface)
+ config.set(rule_iiface + ['interface-name'], value=tmp)
+
+ if config.exists(rule_oiface):
+ tmp = config.return_value(rule_oiface)
+ config.delete(rule_oiface)
+ config.set(rule_oiface + ['interface-name'], value=tmp)
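Review bot: The `name` and `ipv6-name` branches of migrate() are line-for-line identical apart from the family key, and within each branch the inbound/outbound handling is duplicated again; four copies of the same delete-then-set sequence invite the two address families to drift the next time one of them is touched. Collapse them into one loop over `('name', 'ipv6-name')` and one over `('inbound-interface', 'outbound-interface')`, which performs exactly the same return_value/delete/set calls on the same paths. The early `return` when `firewall` is absent and the `continue` when a name has no `rule` node are kept as they are.
```python
def migrate(config: ConfigTree) -> None:
    if not config.exists(base):
        # Nothing to do
        return

    # Same rewrite for the IPv4 ('name') and IPv6 ('ipv6-name') rule sets
    for family in ('name', 'ipv6-name'):
        if not config.exists(base + [family]):
            continue
        for name in config.list_nodes(base + [family]):
            rule_base = base + [family, name, 'rule']
            if not config.exists(rule_base):
                continue
            for rule in config.list_nodes(rule_base):
                for direction in ('inbound-interface', 'outbound-interface'):
                    rule_iface = rule_base + [rule, direction]
                    if config.exists(rule_iface):
                        tmp = config.return_value(rule_iface)
                        config.delete(rule_iface)
                        config.set(rule_iface + ['interface-name'], value=tmp)
```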
diff --git a/src/migration-scripts/firewall/9-to-10 b/src/migration-scripts/firewall/9-to-10
index ce509a731..306a53a86 100755..100644
--- a/src/migration-scripts/firewall/9-to-10
+++ b/src/migration-scripts/firewall/9-to-10
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
#
-# Copyright (C) 2023-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
# T5050: Log options
# cli changes from:
@@ -20,58 +19,39 @@
# To
# set firewall [name | ipv6-name] <name> rule <number> log-options level <log_level>
-from sys import argv
-from sys import exit
-
from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
base = ['firewall']
-config = ConfigTree(config_file)
-
-if not config.exists(base):
- # Nothing to do
- exit(0)
-
-if config.exists(base + ['name']):
- for name in config.list_nodes(base + ['name']):
- if not config.exists(base + ['name', name, 'rule']):
- continue
-
- for rule in config.list_nodes(base + ['name', name, 'rule']):
- log_options_base = base + ['name', name, 'rule', rule, 'log-options']
- rule_log_level = base + ['name', name, 'rule', rule, 'log-level']
-
- if config.exists(rule_log_level):
- tmp = config.return_value(rule_log_level)
- config.delete(rule_log_level)
- config.set(log_options_base + ['level'], value=tmp)
-
-if config.exists(base + ['ipv6-name']):
- for name in config.list_nodes(base + ['ipv6-name']):
- if not config.exists(base + ['ipv6-name', name, 'rule']):
- continue
-
- for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']):
- log_options_base = base + ['ipv6-name', name, 'rule', rule, 'log-options']
- rule_log_level = base + ['ipv6-name', name, 'rule', rule, 'log-level']
-
- if config.exists(rule_log_level):
- tmp = config.return_value(rule_log_level)
- config.delete(rule_log_level)
- config.set(log_options_base + ['level'], value=tmp)
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(base):
+ # Nothing to do
+ return
+
+ if config.exists(base + ['name']):
+ for name in config.list_nodes(base + ['name']):
+ if not config.exists(base + ['name', name, 'rule']):
+ continue
+
+ for rule in config.list_nodes(base + ['name', name, 'rule']):
+ log_options_base = base + ['name', name, 'rule', rule, 'log-options']
+ rule_log_level = base + ['name', name, 'rule', rule, 'log-level']
+
+ if config.exists(rule_log_level):
+ tmp = config.return_value(rule_log_level)
+ config.delete(rule_log_level)
+ config.set(log_options_base + ['level'], value=tmp)
+
+ if config.exists(base + ['ipv6-name']):
+ for name in config.list_nodes(base + ['ipv6-name']):
+ if not config.exists(base + ['ipv6-name', name, 'rule']):
+ continue
+
+ for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']):
+ log_options_base = base + ['ipv6-name', name, 'rule', rule, 'log-options']
+ rule_log_level = base + ['ipv6-name', name, 'rule', rule, 'log-level']
+
+ if config.exists(rule_log_level):
+ tmp = config.return_value(rule_log_level)
+ config.delete(rule_log_level)
+ config.set(log_options_base + ['level'], value=tmp)
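Review bot: migrate() repeats the whole `log-level` to `log-options level` rewrite once for `name` and once for `ipv6-name`, with only the family key differing between the two blocks, so any later fix has to be applied twice and can easily land in only one of them. A single loop over `('name', 'ipv6-name')` issues the same exists/return_value/delete/set calls on the same paths and halves the code. The `return` when `firewall` is absent and the `continue` for names without a `rule` node stay unchanged; I am reading the closing `config.set(... 'level' ...)` as the end of the function, since nothing follows it in this hunk.
```python
def migrate(config: ConfigTree) -> None:
    if not config.exists(base):
        # Nothing to do
        return

    # The IPv4 ('name') and IPv6 ('ipv6-name') rule sets get the same rewrite
    for family in ('name', 'ipv6-name'):
        if not config.exists(base + [family]):
            continue
        for name in config.list_nodes(base + [family]):
            rule_base = base + [family, name, 'rule']
            if not config.exists(rule_base):
                continue
            for rule in config.list_nodes(rule_base):
                rule_log_level = rule_base + [rule, 'log-level']
                if config.exists(rule_log_level):
                    tmp = config.return_value(rule_log_level)
                    config.delete(rule_log_level)
                    config.set(rule_base + [rule, 'log-options', 'level'], value=tmp)
```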