| author | Christian Breunig <christian@breunig.cc> | 2023-11-11 13:05:42 +0100 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-11-11 13:05:42 +0100 | 
| commit | e5a53d48cf149facb30410c25e55ab3780205186 (patch) | |
| tree | 0ea5b052b18f9db57fc65981950529ef478e8298 /src | |
| parent | 2ca0ac6ac420b5904d87344db80840c640d2cde9 (diff) | |
| parent | c4409d6a4e11bf2acc7b5b96888e2c471c4559e5 (diff) | |
| download | vyos-1x-e5a53d48cf149facb30410c25e55ab3780205186.tar.gz vyos-1x-e5a53d48cf149facb30410c25e55ab3780205186.zip | |
Merge pull request #2471 from nicolas-fort/T5729
T5729: firewall: switch to valueless in 
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/firewall.py | 2 | ||||
| -rwxr-xr-x | src/migration-scripts/firewall/11-to-12 | 1 | ||||
| -rwxr-xr-x | src/migration-scripts/firewall/12-to-13 | 83 | ||||
| -rwxr-xr-x | src/migration-scripts/policy/6-to-7 | 79 | 
4 files changed, 163 insertions, 2 deletions
| diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 8028492a7..ceed0cf31 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -272,7 +272,7 @@ def verify_rule(firewall, rule_conf, ipv6):                  raise ConfigError(f'{side} port-group and port cannot both be defined')      if 'log_options' in rule_conf: -        if 'log' not in rule_conf or 'enable' not in rule_conf['log']: +        if 'log' not in rule_conf:              raise ConfigError('log-options defined, but log is not enable')          if 'snapshot_length' in rule_conf['log_options'] and 'group' not in rule_conf['log_options']: diff --git a/src/migration-scripts/firewall/11-to-12 b/src/migration-scripts/firewall/11-to-12 index 51b2fa860..ba8374d66 100755 --- a/src/migration-scripts/firewall/11-to-12 +++ b/src/migration-scripts/firewall/11-to-12 @@ -46,7 +46,6 @@ if not config.exists(base):      # Nothing to do      exit(0) -## FORT  ## Migration from base chains  #if config.exists(base + ['interface', iface, direction]):  for family in ['ipv4', 'ipv6']: diff --git a/src/migration-scripts/firewall/12-to-13 b/src/migration-scripts/firewall/12-to-13 new file mode 100755 index 000000000..c2b34b2d8 --- /dev/null +++ b/src/migration-scripts/firewall/12-to-13 
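Review bot: The message raised on the line after the changed condition, `'log-options defined, but log is not enable'`, still describes the old `log enable` value; with `log` now a valueless node it would read more accurately as `raise ConfigError('log-options defined, but log is not set')`. verify_rule starts before this hunk, so the earlier checks on rule_conf are not visible here.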
@@ -0,0 +1,83 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5729: Switch to valueless whenever is possible.
+# From
+    # set firewall ... rule <rule> log enable
+    # set firewall ... rule <rule> state <state> enable
+    # set firewall ... rule <rule> log disable
+    # set firewall ... rule <rule> state <state> disable
+# To
+    # set firewall ... rule <rule> log
+    # set firewall ... rule <rule> state <state>
+    # Remove command if log=disable or <state>=disable
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import Section
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['firewall']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+for family in ['ipv4', 'ipv6', 'bridge']:
+    if config.exists(base + [family]):
+        for hook in ['forward', 'input', 'output', 'name']:
+            if config.exists(base + [family, hook]):
+                for priority in config.list_nodes(base + [family, hook]):
+                    if config.exists(base + [family, hook, priority, 'rule']):
+                        for rule in config.list_nodes(base + [family, hook, priority, 'rule']):
+                            # Log
+                            if config.exists(base + [family, hook, priority, 'rule', rule, 'log']):
+                                log_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'log'])
+                                config.delete(base + [family, hook, priority, 'rule', rule, 'log'])
+                                if log_value == 'enable':
+                                    config.set(base + [family, hook, priority, 'rule', rule, 'log'])
+                            # State
+                            if config.exists(base + [family, hook, priority, 'rule', rule, 'state']):
+                                flag_enable = 'False'
+                                for state in ['established', 'invalid', 'new', 'related']:
+                                    if config.exists(base + [family, hook, priority, 'rule', rule, 'state', state]):
+                                        state_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'state', state])
+                                        config.delete(base + [family, hook, priority, 'rule', rule, 'state', state])
+                                        if state_value == 'enable':
+                                            config.set(base + [family, hook, priority, 'rule', rule, 'state', state])
+                                            flag_enable = 'True'
+                                if flag_enable == 'False':
+                                    config.delete(base + [family, hook, priority, 'rule', rule, 'state'])
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
\ No newline at end of file
diff --git a/src/migration-scripts/policy/6-to-7 b/src/migration-scripts/policy/6-to-7
new file mode 100755
index 000000000..1f955aa02
--- /dev/null
+++ b/src/migration-scripts/policy/6-to-7
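Review bot: Every `log` or `state <state>` value other than the literal `'enable'` is deleted and never re-created (the `if log_value == 'enable':` and `if state_value == 'enable':` branches), so an unexpected or missing value — for instance a node that is already valueless when the script meets a partially migrated config, where `return_value` presumably returns None — silently drops the rule's logging or its state match. Losing a `state` match widens what a firewall rule matches, so the safer default is to drop the node only on the explicit opt-out: `if log_value != 'disable':` and `if state_value != 'disable':`. The same pattern, together with the string-typed flag `flag_enable = 'False'` compared via `== 'False'` where a plain bool (`flag_enable = False`, `if not flag_enable:`) is meant, appears again in the policy/6-to-7 hunk.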
@@ -0,0 +1,79 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5729: Switch to valueless whenever is possible.
+# From
+    # set policy [route | route6] ... rule <rule> log enable
+    # set policy [route | route6] ... rule <rule> log disable
+# To
+    # set policy [route | route6] ... rule <rule> log
+    # Remove command if log=disable
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import Section
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['policy']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+for family in ['route', 'route6']:
+    if config.exists(base + [family]):
+        
+        for policy_name in config.list_nodes(base + [family]):
+            if config.exists(base + [family, policy_name, 'rule']):
+                for rule in config.list_nodes(base + [family, policy_name, 'rule']):
+                    # Log
+                    if config.exists(base + [family, policy_name, 'rule', rule, 'log']):
+                        log_value = config.return_value(base + [family, policy_name, 'rule', rule, 'log'])
+                        config.delete(base + [family, policy_name, 'rule', rule, 'log'])
+                        if log_value == 'enable':
+                            config.set(base + [family, policy_name, 'rule', rule, 'log'])
+                    # State
+                    if config.exists(base + [family, policy_name, 'rule', rule, 'state']):
+                        flag_enable = 'False'
+                        for state in ['established', 'invalid', 'new', 'related']:
+                            if config.exists(base + [family, policy_name, 'rule', rule, 'state', state]):
+                                state_value = config.return_value(base + [family, policy_name, 'rule', rule, 'state', state])
+                                config.delete(base + [family, policy_name, 'rule', rule, 'state', state])
+                                if state_value == 'enable':
+                                    config.set(base + [family, policy_name, 'rule', rule, 'state', state])
+                                    flag_enable = 'True'
+                        if flag_enable == 'False':
+                            config.delete(base + [family, policy_name, 'rule', rule, 'state'])
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
\ No newline at end of file | 
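Review bot: The header comment only documents the `log enable`/`log disable` conversion, but the block under `# State` also rewrites `state <state> enable|disable` for policy route rules; the From/To lists should add `# set policy [route | route6] ... rule <rule> state <state> enable` with the matching `To` line and the `<state>=disable` removal rule, so the comment matches what the script does. `import re` and `from vyos.ifconfig import Section` are unused here (and in the firewall/12-to-13 hunk) and can be dropped. The line directly after `if config.exists(base + [family]):` is whitespace-only and should be an empty line or removed.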
