summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2023-07-03 16:32:37 -0300
committerNicolas Fort <nicolasfort1988@gmail.com>2023-08-11 11:50:00 -0300
commit0300bf433d9aaff81fdecf9eeaabba8d06c1999f (patch)
tree31e3f9fb52dc9fd9c9ab7046a1c1904b2eb04f83 /src
parentdbb069151f372ea521fad2edcd83f2d33631e6c7 (diff)
downloadvyos-1x-0300bf433d9aaff81fdecf9eeaabba8d06c1999f.tar.gz
vyos-1x-0300bf433d9aaff81fdecf9eeaabba8d06c1999f.zip
T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/firewall.py36
-rwxr-xr-xsrc/migration-scripts/firewall/10-to-118
2 files changed, 22 insertions, 22 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index a50ae2ec6..c8b1e27db 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -98,21 +98,21 @@ def geoip_updated(conf, firewall):
for key, path in dict_search_recursive(firewall, 'geoip'):
set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}'
- if path[1] == 'ipv6_name':
- set_name = f'GEOIP_CC_name6_{path[2]}_{path[4]}'
-
- if (path[0] == 'ipv4') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ):
+ if (path[0] == 'ipv4'):
out['name'].append(set_name)
- elif (path[0] == 'ipv6') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name' ):
+ elif (path[0] == 'ipv6'):
+ set_name = f'GEOIP_CC6_{path[1]}_{path[2]}_{path[4]}'
out['ipv6_name'].append(set_name)
+
updated = True
if 'delete' in node_diff:
for key, path in dict_search_recursive(node_diff['delete'], 'geoip'):
- set_name = f'GEOIP_CC_{path[2]}_{path[4]}'
- if path[1] == 'name':
+ set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}'
+ if (path[0] == 'ipv4'):
out['deleted_name'].append(set_name)
- elif path[1] == 'ipv6-name':
+ elif (path[0] == 'ipv6'):
+ set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}'
out['deleted_ipv6_name'].append(set_name)
updated = True
@@ -140,7 +140,7 @@ def get_config(config=None):
default_values = defaults(base)
for family in ['ipv4', 'ipv6']:
- for tmp in ['name', 'ipv6_name', 'forward', 'input', 'output', 'prerouting']:
+ for tmp in ['name', 'forward', 'input', 'output', 'prerouting']:
if tmp in default_values[family]:
del default_values[family][tmp]
@@ -162,11 +162,11 @@ def get_config(config=None):
firewall['ipv4'][hook][priority])
# Merge in defaults for IPv6 ruleset
- if 'ipv6_name' in firewall['ipv6']:
- default_values = defaults(base + ['ipv6'] + ['ipv6-name'])
- for ipv6_name in firewall['ipv6']['ipv6_name']:
- firewall['ipv6']['ipv6_name'][ipv6_name] = dict_merge(default_values,
- firewall['ipv6']['ipv6_name'][ipv6_name])
+ if 'name' in firewall['ipv6']:
+ default_values = defaults(base + ['ipv6'] + ['name'])
+ for ipv6_name in firewall['ipv6']['name']:
+ firewall['ipv6']['name'][ipv6_name] = dict_merge(default_values,
+ firewall['ipv6']['name'][ipv6_name])
for hook in ['forward', 'input', 'output', 'prerouting']:
if hook in firewall['ipv6']:
for priority in ['filter', 'mangle', 'raw']:
@@ -209,8 +209,8 @@ def verify_rule(firewall, rule_conf, ipv6):
if target not in dict_search_args(firewall, 'ipv4', 'name'):
raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system')
else:
- if target not in dict_search_args(firewall, 'ipv6', 'ipv6_name'):
- raise ConfigError(f'Invalid jump-target. Firewall ipv6-name {target} does not exist on the system')
+ if target not in dict_search_args(firewall, 'ipv6', 'name'):
+ raise ConfigError(f'Invalid jump-target. Firewall ipv6 name {target} does not exist on the system')
if 'queue_options' in rule_conf:
if 'queue' not in rule_conf['action']:
@@ -359,7 +359,7 @@ def verify(firewall):
verify_rule(firewall, rule_conf, False)
if 'ipv6' in firewall:
- for name in ['ipv6_name','forward','input','output']:
+ for name in ['name','forward','input','output']:
if name in firewall['ipv6']:
for name_id, name_conf in firewall['ipv6'][name].items():
if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf:
@@ -371,7 +371,7 @@ def verify(firewall):
if name_conf['default_jump_target'] == name_id:
raise ConfigError(f'Loop detected on default-jump-target.')
## Now need to check that default-jump-target exists (other firewall chain/name)
- if target not in dict_search_args(firewall['ipv6'], 'ipv6_name'):
+ if target not in dict_search_args(firewall['ipv6'], 'name'):
raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system')
if 'rule' in name_conf:
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11
index 8cd2a4df8..8afcb64fd 100755
--- a/src/migration-scripts/firewall/10-to-11
+++ b/src/migration-scripts/firewall/10-to-11
@@ -21,7 +21,7 @@
# set firewall ipv6-name <name> ...
# To
# set firewall ipv4 name <name>
-# set firewall ipv6 ipv6-name <name>
+# set firewall ipv6 name <name>
## Also from 'firewall interface' removed.
## in and out:
@@ -97,11 +97,11 @@ if config.exists(base + ['name']):
config.delete(base + ['name'])
if config.exists(base + ['ipv6-name']):
- config.set(['firewall', 'ipv6', 'ipv6-name'])
- config.set_tag(['firewall', 'ipv6', 'ipv6-name'])
+ config.set(['firewall', 'ipv6', 'name'])
+ config.set_tag(['firewall', 'ipv6', 'name'])
for ipv6name in config.list_nodes(base + ['ipv6-name']):
- config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'ipv6-name', ipv6name])
+ config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'name', ipv6name])
config.delete(base + ['ipv6-name'])
### Migration of firewall interface