-rw-r--r-- | interface-definitions/include/conntrack-module-disable.xml.i | 8 | ||||
-rw-r--r-- | interface-definitions/system-conntrack.xml.in | 44 | ||||
-rwxr-xr-x | src/conf_mode/conntrack.py | 2 | ||||
-rwxr-xr-x | src/migration-scripts/conntrack/2-to-3 | 37 |
4 files changed, 53 insertions, 38 deletions
diff --git a/interface-definitions/include/conntrack-module-disable.xml.i b/interface-definitions/include/conntrack-module-disable.xml.i
deleted file mode 100644
index f891225e0..000000000
--- a/interface-definitions/include/conntrack-module-disable.xml.i
+++ /dev/null
@@ -1,8 +0,0 @@
-<!-- include start from conntrack-module-disable.xml.i -->
-<leafNode name="disable">
- <properties>
- <help>Disable connection tracking helper</help>
- <valueless/>
- </properties>
-</leafNode>
-<!-- include end -->
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in
index fa73df3db..c408e9bdd 100644
--- a/interface-definitions/system-conntrack.xml.in
+++ b/interface-definitions/system-conntrack.xml.in
@@ -37,64 +37,50 @@
 </leafNode>
 <node name="modules">
 <properties>
- <help>Connection tracking modules settings</help>
+ <help>Connection tracking modules</help>
 </properties>
 <children>
 <node name="ftp">
 <properties>
- <help>FTP connection tracking settings</help>
+ <help>FTP connection tracking</help>
+ <valueless/>
 </properties>
- <children>
- #include <include/conntrack-module-disable.xml.i>
- </children>
 </node>
 <node name="h323">
 <properties>
- <help>H.323 connection tracking settings</help>
+ <help>H.323 connection tracking</help>
+ <valueless/>
 </properties>
- <children>
- #include <include/conntrack-module-disable.xml.i>
- </children>
 </node>
 <node name="nfs">
 <properties>
- <help>NFS connection tracking settings</help>
+ <help>NFS connection tracking</help>
+ <valueless/>
 </properties>
- <children>
- #include <include/conntrack-module-disable.xml.i>
- </children>
 </node>
 <node name="pptp">
 <properties>
- <help>PPTP connection tracking settings</help>
+ <help>PPTP connection tracking</help>
+ <valueless/>
 </properties>
- <children>
- #include <include/conntrack-module-disable.xml.i>
- </children>
 </node>
 <node name="sip">
 <properties>
- <help>SIP connection tracking settings</help>
+ <help>SIP connection tracking</help>
+ <valueless/>
 </properties>
- <children>
- #include <include/conntrack-module-disable.xml.i>
- </children>
 </node>
 <node name="sqlnet">
 <properties>
- <help>SQLnet connection tracking settings</help>
+ <help>SQLnet connection tracking</help>
+ <valueless/>
 </properties>
- <children>
- #include <include/conntrack-module-disable.xml.i>
- </children>
 </node>
 <node name="tftp">
 <properties>
- <help>TFTP connection tracking settings</help>
+ <help>TFTP connection tracking</help>
+ <valueless/>
 </properties>
- <children>
- #include <include/conntrack-module-disable.xml.i>
- </children>
 </node>
 </children>
 </node>
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index 4e6e39c0f..b305265db 100755
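Review bot: `<valueless/>` now sits in the `<properties>` of a `<node>` for each of ftp, h323, nfs, pptp, sip, sqlnet and tftp, whereas the include this commit deletes carried it on a `<leafNode>`. If the interface-definition schema accepts `<valueless/>` only on leaf nodes (not visible from this page), these seven entries should be declared as `<leafNode name="ftp">` … `</leafNode>` and likewise for the others. Since a helper that is absent from the config is now unloaded, the help text could also state the opt-in meaning, for example `<help>Enable FTP connection tracking helper</help>`.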
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -97,7 +97,7 @@ def apply(conntrack):
 # Depending on the enable/disable state of the ALG (Application Layer Gateway)
 # modules we need to either insmod or rmmod the helpers.
 for module, module_config in module_map.items():
- if dict_search(f'modules.{module}.disable', conntrack) != None:
+ if dict_search(f'modules.{module}', conntrack) is None:
 if 'ko' in module_config:
 for mod in module_config['ko']:
 # Only remove the module if it's loaded
diff --git a/src/migration-scripts/conntrack/2-to-3 b/src/migration-scripts/conntrack/2-to-3
new file mode 100755
index 000000000..8a8b43279
--- /dev/null
+++ b/src/migration-scripts/conntrack/2-to-3
@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+
+# Conntrack syntax version 3
+# Enables all conntrack modules (previous default behaviour) and omits manually disabled modules.
+
+import sys
+
+from vyos.configtree import ConfigTree
+from vyos.version import get_version
+
+if len(sys.argv) < 1:
+ print('Must specify file name!')
+ sys.exit(1)
+
+filename = sys.argv[1]
+
+with open(filename, 'r') as f:
+ config = ConfigTree(f.read())
+
+module_path = ['system', 'conntrack', 'modules']
+
+# Go over all conntrack modules available as of v1.3.0.
+for module in ['ftp', 'h323', 'nfs', 'pptp', 'sip', 'sqlnet', 'tftp']:
+ # 'disable' is being phased out.
+ if config.exists(module_path + [module, 'disable']):
+ config.delete(module_path + [module])
+ # If it wasn't manually 'disable'd, it was enabled by default.
+ else:
+ config.set(module_path + [module])
+
+try:
+ if config.exists(module_path):
+ with open(filename, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print(f'Failed to save the modified config: {e}')
+ sys.exit(1) |
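Review bot: The comment above the changed condition in apply() still describes an enable/disable state, but with the new test a helper is removed whenever its key is missing under `modules`, so absence now means off. I would reword it along the lines of `# A helper not listed under 'system conntrack modules' is treated as disabled and its kernel module is removed.` The body of apply() continues outside the hunk, so the branch that loads a helper is not visible here.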
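Review bot: The argument guard `if len(sys.argv) < 1:` can never be true, because sys.argv always holds at least the script name, so a missing file name reaches `filename = sys.argv[1]` and fails with an IndexError instead of the intended message; it should read `if len(sys.argv) < 2:`. `from vyos.version import get_version` is imported but not used anywhere in the script and can be dropped. The else branch also sets every helper that was not explicitly disabled, so an upgraded system keeps all seven ALG helpers loaded rather than picking up the new opt-in default. A header comment saying so would prompt operators to review `system conntrack modules` after migration and remove helpers they do not need.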