Diffstat (limited to 'src/migration-scripts/firewall')
-rwxr-xr-x | src/migration-scripts/firewall/10-to-11 | 236 | ||||
-rwxr-xr-x | src/migration-scripts/firewall/11-to-12 | 74 | ||||
-rwxr-xr-x | src/migration-scripts/firewall/12-to-13 | 92 | ||||
-rwxr-xr-x | src/migration-scripts/firewall/13-to-14 | 59 | ||||
-rwxr-xr-x | src/migration-scripts/firewall/6-to-7 | 9 |
5 files changed, 269 insertions, 201 deletions
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11 index 716c5a240..abb804a28 100755 --- a/src/migration-scripts/firewall/10-to-11 +++ b/src/migration-scripts/firewall/10-to-11 @@ -63,19 +63,11 @@ if not config.exists(base): ### Migration of state policies if config.exists(base + ['state-policy']): - for family in ['ipv4', 'ipv6']: - for hook in ['forward', 'input', 'output']: - for priority in ['filter']: - # Add default-action== accept for compatibility reasons: - config.set(base + [family, hook, priority, 'default-action'], value='accept') - position = 1 - for state in config.list_nodes(base + ['state-policy']): - action = config.return_value(base + ['state-policy', state, 'action']) - config.set(base + [family, hook, priority, 'rule']) - config.set_tag(base + [family, hook, priority, 'rule']) - config.set(base + [family, hook, priority, 'rule', position, 'state', state], value='enable') - config.set(base + [family, hook, priority, 'rule', position, 'action'], value=action) - position = position + 1 + for state in config.list_nodes(base + ['state-policy']): + action = config.return_value(base + ['state-policy', state, 'action']) + config.set(base + ['global-options', 'state-policy', state, 'action'], value=action) + if config.exists(base + ['state-policy', state, 'log']): + config.set(base + ['global-options', 'state-policy', state, 'log'], value='enable') config.delete(base + ['state-policy']) ## migration of global options: 
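Review bot: The new `log` branch of the state-policy loop turns any existing `state-policy <state> log` node into `log enable` without reading the value it carries, so if the v10 node accepted `disable` as a value, a `log disable` would come out of migration with logging switched on. The 12-to-13 script in this same commit reads `global-options state-policy <state> log` back as a valued node and keeps it only when the value is `enable`, which suggests the value is meant to survive this step. Copy it through instead: `config.set(base + ['global-options', 'state-policy', state, 'log'], value=config.return_value(base + ['state-policy', state, 'log']))`. The `action` read just above is likewise unguarded; if a v10 state entry can exist with only `log` set, `config.return_value` would have no value to return there — worth confirming against the v10 schema.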
@@ -88,12 +80,27 @@ for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv config.delete(base + [option]) ### Migration of firewall name and ipv6-name +### Also migrate legacy 'accept' behaviour if config.exists(base + ['name']): config.set(['firewall', 'ipv4', 'name']) config.set_tag(['firewall', 'ipv4', 'name']) for ipv4name in config.list_nodes(base + ['name']): config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name]) + + if config.exists(base + ['ipv4', 'name', ipv4name, 'default-action']): + action = config.return_value(base + ['ipv4', 'name', ipv4name, 'default-action']) + + if action == 'accept': + config.set(base + ['ipv4', 'name', ipv4name, 'default-action'], value='return') + + if config.exists(base + ['ipv4', 'name', ipv4name, 'rule']): + for rule_id in config.list_nodes(base + ['ipv4', 'name', ipv4name, 'rule']): + action = config.return_value(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action']) + + if action == 'accept': + config.set(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action'], value='return') + config.delete(base + ['name']) if config.exists(base + ['ipv6-name']): 
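Review bot: The `accept`→`return` rewrite applied to migrated `ipv4 name` chains is a semantic change that the one-line `### Also migrate legacy 'accept' behaviour` comment does not explain: after migration a named chain is entered via a jump from a base chain (as the interface and zone migrations below show), so `return` hands the packet back to the base chain's remaining rules and default-action rather than ending evaluation the way `accept` did. A comment such as `# named chains are now reached via 'jump'; use 'return' so the base chain's later rules still apply` would record the reason. The rule loop calls `config.return_value(... 'rule', rule_id, 'action')` without checking that the node exists; if v10 allowed a rule without an action, `action` would be empty here — worth confirming. The `ipv6-name` hunk that follows duplicates this block line for line; a single loop over `('name', 'ipv4')`/`('ipv6-name', 'ipv6')` pairs would keep the two in step.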
@@ -102,6 +109,20 @@ if config.exists(base + ['ipv6-name']): for ipv6name in config.list_nodes(base + ['ipv6-name']): config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'name', ipv6name]) + + if config.exists(base + ['ipv6', 'name', ipv6name, 'default-action']): + action = config.return_value(base + ['ipv6', 'name', ipv6name, 'default-action']) + + if action == 'accept': + config.set(base + ['ipv6', 'name', ipv6name, 'default-action'], value='return') + + if config.exists(base + ['ipv6', 'name', ipv6name, 'rule']): + for rule_id in config.list_nodes(base + ['ipv6', 'name', ipv6name, 'rule']): + action = config.return_value(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action']) + + if action == 'accept': + config.set(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action'], value='return') + config.delete(base + ['ipv6-name']) ### Migration of firewall interface @@ -110,8 +131,8 @@ if config.exists(base + ['interface']): inp_ipv4_rule = 5 fwd_ipv6_rule = 5 inp_ipv6_rule = 5 - for iface in config.list_nodes(base + ['interface']): - for direction in ['in', 'out', 'local']: + for direction in ['in', 'out', 'local']: + for iface in config.list_nodes(base + ['interface']): if config.exists(base + ['interface', iface, direction]): if config.exists(base + ['interface', iface, direction, 'name']): target = config.return_value(base + ['interface', iface, direction, 'name']) 
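Review bot: Swapping the nesting so `direction` is the outer loop changes which rule numbers the generated rules receive: every interface's `in` rule is now numbered before any `out` or `local` rule, instead of each interface's three rules being numbered together. Where those rules land in the same chain, rule numbers order evaluation, so this is a change in migrated behaviour rather than a pure refactor, and the hunk carries no comment saying why. A line such as `# iterate direction first so all 'in' rules precede 'out'/'local' rules in the migrated chains` would record the intent. The enclosing `if config.exists(base + ['interface'])` block begins and ends outside this hunk.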
@@ -181,191 +202,6 @@ if config.exists(base + ['interface']): config.delete(base + ['interface']) - -### Migration of zones: -### User interface groups -if config.exists(base + ['zone']): - inp_ipv4_rule = 101 - inp_ipv6_rule = 101 - fwd_ipv4_rule = 101 - fwd_ipv6_rule = 101 - out_ipv4_rule = 101 - out_ipv6_rule = 101 - local_zone = 'False' - - for zone in config.list_nodes(base + ['zone']): - if config.exists(base + ['zone', zone, 'local-zone']): - local_zone = 'True' - # Add default-action== accept for compatibility reasons: - config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept') - config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept') - config.set(base + ['ipv4', 'output', 'filter', 'default-action'], value='accept') - config.set(base + ['ipv6', 'output', 'filter', 'default-action'], value='accept') - for from_zone in config.list_nodes(base + ['zone', zone, 'from']): - group_name = 'IG_' + from_zone - if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']): - # ipv4 input ruleset - target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']) - config.set(base + ['ipv4', 'input', 'filter', 'rule']) - config.set_tag(base + ['ipv4', 'input', 'filter', 'rule']) - config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump') - config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain) - inp_ipv4_rule = inp_ipv4_rule + 5 - if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']): - # ipv6 input ruleset - target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']) - config.set(base + ['ipv6', 'input', 'filter', 'rule']) - config.set_tag(base + ['ipv6', 'input', 'filter', 
'rule']) - config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value='jump') - config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'jump-target'], value=target_ipv6_chain) - inp_ipv6_rule = inp_ipv6_rule + 5 - - # Migrate: set firewall zone <zone> default-action <action> - # Options: drop or reject. If not specified, is drop - if config.exists(base + ['zone', zone, 'default-action']): - local_def_action = config.return_value(base + ['zone', zone, 'default-action']) - else: - local_def_action = 'drop' - config.set(base + ['ipv4', 'input', 'filter', 'rule']) - config.set_tag(base + ['ipv4', 'input', 'filter', 'rule']) - config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action) - config.set(base + ['ipv6', 'input', 'filter', 'rule']) - config.set_tag(base + ['ipv6', 'input', 'filter', 'rule']) - config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value=local_def_action) - if config.exists(base + ['zone', zone, 'enable-default-log']): - config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable') - config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'log'], value='enable') - - else: - # It's not a local zone - group_name = 'IG_' + zone - # Add default-action== accept for compatibility reasons: - config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') - config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept') - # intra-filtering migration. 
By default accept - intra_zone_ipv4_action = 'accept' - intra_zone_ipv6_action = 'accept' - - if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'action']): - intra_zone_ipv4_action = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'action']) - intra_zone_ipv6_action = intra_zone_ipv4_action - else: - if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']): - intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']) - intra_zone_ipv4_action = 'jump' - if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']): - intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']) - intra_zone_ipv6_action = 'jump' - config.set(base + ['ipv4', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) - config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action) - config.set(base + ['ipv6', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule']) - config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value=intra_zone_ipv6_action) - if intra_zone_ipv4_action == 'jump': - if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']): - intra_zone_ipv4_target = config.return_value(base + 
['zone', zone, 'intra-zone-filtering', 'firewall', 'name']) - config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target) - if intra_zone_ipv6_action == 'jump': - if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']): - intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']) - config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'jump-target'], value=intra_zone_ipv6_target) - fwd_ipv4_rule = fwd_ipv4_rule + 5 - fwd_ipv6_rule = fwd_ipv6_rule + 5 - - if config.exists(base + ['zone', zone, 'interface']): - # Create interface group IG_<zone> - group_name = 'IG_' + zone - config.set(base + ['group', 'interface-group'], value=group_name) - config.set_tag(base + ['group', 'interface-group']) - for iface in config.return_values(base + ['zone', zone, 'interface']): - config.set(base + ['group', 'interface-group', group_name, 'interface'], value=iface, replace=False) - - if config.exists(base + ['zone', zone, 'from']): - for from_zone in config.list_nodes(base + ['zone', zone, 'from']): - from_group = 'IG_' + from_zone - if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']): - target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']) - if config.exists(base + ['zone', from_zone, 'local-zone']): - # It's from LOCAL zone -> Output filtering - config.set(base + ['ipv4', 'output', 'filter', 'rule']) - config.set_tag(base + ['ipv4', 'output', 'filter', 'rule']) - config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump') - config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain) - out_ipv4_rule = out_ipv4_rule + 5 - else: - # 
It's not LOCAL zone -> forward filtering - config.set(base + ['ipv4', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) - config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group) - config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump') - config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain) - fwd_ipv4_rule = fwd_ipv4_rule + 5 - if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']): - target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']) - if config.exists(base + ['zone', from_zone, 'local-zone']): - # It's from LOCAL zone -> Output filtering - config.set(base + ['ipv6', 'output', 'filter', 'rule']) - config.set_tag(base + ['ipv6', 'output', 'filter', 'rule']) - config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value='jump') - config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'jump-target'], value=target_ipv6_chain) - out_ipv6_rule = out_ipv6_rule + 5 - else: - # It's not LOCAL zone -> forward filtering - config.set(base + ['ipv6', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule']) - config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=from_group) - config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 
'action'], value='jump') - config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'jump-target'], value=target_ipv6_chain) - fwd_ipv6_rule = fwd_ipv6_rule + 5 - - ## Now need to migrate: set firewall zone <zone> default-action <action> # action=drop if not specified. - if config.exists(base + ['zone', zone, 'default-action']): - def_action = config.return_value(base + ['zone', zone, 'default-action']) - else: - def_action = 'drop' - config.set(base + ['ipv4', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) - config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action) - description = 'zone_' + zone + ' default-action' - config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description) - config.set(base + ['ipv6', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule']) - config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value=def_action) - config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'description'], value=description) - - if config.exists(base + ['zone', zone, 'enable-default-log']): - config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable') - config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'log'], value='enable') - fwd_ipv4_rule = fwd_ipv4_rule + 5 - fwd_ipv6_rule = fwd_ipv6_rule + 5 - - # Migrate default-action (force to be drop in output chain) if local zone is defined - if local_zone == 'True': - # General drop in output change if needed - config.set(base + ['ipv4', 'output', 'filter', 'rule']) - 
config.set_tag(base + ['ipv4', 'output', 'filter', 'rule']) - config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action) - config.set(base + ['ipv6', 'output', 'filter', 'rule']) - config.set_tag(base + ['ipv6', 'output', 'filter', 'rule']) - config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value=local_def_action) - - config.delete(base + ['zone']) - -###### END migration zones - try: with open(file_name, 'w') as f: f.write(config.to_string()) diff --git a/src/migration-scripts/firewall/11-to-12 b/src/migration-scripts/firewall/11-to-12 new file mode 100755 index 000000000..ba8374d66 --- /dev/null +++ b/src/migration-scripts/firewall/11-to-12 
@@ -0,0 +1,74 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# T5681: Firewall re-writing. Simplify cli when mathcing interface +# From + # set firewall ... rule <rule> [inbound-interface | outboubd-interface] interface-name <iface> + # set firewall ... rule <rule> [inbound-interface | outboubd-interface] interface-group <iface_group> +# To + # set firewall ... rule <rule> [inbound-interface | outboubd-interface] name <iface> + # set firewall ... 
rule <rule> [inbound-interface | outboubd-interface] group <iface_group> + +import re + +from sys import argv +from sys import exit + +from vyos.configtree import ConfigTree +from vyos.ifconfig import Section + +if len(argv) < 2: + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['firewall'] +config = ConfigTree(config_file) + +if not config.exists(base): + # Nothing to do + exit(0) + +## Migration from base chains +#if config.exists(base + ['interface', iface, direction]): +for family in ['ipv4', 'ipv6']: + if config.exists(base + [family]): + for hook in ['forward', 'input', 'output', 'name']: + if config.exists(base + [family, hook]): + for priority in config.list_nodes(base + [family, hook]): + if config.exists(base + [family, hook, priority, 'rule']): + for rule in config.list_nodes(base + [family, hook, priority, 'rule']): + for direction in ['inbound-interface', 'outbound-interface']: + if config.exists(base + [family, hook, priority, 'rule', rule, direction]): + if config.exists(base + [family, hook, priority, 'rule', rule, direction, 'interface-name']): + iface = config.return_value(base + [family, hook, priority, 'rule', rule, direction, 'interface-name']) + config.set(base + [family, hook, priority, 'rule', rule, direction, 'name'], value=iface) + config.delete(base + [family, hook, priority, 'rule', rule, direction, 'interface-name']) + elif config.exists(base + [family, hook, priority, 'rule', rule, direction, 'interface-group']): + group = config.return_value(base + [family, hook, priority, 'rule', rule, direction, 'interface-group']) + config.set(base + [family, hook, priority, 'rule', rule, direction, 'group'], value=group) + config.delete(base + [family, hook, priority, 'rule', rule, direction, 'interface-group']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: 
{}".format(e)) + exit(1)
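Review bot: `import re` and `from vyos.ifconfig import Section` are never used in this script, and the commented-out `#if config.exists(base + ['interface', iface, direction]):` above the family loop references names the script does not define; all three should go. The `elif` on `interface-group` means a rule that somehow carries both `interface-name` and `interface-group` keeps the group under its old node name, which the v12 CLI may no longer accept; if the v11 schema made the two mutually exclusive, a comment saying so is enough, otherwise both should be migrated. The header comment's `mathcing` and `outboubd-interface` typos are worth fixing while here, and the file lacks a trailing newline.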
\ No newline at end of file diff --git a/src/migration-scripts/firewall/12-to-13 b/src/migration-scripts/firewall/12-to-13 new file mode 100755 index 000000000..8396dd9d1 --- /dev/null +++ b/src/migration-scripts/firewall/12-to-13 
@@ -0,0 +1,92 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# T5729: Switch to valueless whenever is possible. +# From + # set firewall ... rule <rule> log enable + # set firewall ... rule <rule> state <state> enable + # set firewall ... rule <rule> log disable + # set firewall ... rule <rule> state <state> disable +# To + # set firewall ... rule <rule> log + # set firewall ... 
rule <rule> state <state> + # Remove command if log=disable or <state>=disable + +import re + +from sys import argv +from sys import exit + +from vyos.configtree import ConfigTree +from vyos.ifconfig import Section + +if len(argv) < 2: + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['firewall'] +config = ConfigTree(config_file) + +if not config.exists(base): + # Nothing to do + exit(0) + +# State Policy logs: +if config.exists(base + ['global-options', 'state-policy']): + for state in config.list_nodes(base + ['global-options', 'state-policy']): + if config.exists(base + ['global-options', 'state-policy', state, 'log']): + log_value = config.return_value(base + ['global-options', 'state-policy', state, 'log']) + config.delete(base + ['global-options', 'state-policy', state, 'log']) + if log_value == 'enable': + config.set(base + ['global-options', 'state-policy', state, 'log']) + +for family in ['ipv4', 'ipv6', 'bridge']: + if config.exists(base + [family]): + for hook in ['forward', 'input', 'output', 'name']: + if config.exists(base + [family, hook]): + for priority in config.list_nodes(base + [family, hook]): + if config.exists(base + [family, hook, priority, 'rule']): + for rule in config.list_nodes(base + [family, hook, priority, 'rule']): + # Log + if config.exists(base + [family, hook, priority, 'rule', rule, 'log']): + log_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'log']) + config.delete(base + [family, hook, priority, 'rule', rule, 'log']) + if log_value == 'enable': + config.set(base + [family, hook, priority, 'rule', rule, 'log']) + # State + if config.exists(base + [family, hook, priority, 'rule', rule, 'state']): + flag_enable = 'False' + for state in ['established', 'invalid', 'new', 'related']: + if config.exists(base + [family, hook, priority, 'rule', rule, 'state', state]): + state_value = config.return_value(base + [family, 
hook, priority, 'rule', rule, 'state', state]) + config.delete(base + [family, hook, priority, 'rule', rule, 'state', state]) + if state_value == 'enable': + config.set(base + [family, hook, priority, 'rule', rule, 'state'], value=state, replace=False) + flag_enable = 'True' + if flag_enable == 'False': + config.delete(base + [family, hook, priority, 'rule', rule, 'state']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1)
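Review bot: `flag_enable` is a string (`'False'`/`'True'`) that is later compared with `== 'False'`; a plain boolean (`flag_enable = False`, `flag_enable = True`, `if not flag_enable:`) expresses the same thing without a string comparison. As in 11-to-12, `import re` and `from vyos.ifconfig import Section` are unused. The state loop handles only `established`, `invalid`, `new` and `related`; any other key under `rule <rule> state` would be left in its old valued form, which is fine if those four are the whole v12 set but deserves a comment saying so. The file also lacks a trailing newline.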
\ No newline at end of file diff --git a/src/migration-scripts/firewall/13-to-14 b/src/migration-scripts/firewall/13-to-14 new file mode 100755 index 000000000..f45ff0674 --- /dev/null +++ b/src/migration-scripts/firewall/13-to-14 
@@ -0,0 +1,59 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# T5834: Rename 'enable-default-log' to 'default-log' +# From + # set firewall ... filter enable-default-log + # set firewall ... name <name> enable-default-log +# To + # set firewall ... filter default-log + # set firewall ... name <name> default-log + +from sys import argv +from sys import exit + +from vyos.configtree import ConfigTree + +if len(argv) < 2: + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['firewall'] +config = ConfigTree(config_file) + +if not config.exists(base): + # Nothing to do + exit(0) + +for family in ['ipv4', 'ipv6', 'bridge']: + if config.exists(base + [family]): + for hook in ['forward', 'input', 'output', 'name']: + if config.exists(base + [family, hook]): + for priority in config.list_nodes(base + [family, hook]): + if config.exists(base + [family, hook, priority, 'enable-default-log']): + config.rename(base + [family, hook, priority, 'enable-default-log'], 'default-log') + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7 index 9ad887acc..b918833e9 100755 
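Review bot: In the rename loop the variable `priority` also stands for the custom chain name when `hook == 'name'`, because `list_nodes(base + [family, 'name'])` yields chain names at that level; a comment such as `# under the 'name' hook the third level is the chain name, not a priority` would save the next reader a double-take. The same nesting pattern appears in 11-to-12 and 12-to-13 with the same naming, so the comment belongs in each.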
--- a/src/migration-scripts/firewall/6-to-7
+++ b/src/migration-scripts/firewall/6-to-7
@@ -73,6 +73,7 @@ icmp_translations = {
 # Time Exceeded
 'ttl-zero-during-transit': [11, 0],
 'ttl-zero-during-reassembly': [11, 1],
+'ttl-exceeded': 'time-exceeded',
 # Parameter Problem
 'ip-header-bad': [12, 0],
 'required-option-missing': [12, 1]
@@ -87,8 +88,14 @@ icmpv6_translations = {
 'communication-prohibited': [1, 1],
 'address-unreachble': [1, 3],
 'port-unreachable': [1, 4],
-# Redirect
+# nd
 'redirect': 'nd-redirect',
+'router-solicitation': 'nd-router-solicit',
+'router-advertisement': 'nd-router-advert',
+'neighbour-solicitation': 'nd-neighbor-solicit',
+'neighbor-solicitation': 'nd-neighbor-solicit',
+'neighbour-advertisement': 'nd-neighbor-advert',
+'neighbor-advertisement': 'nd-neighbor-advert',
 # Time Exceeded
 'ttl-zero-during-transit': [3, 0],
 'ttl-zero-during-reassembly': [3, 1], |
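Review bot: The replacement comment `# nd` is terser than the `# Redirect` it replaces; `# Neighbour Discovery (RFC 4861): router/neighbour solicitation and advertisement, redirect` would tell a reader what the six new entries group. The new values are nft type-name strings while most neighbouring entries are `[type, code]` lists; the pre-existing `'redirect': 'nd-redirect'` entry shows the table already mixes both shapes, so the consumer of `icmpv6_translations` (outside this hunk) is presumably shape-aware, but a one-line comment at the table head stating that would help. Accepting both `neighbour-` and `neighbor-` spellings is a sensible compatibility choice and could be noted alongside.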