Diffstat (limited to 'src/migration-scripts/firewall')
-rw-r--r--[-rwxr-xr-x] | src/migration-scripts/firewall/10-to-11 | 312 | ||||
-rw-r--r--[-rwxr-xr-x] | src/migration-scripts/firewall/11-to-12 | 88 | ||||
-rw-r--r--[-rwxr-xr-x] | src/migration-scripts/firewall/12-to-13 | 114 | ||||
-rw-r--r--[-rwxr-xr-x] | src/migration-scripts/firewall/13-to-14 | 64 | ||||
-rw-r--r--[-rwxr-xr-x] | src/migration-scripts/firewall/14-to-15 | 49 | ||||
-rw-r--r--[-rwxr-xr-x] | src/migration-scripts/firewall/15-to-16 | 39 | ||||
-rw-r--r--[-rwxr-xr-x] | src/migration-scripts/firewall/5-to-6 | 160 | ||||
-rw-r--r--[-rwxr-xr-x] | src/migration-scripts/firewall/6-to-7 | 444 | ||||
-rw-r--r--[-rwxr-xr-x] | src/migration-scripts/firewall/7-to-8 | 84 | ||||
-rw-r--r--[-rwxr-xr-x] | src/migration-scripts/firewall/8-to-9 | 126 | ||||
-rw-r--r--[-rwxr-xr-x] | src/migration-scripts/firewall/9-to-10 | 104 |
11 files changed, 683 insertions, 901 deletions
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11
index 854d5a558..70a170940 100755..100644
--- a/src/migration-scripts/firewall/10-to-11
+++ b/src/migration-scripts/firewall/10-to-11
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
 #
-# Copyright (C) 2023-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
 # T5160: Firewall re-writing
@@ -37,171 +36,152 @@ # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> action jump # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> jump-target <name> -from sys import argv -from sys import exit - from vyos.configtree import ConfigTree -if len(argv) < 2: - print("Must specify file name!") - exit(1) - -file_name = argv[1] - -with open(file_name, 'r') as f: - config_file = f.read() - base = ['firewall'] -config = ConfigTree(config_file) - -if not config.exists(base): - # Nothing to do - exit(0) - -### Migration of state policies -if config.exists(base + ['state-policy']): - for state in config.list_nodes(base + ['state-policy']): - action = config.return_value(base + ['state-policy', state, 'action']) - config.set(base + ['global-options', 'state-policy', state, 'action'], value=action) - if config.exists(base + ['state-policy', state, 'log']): - config.set(base + ['global-options', 'state-policy', state, 'log'], value='enable') - config.delete(base + ['state-policy']) - -## migration of global options: -for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv6-receive-redirects', 'ipv6-src-route', 'log-martians', - 'receive-redirects', 'resolver-cache', 'resolver-internal', 'send-redirects', 'source-validation', 'syn-cookies', 'twa-hazards-protection']: - if config.exists(base + [option]): - if option != 'config-trap': - val = config.return_value(base + [option]) - config.set(base + ['global-options', option], value=val) - config.delete(base + [option]) - -### Migration of firewall name and ipv6-name -### Also migrate legacy 'accept' behaviour -if config.exists(base + ['name']): - config.set(['firewall', 'ipv4', 'name']) - config.set_tag(['firewall', 'ipv4', 'name']) - - for ipv4name in config.list_nodes(base + ['name']): - config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name]) - - if config.exists(base + ['ipv4', 'name', ipv4name, 'default-action']): - action = config.return_value(base + ['ipv4', 
'name', ipv4name, 'default-action']) - - if action == 'accept': - config.set(base + ['ipv4', 'name', ipv4name, 'default-action'], value='return') - - if config.exists(base + ['ipv4', 'name', ipv4name, 'rule']): - for rule_id in config.list_nodes(base + ['ipv4', 'name', ipv4name, 'rule']): - action = config.return_value(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action']) + +def migrate(config: ConfigTree) -> None: + if not config.exists(base): + # Nothing to do + return + + ### Migration of state policies + if config.exists(base + ['state-policy']): + for state in config.list_nodes(base + ['state-policy']): + action = config.return_value(base + ['state-policy', state, 'action']) + config.set(base + ['global-options', 'state-policy', state, 'action'], value=action) + if config.exists(base + ['state-policy', state, 'log']): + config.set(base + ['global-options', 'state-policy', state, 'log'], value='enable') + config.delete(base + ['state-policy']) + + ## migration of global options: + for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv6-receive-redirects', 'ipv6-src-route', 'log-martians', + 'receive-redirects', 'resolver-cache', 'resolver-internal', 'send-redirects', 'source-validation', 'syn-cookies', 'twa-hazards-protection']: + if config.exists(base + [option]): + if option != 'config-trap': + val = config.return_value(base + [option]) + config.set(base + ['global-options', option], value=val) + config.delete(base + [option]) + + ### Migration of firewall name and ipv6-name + ### Also migrate legacy 'accept' behaviour + if config.exists(base + ['name']): + config.set(['firewall', 'ipv4', 'name']) + config.set_tag(['firewall', 'ipv4', 'name']) + + for ipv4name in config.list_nodes(base + ['name']): + config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name]) + + if config.exists(base + ['ipv4', 'name', ipv4name, 'default-action']): + action = config.return_value(base + ['ipv4', 'name', ipv4name, 
'default-action']) if action == 'accept': - config.set(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action'], value='return') + config.set(base + ['ipv4', 'name', ipv4name, 'default-action'], value='return') - config.delete(base + ['name']) + if config.exists(base + ['ipv4', 'name', ipv4name, 'rule']): + for rule_id in config.list_nodes(base + ['ipv4', 'name', ipv4name, 'rule']): + action = config.return_value(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action']) -if config.exists(base + ['ipv6-name']): - config.set(['firewall', 'ipv6', 'name']) - config.set_tag(['firewall', 'ipv6', 'name']) + if action == 'accept': + config.set(base + ['ipv4', 'name', ipv4name, 'rule', rule_id, 'action'], value='return') - for ipv6name in config.list_nodes(base + ['ipv6-name']): - config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'name', ipv6name]) + config.delete(base + ['name']) - if config.exists(base + ['ipv6', 'name', ipv6name, 'default-action']): - action = config.return_value(base + ['ipv6', 'name', ipv6name, 'default-action']) + if config.exists(base + ['ipv6-name']): + config.set(['firewall', 'ipv6', 'name']) + config.set_tag(['firewall', 'ipv6', 'name']) - if action == 'accept': - config.set(base + ['ipv6', 'name', ipv6name, 'default-action'], value='return') + for ipv6name in config.list_nodes(base + ['ipv6-name']): + config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'name', ipv6name]) - if config.exists(base + ['ipv6', 'name', ipv6name, 'rule']): - for rule_id in config.list_nodes(base + ['ipv6', 'name', ipv6name, 'rule']): - action = config.return_value(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action']) + if config.exists(base + ['ipv6', 'name', ipv6name, 'default-action']): + action = config.return_value(base + ['ipv6', 'name', ipv6name, 'default-action']) if action == 'accept': - config.set(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action'], value='return') - - config.delete(base + ['ipv6-name']) - -### 
Migration of firewall interface -if config.exists(base + ['interface']): - fwd_ipv4_rule = 5 - inp_ipv4_rule = 5 - fwd_ipv6_rule = 5 - inp_ipv6_rule = 5 - for direction in ['in', 'out', 'local']: - for iface in config.list_nodes(base + ['interface']): - if config.exists(base + ['interface', iface, direction]): - if config.exists(base + ['interface', iface, direction, 'name']): - target = config.return_value(base + ['interface', iface, direction, 'name']) - if direction == 'in': - # Add default-action== accept for compatibility reasons: - config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') - new_base = base + ['ipv4', 'forward', 'filter', 'rule'] - config.set(new_base) - config.set_tag(new_base) - config.set(new_base + [fwd_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface) - config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump') - config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target) - fwd_ipv4_rule = fwd_ipv4_rule + 5 - elif direction == 'out': - # Add default-action== accept for compatibility reasons: - config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') - new_base = base + ['ipv4', 'forward', 'filter', 'rule'] - config.set(new_base) - config.set_tag(new_base) - config.set(new_base + [fwd_ipv4_rule, 'outbound-interface', 'interface-name'], value=iface) - config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump') - config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target) - fwd_ipv4_rule = fwd_ipv4_rule + 5 - else: - # Add default-action== accept for compatibility reasons: - config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept') - new_base = base + ['ipv4', 'input', 'filter', 'rule'] - config.set(new_base) - config.set_tag(new_base) - config.set(new_base + [inp_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface) - config.set(new_base + [inp_ipv4_rule, 'action'], value='jump') - config.set(new_base + [inp_ipv4_rule, 
'jump-target'], value=target) - inp_ipv4_rule = inp_ipv4_rule + 5 - - if config.exists(base + ['interface', iface, direction, 'ipv6-name']): - target = config.return_value(base + ['interface', iface, direction, 'ipv6-name']) - if direction == 'in': - # Add default-action== accept for compatibility reasons: - config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept') - new_base = base + ['ipv6', 'forward', 'filter', 'rule'] - config.set(new_base) - config.set_tag(new_base) - config.set(new_base + [fwd_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface) - config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump') - config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target) - fwd_ipv6_rule = fwd_ipv6_rule + 5 - elif direction == 'out': - # Add default-action== accept for compatibility reasons: - config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept') - new_base = base + ['ipv6', 'forward', 'filter', 'rule'] - config.set(new_base) - config.set_tag(new_base) - config.set(new_base + [fwd_ipv6_rule, 'outbound-interface', 'interface-name'], value=iface) - config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump') - config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target) - fwd_ipv6_rule = fwd_ipv6_rule + 5 - else: - new_base = base + ['ipv6', 'input', 'filter', 'rule'] - # Add default-action== accept for compatibility reasons: - config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept') - config.set(new_base) - config.set_tag(new_base) - config.set(new_base + [inp_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface) - config.set(new_base + [inp_ipv6_rule, 'action'], value='jump') - config.set(new_base + [inp_ipv6_rule, 'jump-target'], value=target) - inp_ipv6_rule = inp_ipv6_rule + 5 - - config.delete(base + ['interface']) - -try: - with open(file_name, 'w') as f: - f.write(config.to_string()) -except OSError as e: - print("Failed to save the modified 
config: {}".format(e)) - exit(1) + config.set(base + ['ipv6', 'name', ipv6name, 'default-action'], value='return') + + if config.exists(base + ['ipv6', 'name', ipv6name, 'rule']): + for rule_id in config.list_nodes(base + ['ipv6', 'name', ipv6name, 'rule']): + action = config.return_value(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action']) + + if action == 'accept': + config.set(base + ['ipv6', 'name', ipv6name, 'rule', rule_id, 'action'], value='return') + + config.delete(base + ['ipv6-name']) + + ### Migration of firewall interface + if config.exists(base + ['interface']): + fwd_ipv4_rule = 5 + inp_ipv4_rule = 5 + fwd_ipv6_rule = 5 + inp_ipv6_rule = 5 + for direction in ['in', 'out', 'local']: + for iface in config.list_nodes(base + ['interface']): + if config.exists(base + ['interface', iface, direction]): + if config.exists(base + ['interface', iface, direction, 'name']): + target = config.return_value(base + ['interface', iface, direction, 'name']) + if direction == 'in': + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'forward', 'filter', 'rule'] + config.set(new_base) + config.set_tag(new_base) + config.set(new_base + [fwd_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface) + config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump') + config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target) + fwd_ipv4_rule = fwd_ipv4_rule + 5 + elif direction == 'out': + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'forward', 'filter', 'rule'] + config.set(new_base) + config.set_tag(new_base) + config.set(new_base + [fwd_ipv4_rule, 'outbound-interface', 'interface-name'], value=iface) + config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump') + config.set(new_base + [fwd_ipv4_rule, 
'jump-target'], value=target) + fwd_ipv4_rule = fwd_ipv4_rule + 5 + else: + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'input', 'filter', 'rule'] + config.set(new_base) + config.set_tag(new_base) + config.set(new_base + [inp_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface) + config.set(new_base + [inp_ipv4_rule, 'action'], value='jump') + config.set(new_base + [inp_ipv4_rule, 'jump-target'], value=target) + inp_ipv4_rule = inp_ipv4_rule + 5 + + if config.exists(base + ['interface', iface, direction, 'ipv6-name']): + target = config.return_value(base + ['interface', iface, direction, 'ipv6-name']) + if direction == 'in': + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv6', 'forward', 'filter', 'rule'] + config.set(new_base) + config.set_tag(new_base) + config.set(new_base + [fwd_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface) + config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump') + config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target) + fwd_ipv6_rule = fwd_ipv6_rule + 5 + elif direction == 'out': + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv6', 'forward', 'filter', 'rule'] + config.set(new_base) + config.set_tag(new_base) + config.set(new_base + [fwd_ipv6_rule, 'outbound-interface', 'interface-name'], value=iface) + config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump') + config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target) + fwd_ipv6_rule = fwd_ipv6_rule + 5 + else: + new_base = base + ['ipv6', 'input', 'filter', 'rule'] + # Add default-action== accept for compatibility reasons: + config.set(base + ['ipv6', 'input', 'filter', 
'default-action'], value='accept') + config.set(new_base) + config.set_tag(new_base) + config.set(new_base + [inp_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface) + config.set(new_base + [inp_ipv6_rule, 'action'], value='jump') + config.set(new_base + [inp_ipv6_rule, 'jump-target'], value=target) + inp_ipv6_rule = inp_ipv6_rule + 5 + + config.delete(base + ['interface']) diff --git a/src/migration-scripts/firewall/11-to-12 b/src/migration-scripts/firewall/11-to-12 index f9122e74c..80a74cca9 100755..100644 --- a/src/migration-scripts/firewall/11-to-12 +++ b/src/migration-scripts/firewall/11-to-12 
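Review bot: The new `migrate(config)` entry point has no docstring, and neither do the `migrate` functions introduced in 11-to-12, 12-to-13 and 13-to-14 in this same commit; nothing tells the loader's reader that the function edits `config` in place, returns nothing, and silently does nothing when `firewall` is absent. A four-line docstring stating that it migrates firewall 10 to 11 in place, that state-policy and the listed global options move under `global-options`, that `name`/`ipv6-name` become `ipv4 name`/`ipv6 name` with legacy `accept` rewritten to `return`, and that per-interface bindings become numbered jump rules under `forward`/`input filter`, would cover it. The global-options loop also deletes `config-trap` without copying it anywhere, which looks deliberate but is undocumented; one comment on the `if option != 'config-trap':` line makes that explicit: `# 'config-trap' has no global-options equivalent and is dropped`. The six near-identical `config.set(...)` groups in the interface block would read more easily as one small helper taking the family, hook, interface direction and rule counter, but that is a style choice rather than a defect.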
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
 #
-# Copyright (C) 2023-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
 # T5681: Firewall re-writing. Simplify cli when mathcing interface
 # From
@@ -22,50 +21,31 @@ # set firewall ... rule <rule> [inbound-interface | outboubd-interface] name <iface> # set firewall ... rule <rule> [inbound-interface | outboubd-interface] group <iface_group> -from sys import argv -from sys import exit - from vyos.configtree import ConfigTree -if len(argv) < 2: - print("Must specify file name!") - exit(1) - -file_name = argv[1] - -with open(file_name, 'r') as f: - config_file = f.read() - base = ['firewall'] -config = ConfigTree(config_file) - -if not config.exists(base): - # Nothing to do - exit(0) - -## Migration from base chains -#if config.exists(base + ['interface', iface, direction]): -for family in ['ipv4', 'ipv6']: - if config.exists(base + [family]): - for hook in ['forward', 'input', 'output', 'name']: - if config.exists(base + [family, hook]): - for priority in config.list_nodes(base + [family, hook]): - if config.exists(base + [family, hook, priority, 'rule']): - for rule in config.list_nodes(base + [family, hook, priority, 'rule']): - for direction in ['inbound-interface', 'outbound-interface']: - if config.exists(base + [family, hook, priority, 'rule', rule, direction]): - if config.exists(base + [family, hook, priority, 'rule', rule, direction, 'interface-name']): - iface = config.return_value(base + [family, hook, priority, 'rule', rule, direction, 'interface-name']) - config.set(base + [family, hook, priority, 'rule', rule, direction, 'name'], value=iface) - config.delete(base + [family, hook, priority, 'rule', rule, direction, 'interface-name']) - elif config.exists(base + [family, hook, priority, 'rule', rule, direction, 'interface-group']): - group = config.return_value(base + [family, hook, priority, 'rule', rule, direction, 'interface-group']) - config.set(base + [family, hook, priority, 'rule', rule, direction, 'group'], value=group) - config.delete(base + [family, hook, priority, 'rule', rule, direction, 'interface-group']) -try: - with open(file_name, 'w') as f: - f.write(config.to_string()) -except 
OSError as e: - print("Failed to save the modified config: {}".format(e)) - exit(1) +def migrate(config: ConfigTree) -> None: + if not config.exists(base): + # Nothing to do + return + + ## Migration from base chains + #if config.exists(base + ['interface', iface, direction]): + for family in ['ipv4', 'ipv6']: + if config.exists(base + [family]): + for hook in ['forward', 'input', 'output', 'name']: + if config.exists(base + [family, hook]): + for priority in config.list_nodes(base + [family, hook]): + if config.exists(base + [family, hook, priority, 'rule']): + for rule in config.list_nodes(base + [family, hook, priority, 'rule']): + for direction in ['inbound-interface', 'outbound-interface']: + if config.exists(base + [family, hook, priority, 'rule', rule, direction]): + if config.exists(base + [family, hook, priority, 'rule', rule, direction, 'interface-name']): + iface = config.return_value(base + [family, hook, priority, 'rule', rule, direction, 'interface-name']) + config.set(base + [family, hook, priority, 'rule', rule, direction, 'name'], value=iface) + config.delete(base + [family, hook, priority, 'rule', rule, direction, 'interface-name']) + elif config.exists(base + [family, hook, priority, 'rule', rule, direction, 'interface-group']): + group = config.return_value(base + [family, hook, priority, 'rule', rule, direction, 'interface-group']) + config.set(base + [family, hook, priority, 'rule', rule, direction, 'group'], value=group) + config.delete(base + [family, hook, priority, 'rule', rule, direction, 'interface-group']) diff --git a/src/migration-scripts/firewall/12-to-13 b/src/migration-scripts/firewall/12-to-13 index d72ba834d..d7b801cd3 100755..100644 --- a/src/migration-scripts/firewall/12-to-13 +++ b/src/migration-scripts/firewall/12-to-13 
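Review bot: The commented-out line `#if config.exists(base + ['interface', iface, direction]):` is carried into the body of the new `migrate`, where `iface` and `direction` are not even bound; it is dead code from an earlier draft and should be dropped rather than re-indented. If a comment is wanted at that spot, one that describes the rewrite is more useful: `# Rule-level interface-name/interface-group become name/group under inbound-/outbound-interface`. The `migrate` function itself would also benefit from a docstring saying it edits `config` in place and is a no-op when `firewall` is absent.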
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
 #
-# Copyright (C) 2023-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
 # T5729: Switch to valueless whenever is possible.
 # From
@@ -25,65 +24,46 @@ # set firewall ... rule <rule> state <state> # Remove command if log=disable or <state>=disable -from sys import argv -from sys import exit - from vyos.configtree import ConfigTree -if len(argv) < 2: - print("Must specify file name!") - exit(1) - -file_name = argv[1] - -with open(file_name, 'r') as f: - config_file = f.read() - base = ['firewall'] -config = ConfigTree(config_file) - -if not config.exists(base): - # Nothing to do - exit(0) -# State Policy logs: -if config.exists(base + ['global-options', 'state-policy']): - for state in config.list_nodes(base + ['global-options', 'state-policy']): - if config.exists(base + ['global-options', 'state-policy', state, 'log']): - log_value = config.return_value(base + ['global-options', 'state-policy', state, 'log']) - config.delete(base + ['global-options', 'state-policy', state, 'log']) - if log_value == 'enable': - config.set(base + ['global-options', 'state-policy', state, 'log']) +def migrate(config: ConfigTree) -> None: + if not config.exists(base): + # Nothing to do + return -for family in ['ipv4', 'ipv6', 'bridge']: - if config.exists(base + [family]): - for hook in ['forward', 'input', 'output', 'name']: - if config.exists(base + [family, hook]): - for priority in config.list_nodes(base + [family, hook]): - if config.exists(base + [family, hook, priority, 'rule']): - for rule in config.list_nodes(base + [family, hook, priority, 'rule']): - # Log - if config.exists(base + [family, hook, priority, 'rule', rule, 'log']): - log_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'log']) - config.delete(base + [family, hook, priority, 'rule', rule, 'log']) - if log_value == 'enable': - config.set(base + [family, hook, priority, 'rule', rule, 'log']) - # State - if config.exists(base + [family, hook, priority, 'rule', rule, 'state']): - flag_enable = 'False' - for state in ['established', 'invalid', 'new', 'related']: - if config.exists(base + [family, hook, priority, 'rule', 
rule, 'state', state]): - state_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'state', state]) - config.delete(base + [family, hook, priority, 'rule', rule, 'state', state]) - if state_value == 'enable': - config.set(base + [family, hook, priority, 'rule', rule, 'state'], value=state, replace=False) - flag_enable = 'True' - if flag_enable == 'False': - config.delete(base + [family, hook, priority, 'rule', rule, 'state']) + # State Policy logs: + if config.exists(base + ['global-options', 'state-policy']): + for state in config.list_nodes(base + ['global-options', 'state-policy']): + if config.exists(base + ['global-options', 'state-policy', state, 'log']): + log_value = config.return_value(base + ['global-options', 'state-policy', state, 'log']) + config.delete(base + ['global-options', 'state-policy', state, 'log']) + if log_value == 'enable': + config.set(base + ['global-options', 'state-policy', state, 'log']) -try: - with open(file_name, 'w') as f: - f.write(config.to_string()) -except OSError as e: - print("Failed to save the modified config: {}".format(e)) - exit(1) + for family in ['ipv4', 'ipv6', 'bridge']: + if config.exists(base + [family]): + for hook in ['forward', 'input', 'output', 'name']: + if config.exists(base + [family, hook]): + for priority in config.list_nodes(base + [family, hook]): + if config.exists(base + [family, hook, priority, 'rule']): + for rule in config.list_nodes(base + [family, hook, priority, 'rule']): + # Log + if config.exists(base + [family, hook, priority, 'rule', rule, 'log']): + log_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'log']) + config.delete(base + [family, hook, priority, 'rule', rule, 'log']) + if log_value == 'enable': + config.set(base + [family, hook, priority, 'rule', rule, 'log']) + # State + if config.exists(base + [family, hook, priority, 'rule', rule, 'state']): + flag_enable = 'False' + for state in ['established', 'invalid', 'new', 'related']: + 
if config.exists(base + [family, hook, priority, 'rule', rule, 'state', state]): + state_value = config.return_value(base + [family, hook, priority, 'rule', rule, 'state', state]) + config.delete(base + [family, hook, priority, 'rule', rule, 'state', state]) + if state_value == 'enable': + config.set(base + [family, hook, priority, 'rule', rule, 'state'], value=state, replace=False) + flag_enable = 'True' + if flag_enable == 'False': + config.delete(base + [family, hook, priority, 'rule', rule, 'state']) diff --git a/src/migration-scripts/firewall/13-to-14 b/src/migration-scripts/firewall/13-to-14 index f45ff0674..723b0aea2 100755..100644 --- a/src/migration-scripts/firewall/13-to-14 +++ b/src/migration-scripts/firewall/13-to-14 
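Review bot: In the state loop at the end of the new `migrate`, `flag_enable` is a string sentinel (`'False'`/`'True'`) that is later compared with `== 'False'`; a plain boolean says what is meant and removes the risk of a typo in the literal silently deleting every `state` node. The three lines become `flag_enable = False`, `flag_enable = True` and `if not flag_enable:`. The intent of that final branch, dropping a `state` node whose per-state children were all `disable`, is worth a one-line comment as well: `# No state was enabled: the now-empty state node goes too`.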
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
 #
-# Copyright (C) 2023 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
 # T5834: Rename 'enable-default-log' to 'default-log'
 # From
@@ -22,38 +21,19 @@ # set firewall ... filter default-log # set firewall ... name <name> default-log -from sys import argv -from sys import exit - from vyos.configtree import ConfigTree -if len(argv) < 2: - print("Must specify file name!") - exit(1) - -file_name = argv[1] - -with open(file_name, 'r') as f: - config_file = f.read() - base = ['firewall'] -config = ConfigTree(config_file) - -if not config.exists(base): - # Nothing to do - exit(0) - -for family in ['ipv4', 'ipv6', 'bridge']: - if config.exists(base + [family]): - for hook in ['forward', 'input', 'output', 'name']: - if config.exists(base + [family, hook]): - for priority in config.list_nodes(base + [family, hook]): - if config.exists(base + [family, hook, priority, 'enable-default-log']): - config.rename(base + [family, hook, priority, 'enable-default-log'], 'default-log') -try: - with open(file_name, 'w') as f: - f.write(config.to_string()) -except OSError as e: - print("Failed to save the modified config: {}".format(e)) - exit(1) +def migrate(config: ConfigTree) -> None: + if not config.exists(base): + # Nothing to do + return + + for family in ['ipv4', 'ipv6', 'bridge']: + if config.exists(base + [family]): + for hook in ['forward', 'input', 'output', 'name']: + if config.exists(base + [family, hook]): + for priority in config.list_nodes(base + [family, hook]): + if config.exists(base + [family, hook, priority, 'enable-default-log']): + config.rename(base + [family, hook, priority, 'enable-default-log'], 'default-log') diff --git a/src/migration-scripts/firewall/14-to-15 b/src/migration-scripts/firewall/14-to-15 index 735839365..e4a2aaee4 100755..100644 --- a/src/migration-scripts/firewall/14-to-15 +++ b/src/migration-scripts/firewall/14-to-15 
@@ -1,46 +1,25 @@ -#!/usr/bin/env python3 +# Copyright 2024 VyOS maintainers and contributors <maintainers@vyos.io> # -# Copyright (C) 2022-2024 VyOS maintainers and contributors +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. # -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, +# This library is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. # -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# You should have received a copy of the GNU Lesser General Public License +# along with this library. If not, see <http://www.gnu.org/licenses/>. 
# T5535: Migrate <set system ip disable-directed-broadcast> to <set firewall global-options directed-broadcas [enable|disable]
-from sys import argv
-from sys import exit
-
 from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
-config = ConfigTree(config_file)
-
 base = ['firewall']
-if config.exists(['system', 'ip', 'disable-directed-broadcast']):
- config.set(['firewall', 'global-options', 'directed-broadcast'], value='disable')
- config.delete(['system', 'ip', 'disable-directed-broadcast'])
-
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
\ No newline at end of file
+def migrate(config: ConfigTree) -> None:
+ if config.exists(['system', 'ip', 'disable-directed-broadcast']):
+ config.set(['firewall', 'global-options', 'directed-broadcast'], value='disable')
+ config.delete(['system', 'ip', 'disable-directed-broadcast'])
diff --git a/src/migration-scripts/firewall/15-to-16 b/src/migration-scripts/firewall/15-to-16
index 28df1256e..8e28bba6f 100755..100644
--- a/src/migration-scripts/firewall/15-to-16
+++ b/src/migration-scripts/firewall/15-to-16
@@ -18,39 +18,20 @@
 # from: set system conntrack timeout ..
 # to: set firewall global-options timeout ...
-from sys import argv
-from sys import exit
-
 from vyos.configtree import ConfigTree
-if len(argv) < 2:
- print("Must specify file name!")
- exit(1)
-
-file_name = argv[1]
-
-with open(file_name, 'r') as f:
- config_file = f.read()
-
 firewall_base = ['firewall', 'global-options']
 conntrack_base = ['system', 'conntrack', 'timeout']
-config = ConfigTree(config_file)
-
-if not config.exists(conntrack_base):
- # Nothing to do
- exit(0)
-for protocol in ['icmp', 'tcp', 'udp', 'other']:
- if config.exists(conntrack_base + [protocol]):
- if not config.exists(firewall_base + ['timeout']):
- config.set(firewall_base + ['timeout'])
+def migrate(config: ConfigTree) -> None:
+ if not config.exists(conntrack_base):
+ # Nothing to do
+ return
- config.copy(conntrack_base + [protocol], firewall_base + ['timeout', protocol])
- config.delete(conntrack_base + [protocol])
+ for protocol in ['icmp', 'tcp', 'udp', 'other']:
+ if config.exists(conntrack_base + [protocol]):
+ if not config.exists(firewall_base + ['timeout']):
+ config.set(firewall_base + ['timeout'])
-try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
-except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+ config.copy(conntrack_base + [protocol], firewall_base + ['timeout', protocol])
+ config.delete(conntrack_base + [protocol])
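Review bot: `base = ['firewall']` survives as a module-level name in this hunk, but the new `migrate` never reads it; the target path is spelled out literally as `['firewall', 'global-options', 'directed-broadcast']`. Either drop `base` or derive the path from it, e.g. `config.set(base + ['global-options', 'directed-broadcast'], value='disable')`, so the two cannot drift apart. A one-line docstring such as `"""Move 'system ip disable-directed-broadcast' to 'firewall global-options directed-broadcast disable'."""` would also help, since the file's only statement of intent is the T5535 comment above.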
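Review bot: After the loop in the new `migrate` the `system conntrack timeout` node itself is never removed, so a config whose only children there were `icmp`, `tcp`, `udp` or `other` may be left with an empty `conntrack_base` node once all of them are copied out. Whether ConfigTree serialises such an empty node I cannot tell from this hunk, but if it does, a trailing `if not config.list_nodes(conntrack_base): config.delete(conntrack_base)` would leave the migrated config clean. A docstring like `"""Move per-protocol conntrack timeouts from 'system conntrack timeout' to 'firewall global-options timeout'."""` would also be welcome.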
diff --git a/src/migration-scripts/firewall/5-to-6 b/src/migration-scripts/firewall/5-to-6
index e1eaea7a1..d01684787 100755..100644
--- a/src/migration-scripts/firewall/5-to-6
+++ b/src/migration-scripts/firewall/5-to-6
@@ -1,105 +1,85 @@ -#!/usr/bin/env python3 +# Copyright 2021-2024 VyOS maintainers and contributors <maintainers@vyos.io> # -# Copyright (C) 2021 VyOS maintainers and contributors +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. # -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, +# This library is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. # -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# You should have received a copy of the GNU Lesser General Public License +# along with this library. If not, see <http://www.gnu.org/licenses/>. # T3090: migrate "firewall options interface <name> adjust-mss" to the # individual interface. 
-from sys import argv -from sys import exit - from vyos.configtree import ConfigTree from vyos.ifconfig import Section -if len(argv) < 2: - print("Must specify file name!") - exit(1) - -file_name = argv[1] - -with open(file_name, 'r') as f: - config_file = f.read() - base = ['firewall', 'options', 'interface'] -config = ConfigTree(config_file) - -if not config.exists(base): - # Nothing to do - exit(0) - -for interface in config.list_nodes(base): - if config.exists(base + [interface, 'disable']): - continue - if config.exists(base + [interface, 'adjust-mss']): - section = Section.section(interface) - tmp = config.return_value(base + [interface, 'adjust-mss']) - - vlan = interface.split('.') - base_interface_path = ['interfaces', section, vlan[0]] - - if len(vlan) == 1: - # Normal interface, no VLAN - config.set(base_interface_path + ['ip', 'adjust-mss'], value=tmp) - elif len(vlan) == 2: - # Regular VIF or VIF-S interface - we need to check the config - vif = vlan[1] - if config.exists(base_interface_path + ['vif', vif]): - config.set(base_interface_path + ['vif', vif, 'ip', 'adjust-mss'], value=tmp) - elif config.exists(base_interface_path + ['vif-s', vif]): - config.set(base_interface_path + ['vif-s', vif, 'ip', 'adjust-mss'], value=tmp) - elif len(vlan) == 3: - # VIF-S interface with VIF-C subinterface - vif_s = vlan[1] - vif_c = vlan[2] - config.set(base_interface_path + ['vif-s', vif_s, 'vif-c', vif_c, 'ip', 'adjust-mss'], value=tmp) - config.set_tag(base_interface_path + ['vif-s']) - config.set_tag(base_interface_path + ['vif-s', vif_s, 'vif-c']) - - if config.exists(base + [interface, 'adjust-mss6']): - section = Section.section(interface) - tmp = config.return_value(base + [interface, 'adjust-mss6']) - - vlan = interface.split('.') - base_interface_path = ['interfaces', section, vlan[0]] - - if len(vlan) == 1: - # Normal interface, no VLAN - config.set(['interfaces', section, interface, 'ipv6', 'adjust-mss'], value=tmp) - elif len(vlan) == 2: - # Regular VIF 
or VIF-S interface - we need to check the config - vif = vlan[1] - if config.exists(base_interface_path + ['vif', vif]): - config.set(base_interface_path + ['vif', vif, 'ipv6', 'adjust-mss'], value=tmp) - config.set_tag(base_interface_path + ['vif']) - elif config.exists(base_interface_path + ['vif-s', vif]): - config.set(base_interface_path + ['vif-s', vif, 'ipv6', 'adjust-mss'], value=tmp) +def migrate(config: ConfigTree) -> None: + if not config.exists(base): + # Nothing to do + return + + for interface in config.list_nodes(base): + if config.exists(base + [interface, 'disable']): + continue + + if config.exists(base + [interface, 'adjust-mss']): + section = Section.section(interface) + tmp = config.return_value(base + [interface, 'adjust-mss']) + + vlan = interface.split('.') + base_interface_path = ['interfaces', section, vlan[0]] + + if len(vlan) == 1: + # Normal interface, no VLAN + config.set(base_interface_path + ['ip', 'adjust-mss'], value=tmp) + elif len(vlan) == 2: + # Regular VIF or VIF-S interface - we need to check the config + vif = vlan[1] + if config.exists(base_interface_path + ['vif', vif]): + config.set(base_interface_path + ['vif', vif, 'ip', 'adjust-mss'], value=tmp) + elif config.exists(base_interface_path + ['vif-s', vif]): + config.set(base_interface_path + ['vif-s', vif, 'ip', 'adjust-mss'], value=tmp) + elif len(vlan) == 3: + # VIF-S interface with VIF-C subinterface + vif_s = vlan[1] + vif_c = vlan[2] + config.set(base_interface_path + ['vif-s', vif_s, 'vif-c', vif_c, 'ip', 'adjust-mss'], value=tmp) config.set_tag(base_interface_path + ['vif-s']) - elif len(vlan) == 3: - # VIF-S interface with VIF-C subinterface - vif_s = vlan[1] - vif_c = vlan[2] - config.set(base_interface_path + ['vif-s', vif_s, 'vif-c', vif_c, 'ipv6', 'adjust-mss'], value=tmp) - config.set_tag(base_interface_path + ['vif-s']) - config.set_tag(base_interface_path + ['vif-s', vif_s, 'vif-c']) - -config.delete(['firewall', 'options']) + 
config.set_tag(base_interface_path + ['vif-s', vif_s, 'vif-c']) + + if config.exists(base + [interface, 'adjust-mss6']): + section = Section.section(interface) + tmp = config.return_value(base + [interface, 'adjust-mss6']) + + vlan = interface.split('.') + base_interface_path = ['interfaces', section, vlan[0]] + + if len(vlan) == 1: + # Normal interface, no VLAN + config.set(['interfaces', section, interface, 'ipv6', 'adjust-mss'], value=tmp) + elif len(vlan) == 2: + # Regular VIF or VIF-S interface - we need to check the config + vif = vlan[1] + if config.exists(base_interface_path + ['vif', vif]): + config.set(base_interface_path + ['vif', vif, 'ipv6', 'adjust-mss'], value=tmp) + config.set_tag(base_interface_path + ['vif']) + elif config.exists(base_interface_path + ['vif-s', vif]): + config.set(base_interface_path + ['vif-s', vif, 'ipv6', 'adjust-mss'], value=tmp) + config.set_tag(base_interface_path + ['vif-s']) + elif len(vlan) == 3: + # VIF-S interface with VIF-C subinterface + vif_s = vlan[1] + vif_c = vlan[2] + config.set(base_interface_path + ['vif-s', vif_s, 'vif-c', vif_c, 'ipv6', 'adjust-mss'], value=tmp) + config.set_tag(base_interface_path + ['vif-s']) + config.set_tag(base_interface_path + ['vif-s', vif_s, 'vif-c']) -try: - with open(file_name, 'w') as f: - f.write(config.to_string()) -except OSError as e: - print("Failed to save the modified config: {}".format(e)) - exit(1) + config.delete(['firewall', 'options']) diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7 index 938044c6d..1afbc780b 100755..100644 --- a/src/migration-scripts/firewall/6-to-7 +++ b/src/migration-scripts/firewall/6-to-7 
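Review bot: In both `len(vlan) == 2` branches of the new `migrate` (the `adjust-mss` and the `adjust-mss6` sections) a sub-interface that exists under neither `vif` nor `vif-s` falls through every `elif`, and its value is then lost when `config.delete(['firewall', 'options'])` runs at the end of the function; the old script behaved the same way, but moving the code into a function is the moment to state it, e.g. `# no vif/vif-s node for this sub-interface: the adjust-mss value is dropped with 'firewall options' below` before each `elif len(vlan) == 3` line. The two sections also disagree in small ways that look accidental: the `adjust-mss6` branch calls `config.set_tag` on `vif`/`vif-s` nodes whose existence was just checked while the `adjust-mss` branch does not, and its `len(vlan) == 1` case builds `['interfaces', section, interface, ...]` instead of reusing `base_interface_path`. Since the sections differ only in `'ip'` versus `'ipv6'` and the source node name, a private helper taking the option name and the address-family key would remove the duplication and make the tag handling agree by construction.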
@@ -1,18 +1,17 @@ -#!/usr/bin/env python3 +# Copyright 2021-2024 VyOS maintainers and contributors <maintainers@vyos.io> # -# Copyright (C) 2021-2024 VyOS maintainers and contributors +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. # -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, +# This library is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. # -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# You should have received a copy of the GNU Lesser General Public License +# along with this library. If not, see <http://www.gnu.org/licenses/>. # T2199: Remove unavailable nodes due to XML/Python implementation using nftables # monthdays: nftables does not have a monthdays equivalent @@ -23,28 +22,11 @@ import re -from sys import argv -from sys import exit - from vyos.configtree import ConfigTree -if len(argv) < 2: - print("Must specify file name!") - exit(1) - -file_name = argv[1] - -with open(file_name, 'r') as f: - config_file = f.read() - max_len_description = 255 base = ['firewall'] -config = ConfigTree(config_file) - -if not config.exists(base): - # Nothing to do - exit(0) icmp_remove = ['any'] icmp_translations = { 
@@ -107,216 +89,216 @@ icmpv6_translations = { 'unknown-option': [4, 2] } -v4_found = False -v6_found = False v4_groups = ["address-group", "network-group", "port-group"] v6_groups = ["ipv6-address-group", "ipv6-network-group", "port-group"] -translated_dict = {} -if config.exists(base + ['group']): - for group_type in config.list_nodes(base + ['group']): - for group_name in config.list_nodes(base + ['group', group_type]): - name_description = base + ['group', group_type, group_name, 'description'] +def migrate(config: ConfigTree) -> None: + if not config.exists(base): + # Nothing to do + return + + v4_found = False + v6_found = False + translated_dict = {} + + if config.exists(base + ['group']): + for group_type in config.list_nodes(base + ['group']): + for group_name in config.list_nodes(base + ['group', group_type]): + name_description = base + ['group', group_type, group_name, 'description'] + if config.exists(name_description): + tmp = config.return_value(name_description) + config.set(name_description, value=tmp[:max_len_description]) + if '+' in group_name: + replacement_string = "_" + if group_type in v4_groups and not v4_found: + v4_found = True + if group_type in v6_groups and not v6_found: + v6_found = True + new_group_name = group_name.replace('+', replacement_string) + while config.exists(base + ['group', group_type, new_group_name]): + replacement_string = replacement_string + "_" + new_group_name = group_name.replace('+', replacement_string) + translated_dict[group_name] = new_group_name + config.copy(base + ['group', group_type, group_name], base + ['group', group_type, new_group_name]) + config.delete(base + ['group', group_type, group_name]) + + if config.exists(base + ['name']): + for name in config.list_nodes(base + ['name']): + name_description = base + ['name', name, 'description'] if config.exists(name_description): tmp = config.return_value(name_description) config.set(name_description, value=tmp[:max_len_description]) - if '+' in 
group_name: - replacement_string = "_" - if group_type in v4_groups and not v4_found: - v4_found = True - if group_type in v6_groups and not v6_found: - v6_found = True - new_group_name = group_name.replace('+', replacement_string) - while config.exists(base + ['group', group_type, new_group_name]): - replacement_string = replacement_string + "_" - new_group_name = group_name.replace('+', replacement_string) - translated_dict[group_name] = new_group_name - config.copy(base + ['group', group_type, group_name], base + ['group', group_type, new_group_name]) - config.delete(base + ['group', group_type, group_name]) - -if config.exists(base + ['name']): - for name in config.list_nodes(base + ['name']): - name_description = base + ['name', name, 'description'] - if config.exists(name_description): - tmp = config.return_value(name_description) - config.set(name_description, value=tmp[:max_len_description]) - - if not config.exists(base + ['name', name, 'rule']): - continue - - for rule in config.list_nodes(base + ['name', name, 'rule']): - rule_description = base + ['name', name, 'rule', rule, 'description'] - if config.exists(rule_description): - tmp = config.return_value(rule_description) - config.set(rule_description, value=tmp[:max_len_description]) - - rule_recent = base + ['name', name, 'rule', rule, 'recent'] - rule_time = base + ['name', name, 'rule', rule, 'time'] - rule_tcp_flags = base + ['name', name, 'rule', rule, 'tcp', 'flags'] - rule_icmp = base + ['name', name, 'rule', rule, 'icmp'] - - if config.exists(rule_time + ['monthdays']): - config.delete(rule_time + ['monthdays']) - - if config.exists(rule_time + ['utc']): - config.delete(rule_time + ['utc']) - - if config.exists(rule_recent + ['time']): - tmp = int(config.return_value(rule_recent + ['time'])) - unit = 'minute' - if tmp > 600: - unit = 'hour' - elif tmp < 10: - unit = 'second' - config.set(rule_recent + ['time'], value=unit) - - if config.exists(rule_tcp_flags): - tmp = 
config.return_value(rule_tcp_flags) - config.delete(rule_tcp_flags) - for flag in tmp.split(","): - if flag[0] == '!': - config.set(rule_tcp_flags + ['not', flag[1:].lower()]) - else: - config.set(rule_tcp_flags + [flag.lower()]) - - if config.exists(rule_icmp + ['type-name']): - tmp = config.return_value(rule_icmp + ['type-name']) - if tmp in icmp_remove: - config.delete(rule_icmp + ['type-name']) - elif tmp in icmp_translations: - translate = icmp_translations[tmp] - if isinstance(translate, str): - config.set(rule_icmp + ['type-name'], value=translate) - elif isinstance(translate, list): + + if not config.exists(base + ['name', name, 'rule']): + continue + + for rule in config.list_nodes(base + ['name', name, 'rule']): + rule_description = base + ['name', name, 'rule', rule, 'description'] + if config.exists(rule_description): + tmp = config.return_value(rule_description) + config.set(rule_description, value=tmp[:max_len_description]) + + rule_recent = base + ['name', name, 'rule', rule, 'recent'] + rule_time = base + ['name', name, 'rule', rule, 'time'] + rule_tcp_flags = base + ['name', name, 'rule', rule, 'tcp', 'flags'] + rule_icmp = base + ['name', name, 'rule', rule, 'icmp'] + + if config.exists(rule_time + ['monthdays']): + config.delete(rule_time + ['monthdays']) + + if config.exists(rule_time + ['utc']): + config.delete(rule_time + ['utc']) + + if config.exists(rule_recent + ['time']): + tmp = int(config.return_value(rule_recent + ['time'])) + unit = 'minute' + if tmp > 600: + unit = 'hour' + elif tmp < 10: + unit = 'second' + config.set(rule_recent + ['time'], value=unit) + + if config.exists(rule_tcp_flags): + tmp = config.return_value(rule_tcp_flags) + config.delete(rule_tcp_flags) + for flag in tmp.split(","): + if flag[0] == '!': + config.set(rule_tcp_flags + ['not', flag[1:].lower()]) + else: + config.set(rule_tcp_flags + [flag.lower()]) + + if config.exists(rule_icmp + ['type-name']): + tmp = config.return_value(rule_icmp + ['type-name']) + if 
tmp in icmp_remove: config.delete(rule_icmp + ['type-name']) - config.set(rule_icmp + ['type'], value=translate[0]) - config.set(rule_icmp + ['code'], value=translate[1]) - - for direction in ['destination', 'source']: - if config.exists(base + ['name', name, 'rule', rule, direction]): - if config.exists(base + ['name', name, 'rule', rule, direction, 'group']) and v4_found: - for group_type in config.list_nodes(base + ['name', name, 'rule', rule, direction, 'group']): - group_name = config.return_value(base + ['name', name, 'rule', rule, direction, 'group', group_type]) - if '+' in group_name: - if group_name[0] == "!": - new_group_name = "!" + translated_dict[group_name[1:]] - else: - new_group_name = translated_dict[group_name] - config.set(base + ['name', name, 'rule', rule, direction, 'group', group_type], value=new_group_name) - - pg_base = base + ['name', name, 'rule', rule, direction, 'group', 'port-group'] - proto_base = base + ['name', name, 'rule', rule, 'protocol'] - if config.exists(pg_base) and not config.exists(proto_base): - config.set(proto_base, value='tcp_udp') - - if '+' in name: - replacement_string = "_" - new_name = name.replace('+', replacement_string) - while config.exists(base + ['name', new_name]): - replacement_string = replacement_string + "_" + elif tmp in icmp_translations: + translate = icmp_translations[tmp] + if isinstance(translate, str): + config.set(rule_icmp + ['type-name'], value=translate) + elif isinstance(translate, list): + config.delete(rule_icmp + ['type-name']) + config.set(rule_icmp + ['type'], value=translate[0]) + config.set(rule_icmp + ['code'], value=translate[1]) + + for direction in ['destination', 'source']: + if config.exists(base + ['name', name, 'rule', rule, direction]): + if config.exists(base + ['name', name, 'rule', rule, direction, 'group']) and v4_found: + for group_type in config.list_nodes(base + ['name', name, 'rule', rule, direction, 'group']): + group_name = config.return_value(base + ['name', name, 
'rule', rule, direction, 'group', group_type]) + if '+' in group_name: + if group_name[0] == "!": + new_group_name = "!" + translated_dict[group_name[1:]] + else: + new_group_name = translated_dict[group_name] + config.set(base + ['name', name, 'rule', rule, direction, 'group', group_type], value=new_group_name) + + pg_base = base + ['name', name, 'rule', rule, direction, 'group', 'port-group'] + proto_base = base + ['name', name, 'rule', rule, 'protocol'] + if config.exists(pg_base) and not config.exists(proto_base): + config.set(proto_base, value='tcp_udp') + + if '+' in name: + replacement_string = "_" new_name = name.replace('+', replacement_string) - config.copy(base + ['name', name], base + ['name', new_name]) - config.delete(base + ['name', name]) - -if config.exists(base + ['ipv6-name']): - for name in config.list_nodes(base + ['ipv6-name']): - name_description = base + ['ipv6-name', name, 'description'] - if config.exists(name_description): - tmp = config.return_value(name_description) - config.set(name_description, value=tmp[:max_len_description]) - - if not config.exists(base + ['ipv6-name', name, 'rule']): - continue - - for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']): - rule_description = base + ['ipv6-name', name, 'rule', rule, 'description'] - if config.exists(rule_description): - tmp = config.return_value(rule_description) - config.set(rule_description, value=tmp[:max_len_description]) - - rule_recent = base + ['ipv6-name', name, 'rule', rule, 'recent'] - rule_time = base + ['ipv6-name', name, 'rule', rule, 'time'] - rule_tcp_flags = base + ['ipv6-name', name, 'rule', rule, 'tcp', 'flags'] - rule_icmp = base + ['ipv6-name', name, 'rule', rule, 'icmpv6'] - - if config.exists(rule_time + ['monthdays']): - config.delete(rule_time + ['monthdays']) - - if config.exists(rule_time + ['utc']): - config.delete(rule_time + ['utc']) - - if config.exists(rule_recent + ['time']): - tmp = int(config.return_value(rule_recent + ['time'])) - unit = 
'minute' - if tmp > 600: - unit = 'hour' - elif tmp < 10: - unit = 'second' - config.set(rule_recent + ['time'], value=unit) - - if config.exists(rule_tcp_flags): - tmp = config.return_value(rule_tcp_flags) - config.delete(rule_tcp_flags) - for flag in tmp.split(","): - if flag[0] == '!': - config.set(rule_tcp_flags + ['not', flag[1:].lower()]) - else: - config.set(rule_tcp_flags + [flag.lower()]) - - if config.exists(base + ['ipv6-name', name, 'rule', rule, 'protocol']): - tmp = config.return_value(base + ['ipv6-name', name, 'rule', rule, 'protocol']) - if tmp == 'icmpv6': - config.set(base + ['ipv6-name', name, 'rule', rule, 'protocol'], value='ipv6-icmp') - - if config.exists(rule_icmp + ['type']): - tmp = config.return_value(rule_icmp + ['type']) - type_code_match = re.match(r'^(\d+)(?:/(\d+))?$', tmp) - - if type_code_match: - config.set(rule_icmp + ['type'], value=type_code_match[1]) - if type_code_match[2]: - config.set(rule_icmp + ['code'], value=type_code_match[2]) - elif tmp in icmpv6_remove: - config.delete(rule_icmp + ['type']) - elif tmp in icmpv6_translations: - translate = icmpv6_translations[tmp] - if isinstance(translate, str): + while config.exists(base + ['name', new_name]): + replacement_string = replacement_string + "_" + new_name = name.replace('+', replacement_string) + config.copy(base + ['name', name], base + ['name', new_name]) + config.delete(base + ['name', name]) + + if config.exists(base + ['ipv6-name']): + for name in config.list_nodes(base + ['ipv6-name']): + name_description = base + ['ipv6-name', name, 'description'] + if config.exists(name_description): + tmp = config.return_value(name_description) + config.set(name_description, value=tmp[:max_len_description]) + + if not config.exists(base + ['ipv6-name', name, 'rule']): + continue + + for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']): + rule_description = base + ['ipv6-name', name, 'rule', rule, 'description'] + if config.exists(rule_description): + tmp = 
config.return_value(rule_description) + config.set(rule_description, value=tmp[:max_len_description]) + + rule_recent = base + ['ipv6-name', name, 'rule', rule, 'recent'] + rule_time = base + ['ipv6-name', name, 'rule', rule, 'time'] + rule_tcp_flags = base + ['ipv6-name', name, 'rule', rule, 'tcp', 'flags'] + rule_icmp = base + ['ipv6-name', name, 'rule', rule, 'icmpv6'] + + if config.exists(rule_time + ['monthdays']): + config.delete(rule_time + ['monthdays']) + + if config.exists(rule_time + ['utc']): + config.delete(rule_time + ['utc']) + + if config.exists(rule_recent + ['time']): + tmp = int(config.return_value(rule_recent + ['time'])) + unit = 'minute' + if tmp > 600: + unit = 'hour' + elif tmp < 10: + unit = 'second' + config.set(rule_recent + ['time'], value=unit) + + if config.exists(rule_tcp_flags): + tmp = config.return_value(rule_tcp_flags) + config.delete(rule_tcp_flags) + for flag in tmp.split(","): + if flag[0] == '!': + config.set(rule_tcp_flags + ['not', flag[1:].lower()]) + else: + config.set(rule_tcp_flags + [flag.lower()]) + + if config.exists(base + ['ipv6-name', name, 'rule', rule, 'protocol']): + tmp = config.return_value(base + ['ipv6-name', name, 'rule', rule, 'protocol']) + if tmp == 'icmpv6': + config.set(base + ['ipv6-name', name, 'rule', rule, 'protocol'], value='ipv6-icmp') + + if config.exists(rule_icmp + ['type']): + tmp = config.return_value(rule_icmp + ['type']) + type_code_match = re.match(r'^(\d+)(?:/(\d+))?$', tmp) + + if type_code_match: + config.set(rule_icmp + ['type'], value=type_code_match[1]) + if type_code_match[2]: + config.set(rule_icmp + ['code'], value=type_code_match[2]) + elif tmp in icmpv6_remove: config.delete(rule_icmp + ['type']) - config.set(rule_icmp + ['type-name'], value=translate) - elif isinstance(translate, list): - config.set(rule_icmp + ['type'], value=translate[0]) - config.set(rule_icmp + ['code'], value=translate[1]) - else: - config.rename(rule_icmp + ['type'], 'type-name') - - for direction in 
['destination', 'source']: - if config.exists(base + ['ipv6-name', name, 'rule', rule, direction]): - if config.exists(base + ['ipv6-name', name, 'rule', rule, direction, 'group']) and v6_found: - for group_type in config.list_nodes(base + ['ipv6-name', name, 'rule', rule, direction, 'group']): - group_name = config.return_value(base + ['ipv6-name', name, 'rule', rule, direction, 'group', group_type]) - if '+' in group_name: - if group_name[0] == "!": - new_group_name = "!" + translated_dict[group_name[1:]] - else: - new_group_name = translated_dict[group_name] - config.set(base + ['ipv6-name', name, 'rule', rule, direction, 'group', group_type], value=new_group_name) - - pg_base = base + ['ipv6-name', name, 'rule', rule, direction, 'group', 'port-group'] - proto_base = base + ['ipv6-name', name, 'rule', rule, 'protocol'] - if config.exists(pg_base) and not config.exists(proto_base): - config.set(proto_base, value='tcp_udp') - - if '+' in name: - replacement_string = "_" - new_name = name.replace('+', replacement_string) - while config.exists(base + ['ipv6-name', new_name]): - replacement_string = replacement_string + "_" + elif tmp in icmpv6_translations: + translate = icmpv6_translations[tmp] + if isinstance(translate, str): + config.delete(rule_icmp + ['type']) + config.set(rule_icmp + ['type-name'], value=translate) + elif isinstance(translate, list): + config.set(rule_icmp + ['type'], value=translate[0]) + config.set(rule_icmp + ['code'], value=translate[1]) + else: + config.rename(rule_icmp + ['type'], 'type-name') + + for direction in ['destination', 'source']: + if config.exists(base + ['ipv6-name', name, 'rule', rule, direction]): + if config.exists(base + ['ipv6-name', name, 'rule', rule, direction, 'group']) and v6_found: + for group_type in config.list_nodes(base + ['ipv6-name', name, 'rule', rule, direction, 'group']): + group_name = config.return_value(base + ['ipv6-name', name, 'rule', rule, direction, 'group', group_type]) + if '+' in group_name: + 
if group_name[0] == "!": + new_group_name = "!" + translated_dict[group_name[1:]] + else: + new_group_name = translated_dict[group_name] + config.set(base + ['ipv6-name', name, 'rule', rule, direction, 'group', group_type], value=new_group_name) + + pg_base = base + ['ipv6-name', name, 'rule', rule, direction, 'group', 'port-group'] + proto_base = base + ['ipv6-name', name, 'rule', rule, 'protocol'] + if config.exists(pg_base) and not config.exists(proto_base): + config.set(proto_base, value='tcp_udp') + + if '+' in name: + replacement_string = "_" new_name = name.replace('+', replacement_string) - config.copy(base + ['ipv6-name', name], base + ['ipv6-name', new_name]) - config.delete(base + ['ipv6-name', name]) -try: - with open(file_name, 'w') as f: - f.write(config.to_string()) -except OSError as e: - print("Failed to save the modified config: {}".format(e)) - exit(1) + while config.exists(base + ['ipv6-name', new_name]): + replacement_string = replacement_string + "_" + new_name = name.replace('+', replacement_string) + config.copy(base + ['ipv6-name', name], base + ['ipv6-name', new_name]) + config.delete(base + ['ipv6-name', name]) diff --git a/src/migration-scripts/firewall/7-to-8 b/src/migration-scripts/firewall/7-to-8 index bbaba113a..f46994ce2 100755..100644 --- a/src/migration-scripts/firewall/7-to-8 +++ b/src/migration-scripts/firewall/7-to-8 
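Review bot: The `translated_dict[group_name[1:]]` and `translated_dict[group_name]` lookups in the `for direction in ['destination', 'source']` loops (once under `name`, once under `ipv6-name`) raise `KeyError` for a rule that references a '+' group not present under `firewall group`, which aborts the whole migration instead of leaving the reference as it was; `translated_dict.get(group_name[1:], group_name[1:])` and `translated_dict.get(group_name, group_name)` would keep the old name for an unknown group, if failing loudly is not the intent. Relatedly, `flag[0] == '!'` in the tcp-flags loops indexes an empty element when the stored value has a trailing comma, so an `if not flag: continue` guard before it is cheap insurance. The function is about two hundred lines and the `name` and `ipv6-name` sections are near-identical apart from the tree key and the `icmp`/`icmpv6` handling; extracting a private helper per section would let the two group-translation paths share one implementation. A docstring stating what the function drops (`monthdays`, `utc`, the `icmp_remove` type names) and what it renames would also be welcome.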
@@ -1,43 +1,25 @@
-#!/usr/bin/env python3
+# Copyright 2022-2024 VyOS maintainers and contributors <maintainers@vyos.io>
 #
-# Copyright (C) 2022-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
# T2199: Migrate interface firewall nodes to firewall interfaces <ifname> <direction> name/ipv6-name <name> # T2199: Migrate zone-policy to firewall node -from sys import argv -from sys import exit - from vyos.configtree import ConfigTree -if len(argv) < 2: - print("Must specify file name!") - exit(1) - -file_name = argv[1] - -with open(file_name, 'r') as f: - config_file = f.read() - base = ['firewall'] zone_base = ['zone-policy'] -config = ConfigTree(config_file) - -if not config.exists(base) and not config.exists(zone_base): - # Nothing to do - exit(0) def migrate_interface(config, iftype, ifname, vif=None, vifs=None, vifc=None): if_path = ['interfaces', iftype, ifname] 
@@ -63,33 +45,31 @@ def migrate_interface(config, iftype, ifname, vif=None, vifs=None, vifc=None): config.copy(if_path + ['firewall'], ['firewall', 'interface', ifname_full]) config.delete(if_path + ['firewall']) -for iftype in config.list_nodes(['interfaces']): - for ifname in config.list_nodes(['interfaces', iftype]): - migrate_interface(config, iftype, ifname) +def migrate(config: ConfigTree) -> None: + if not config.exists(base) and not config.exists(zone_base): + # Nothing to do + return - if config.exists(['interfaces', iftype, ifname, 'vif']): - for vif in config.list_nodes(['interfaces', iftype, ifname, 'vif']): - migrate_interface(config, iftype, ifname, vif=vif) + for iftype in config.list_nodes(['interfaces']): + for ifname in config.list_nodes(['interfaces', iftype]): + migrate_interface(config, iftype, ifname) - if config.exists(['interfaces', iftype, ifname, 'vif-s']): - for vifs in config.list_nodes(['interfaces', iftype, ifname, 'vif-s']): - migrate_interface(config, iftype, ifname, vifs=vifs) + if config.exists(['interfaces', iftype, ifname, 'vif']): + for vif in config.list_nodes(['interfaces', iftype, ifname, 'vif']): + migrate_interface(config, iftype, ifname, vif=vif) - if config.exists(['interfaces', iftype, ifname, 'vif-s', vifs, 'vif-c']): - for vifc in config.list_nodes(['interfaces', iftype, ifname, 'vif-s', vifs, 'vif-c']): - migrate_interface(config, iftype, ifname, vifs=vifs, vifc=vifc) + if config.exists(['interfaces', iftype, ifname, 'vif-s']): + for vifs in config.list_nodes(['interfaces', iftype, ifname, 'vif-s']): + migrate_interface(config, iftype, ifname, vifs=vifs) -if config.exists(zone_base + ['zone']): - config.set(['firewall', 'zone']) - config.set_tag(['firewall', 'zone']) + if config.exists(['interfaces', iftype, ifname, 'vif-s', vifs, 'vif-c']): + for vifc in config.list_nodes(['interfaces', iftype, ifname, 'vif-s', vifs, 'vif-c']): + migrate_interface(config, iftype, ifname, vifs=vifs, vifc=vifc) - for zone in 
config.list_nodes(zone_base + ['zone']): - config.copy(zone_base + ['zone', zone], ['firewall', 'zone', zone]) - config.delete(zone_base) + if config.exists(zone_base + ['zone']): + config.set(['firewall', 'zone']) + config.set_tag(['firewall', 'zone']) -try: - with open(file_name, 'w') as f: - f.write(config.to_string()) -except OSError as e: - print("Failed to save the modified config: {}".format(e)) - exit(1) + for zone in config.list_nodes(zone_base + ['zone']): + config.copy(zone_base + ['zone', zone], ['firewall', 'zone', zone]) + config.delete(zone_base) diff --git a/src/migration-scripts/firewall/8-to-9 b/src/migration-scripts/firewall/8-to-9 index 6e019beb2..3c9e84662 100755..100644 --- a/src/migration-scripts/firewall/8-to-9 +++ b/src/migration-scripts/firewall/8-to-9 
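Review bot: `migrate` runs `for iftype in config.list_nodes(['interfaces']):` with no existence check, while the early return only tests `base` and `zone_base`; if `list_nodes` raises on a missing path (not visible here), a config that has a `firewall` or `zone-policy` node but no `interfaces` node aborts the whole migration instead of skipping the interface pass. Guard the loop with `if config.exists(['interfaces']):` ahead of the `for iftype` line. The removed module-level code had the same shape, so this is carried over rather than introduced, but the new function is the place to fix it. `migrate_interface`'s body starts outside this hunk; a one-line docstring on `migrate` saying it moves per-interface `firewall` nodes and `zone-policy` under `firewall` in place, and returns early when neither exists, would also help.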
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2022-2024 VyOS maintainers and contributors <maintainers@vyos.io>
 #
-# Copyright (C) 2022-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
 # T4780: Add firewall interface group
 # cli changes from:
@@ -20,69 +19,50 @@ # To # set firewall [name | ipv6-name] <name> rule <number> [inbound-interface | outbound-interface] [interface-name | interface-group] <interface_name | interface_group> -from sys import argv -from sys import exit - from vyos.configtree import ConfigTree -if len(argv) < 2: - print("Must specify file name!") - exit(1) - -file_name = argv[1] - -with open(file_name, 'r') as f: - config_file = f.read() - base = ['firewall'] -config = ConfigTree(config_file) - -if not config.exists(base): - # Nothing to do - exit(0) - -if config.exists(base + ['name']): - for name in config.list_nodes(base + ['name']): - if not config.exists(base + ['name', name, 'rule']): - continue - - for rule in config.list_nodes(base + ['name', name, 'rule']): - rule_iiface = base + ['name', name, 'rule', rule, 'inbound-interface'] - rule_oiface = base + ['name', name, 'rule', rule, 'outbound-interface'] - - if config.exists(rule_iiface): - tmp = config.return_value(rule_iiface) - config.delete(rule_iiface) - config.set(rule_iiface + ['interface-name'], value=tmp) - - if config.exists(rule_oiface): - tmp = config.return_value(rule_oiface) - config.delete(rule_oiface) - config.set(rule_oiface + ['interface-name'], value=tmp) - - -if config.exists(base + ['ipv6-name']): - for name in config.list_nodes(base + ['ipv6-name']): - if not config.exists(base + ['ipv6-name', name, 'rule']): - continue - - for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']): - rule_iiface = base + ['ipv6-name', name, 'rule', rule, 'inbound-interface'] - rule_oiface = base + ['ipv6-name', name, 'rule', rule, 'outbound-interface'] - - if config.exists(rule_iiface): - tmp = config.return_value(rule_iiface) - config.delete(rule_iiface) - config.set(rule_iiface + ['interface-name'], value=tmp) - - if config.exists(rule_oiface): - tmp = config.return_value(rule_oiface) - config.delete(rule_oiface) - config.set(rule_oiface + ['interface-name'], value=tmp) -try: - with open(file_name, 'w') as f: - 
f.write(config.to_string()) -except OSError as e: - print("Failed to save the modified config: {}".format(e)) - exit(1) +def migrate(config: ConfigTree) -> None: + if not config.exists(base): + # Nothing to do + return + + if config.exists(base + ['name']): + for name in config.list_nodes(base + ['name']): + if not config.exists(base + ['name', name, 'rule']): + continue + + for rule in config.list_nodes(base + ['name', name, 'rule']): + rule_iiface = base + ['name', name, 'rule', rule, 'inbound-interface'] + rule_oiface = base + ['name', name, 'rule', rule, 'outbound-interface'] + + if config.exists(rule_iiface): + tmp = config.return_value(rule_iiface) + config.delete(rule_iiface) + config.set(rule_iiface + ['interface-name'], value=tmp) + + if config.exists(rule_oiface): + tmp = config.return_value(rule_oiface) + config.delete(rule_oiface) + config.set(rule_oiface + ['interface-name'], value=tmp) + + + if config.exists(base + ['ipv6-name']): + for name in config.list_nodes(base + ['ipv6-name']): + if not config.exists(base + ['ipv6-name', name, 'rule']): + continue + + for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']): + rule_iiface = base + ['ipv6-name', name, 'rule', rule, 'inbound-interface'] + rule_oiface = base + ['ipv6-name', name, 'rule', rule, 'outbound-interface'] + + if config.exists(rule_iiface): + tmp = config.return_value(rule_iiface) + config.delete(rule_iiface) + config.set(rule_iiface + ['interface-name'], value=tmp) + + if config.exists(rule_oiface): + tmp = config.return_value(rule_oiface) + config.delete(rule_oiface) + config.set(rule_oiface + ['interface-name'], value=tmp) diff --git a/src/migration-scripts/firewall/9-to-10 b/src/migration-scripts/firewall/9-to-10 index ce509a731..306a53a86 100755..100644 --- a/src/migration-scripts/firewall/9-to-10 +++ b/src/migration-scripts/firewall/9-to-10 
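Review bot: The new `migrate` body repeats the same rule loop verbatim for `name` and `ipv6-name`, and within each the inbound/outbound handling is a second copy-paste; the 9-to-10 hunk that follows (`log-level` → `log-options level`) has the identical two-family duplication. Folding the family and the interface direction into loops halves the body and leaves one place to fix when the next rule attribute moves, and the rewrite below keeps the existing delete-then-set order so `interface-name` is created under the same path. A docstring stating the T4780 transformation from the header comment and that `config` is mutated in place would complete it.
```python
def migrate(config: ConfigTree) -> None:
    """Move rule inbound/outbound-interface values under an 'interface-name' node (T4780); mutates config in place."""
    if not config.exists(base):
        # Nothing to do
        return

    for family in ('name', 'ipv6-name'):
        if not config.exists(base + [family]):
            continue
        for name in config.list_nodes(base + [family]):
            if not config.exists(base + [family, name, 'rule']):
                continue

            for rule in config.list_nodes(base + [family, name, 'rule']):
                for iface in ('inbound-interface', 'outbound-interface'):
                    rule_iface = base + [family, name, 'rule', rule, iface]
                    if config.exists(rule_iface):
                        tmp = config.return_value(rule_iface)
                        config.delete(rule_iface)
                        config.set(rule_iface + ['interface-name'], value=tmp)
```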
@@ -1,18 +1,17 @@
-#!/usr/bin/env python3
+# Copyright 2023-2024 VyOS maintainers and contributors <maintainers@vyos.io>
 #
-# Copyright (C) 2023-2024 VyOS maintainers and contributors
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
+# This library is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see <http://www.gnu.org/licenses/>.
 # T5050: Log options
 # cli changes from:
@@ -20,58 +19,39 @@ # To # set firewall [name | ipv6-name] <name> rule <number> log-options level <log_level> -from sys import argv -from sys import exit - from vyos.configtree import ConfigTree -if len(argv) < 2: - print("Must specify file name!") - exit(1) - -file_name = argv[1] - -with open(file_name, 'r') as f: - config_file = f.read() - base = ['firewall'] -config = ConfigTree(config_file) - -if not config.exists(base): - # Nothing to do - exit(0) - -if config.exists(base + ['name']): - for name in config.list_nodes(base + ['name']): - if not config.exists(base + ['name', name, 'rule']): - continue - - for rule in config.list_nodes(base + ['name', name, 'rule']): - log_options_base = base + ['name', name, 'rule', rule, 'log-options'] - rule_log_level = base + ['name', name, 'rule', rule, 'log-level'] - - if config.exists(rule_log_level): - tmp = config.return_value(rule_log_level) - config.delete(rule_log_level) - config.set(log_options_base + ['level'], value=tmp) - -if config.exists(base + ['ipv6-name']): - for name in config.list_nodes(base + ['ipv6-name']): - if not config.exists(base + ['ipv6-name', name, 'rule']): - continue - - for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']): - log_options_base = base + ['ipv6-name', name, 'rule', rule, 'log-options'] - rule_log_level = base + ['ipv6-name', name, 'rule', rule, 'log-level'] - - if config.exists(rule_log_level): - tmp = config.return_value(rule_log_level) - config.delete(rule_log_level) - config.set(log_options_base + ['level'], value=tmp) -try: - with open(file_name, 'w') as f: - f.write(config.to_string()) -except OSError as e: - print("Failed to save the modified config: {}".format(e)) - exit(1) +def migrate(config: ConfigTree) -> None: + if not config.exists(base): + # Nothing to do + return + + if config.exists(base + ['name']): + for name in config.list_nodes(base + ['name']): + if not config.exists(base + ['name', name, 'rule']): + continue + + for rule in config.list_nodes(base + 
['name', name, 'rule']): + log_options_base = base + ['name', name, 'rule', rule, 'log-options'] + rule_log_level = base + ['name', name, 'rule', rule, 'log-level'] + + if config.exists(rule_log_level): + tmp = config.return_value(rule_log_level) + config.delete(rule_log_level) + config.set(log_options_base + ['level'], value=tmp) + + if config.exists(base + ['ipv6-name']): + for name in config.list_nodes(base + ['ipv6-name']): + if not config.exists(base + ['ipv6-name', name, 'rule']): + continue + + for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']): + log_options_base = base + ['ipv6-name', name, 'rule', rule, 'log-options'] + rule_log_level = base + ['ipv6-name', name, 'rule', rule, 'log-level'] + + if config.exists(rule_log_level): + tmp = config.return_value(rule_log_level) + config.delete(rule_log_level) + config.set(log_options_base + ['level'], value=tmp) |
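Review bot: `migrate` carries no docstring, and now that the script is imported as a library rather than run with a file argument, the function signature is the only contract a caller sees. The header comment already states the transformation, so a docstring can restate it briefly: `"""Move each rule's 'log-level' value to 'log-options level' (T5050); mutates config in place and returns without change when 'firewall' is absent."""`. The `log_options_base` name is computed for every rule even when `log-level` is absent; moving it inside the `if config.exists(rule_log_level):` branch, or inlining it into the `config.set` call, keeps the per-rule loop to the one path that is actually used.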