7 files changed, 469 insertions, 15 deletions

diff --git a/src/migration-scripts/dns-dynamic/0-to-1 b/src/migration-scripts/dns-dynamic/0-to-1
index d80e8d44a..b7674a9c8 100755
--- a/src/migration-scripts/dns-dynamic/0-to-1
+++ b/src/migration-scripts/dns-dynamic/0-to-1
@@ -25,8 +25,10 @@
 #        to "service dns dynamic address <address> service <config> username ..."
 # - apply global 'ipv6-enable' to per <config> 'ip-version: ipv6'
 # - apply service protocol mapping upfront, they are not 'auto-detected' anymore
+# - migrate web-options url to stricter format
 
 import sys
+import re
 from vyos.configtree import ConfigTree
 
 service_protocol_mapping = {
@@ -81,20 +83,42 @@ for address in config.list_nodes(new_base_path):
                 config.rename(new_base_path + [address, 'service', svc_cfg, 'login'], 'username')
             # Apply global 'ipv6-enable' to per <config> 'ip-version: ipv6'
             if config.exists(new_base_path + [address, 'ipv6-enable']):
-                config.set(new_base_path + [address, 'service', svc_cfg, 'ip-version'],
-                           value='ipv6', replace=False)
+                config.set(new_base_path + [address, 'service', svc_cfg, 'ip-version'], 'ipv6')
                 config.delete(new_base_path + [address, 'ipv6-enable'])
             # Apply service protocol mapping upfront, they are not 'auto-detected' anymore
             if svc_cfg in service_protocol_mapping:
                 config.set(new_base_path + [address, 'service', svc_cfg, 'protocol'],
-                           value=service_protocol_mapping.get(svc_cfg), replace=False)
+                           service_protocol_mapping.get(svc_cfg))
 
-    # Migrate "service dns dynamic interface <interface> use-web"
-    #      to "service dns dynamic address <address> web-options"
-    # Also, rename <address> to 'web' literal for backward compatibility
+    # If use-web is set, then:
+    #   Move "service dns dynamic address <address> <service|rfc2136> <service> ..."
+    #     to "service dns dynamic address web <service|rfc2136> <service>-<address> ..."
+    #   Move "service dns dynamic address web use-web ..."
+    #     to "service dns dynamic address web web-options ..."
+    # Note: The config is named <service>-<address> to avoid name conflict with old entries
     if config.exists(new_base_path + [address, 'use-web']):
-        config.rename(new_base_path + [address], 'web')
-        config.rename(new_base_path + ['web', 'use-web'], 'web-options')
+        for svc_type in ['rfc2136', 'service']:
+            if config.exists(new_base_path + [address, svc_type]):
+                config.set(new_base_path + ['web', svc_type])
+                config.set_tag(new_base_path + ['web', svc_type])
+                for svc_cfg in config.list_nodes(new_base_path + [address, svc_type]):
+                    config.copy(new_base_path + [address, svc_type, svc_cfg],
+                                new_base_path + ['web', svc_type, f'{svc_cfg}-{address}'])
+
+        # Multiple web-options were not supported, so copy only the first one
+        # Also, migrate web-options url to stricter format and transition
+        # checkip.dyndns.org to https://domains.google.com/checkip for better
+        # TLS support (see: https://github.com/ddclient/ddclient/issues/597)
+        if not config.exists(new_base_path + ['web', 'web-options']):
+            config.copy(new_base_path + [address, 'use-web'], new_base_path + ['web', 'web-options'])
+            if config.exists(new_base_path + ['web', 'web-options', 'url']):
+                url = config.return_value(new_base_path + ['web', 'web-options', 'url'])
+                if re.search("^(https?://)?checkip\.dyndns\.org", url):
+                    config.set(new_base_path + ['web', 'web-options', 'url'], 'https://domains.google.com/checkip')
+                if not url.startswith(('http://', 'https://')):
+                    config.set(new_base_path + ['web', 'web-options', 'url'], f'https://{url}')
+
+        config.delete(new_base_path + [address])
 
 try:
     with open(file_name, 'w') as f:
diff --git a/src/migration-scripts/dns-dynamic/2-to-3 b/src/migration-scripts/dns-dynamic/2-to-3
index 187c2a895..4e0aa37d5 100755
--- a/src/migration-scripts/dns-dynamic/2-to-3
+++ b/src/migration-scripts/dns-dynamic/2-to-3
@@ -21,10 +21,27 @@
 #        to "service dns dynamic name <service> address <interface> protocol 'nsupdate'"
 # - migrate "service dns dynamic address <interface> service <service> ..."
 #        to "service dns dynamic name <service> address <interface> ..."
+# - normalize the all service names to conform with name constraints
 
 import sys
+import re
+from unicodedata import normalize
 from vyos.configtree import ConfigTree
 
+def normalize_name(name):
+    """Normalize service names to conform with name constraints.
+
+    This is necessary as part of migration because there were no constraints in
+    the old name format.
+    """
+    # Normalize unicode characters to ASCII (NFKD)
+    # Replace all separators with hypens, strip leading and trailing hyphens
+    name = normalize('NFKD', name).encode('ascii', 'ignore').decode()
+    name = re.sub(r'(\s|_|\W)+', '-', name).strip('-')
+
+    return name
+
+
 if len(sys.argv) < 2:
     print("Must specify file name!")
     sys.exit(1)
@@ -64,22 +81,36 @@ for address in config.list_nodes(address_path):
 
     for svc_type in ['service', 'rfc2136']:
         if config.exists(address_path_tag + [svc_type]):
-            # Move RFC2136 as service configuration, rename to avoid name conflict and set protocol to 'nsupdate'
+            # Set protocol to 'nsupdate' for RFC2136 configuration
             if svc_type == 'rfc2136':
-                for rfc_cfg_old in config.list_nodes(address_path_tag + ['rfc2136']):
-                    rfc_cfg_new = f'{rfc_cfg_old}-rfc2136'
-                    config.rename(address_path_tag + ['rfc2136', rfc_cfg_old], rfc_cfg_new)
-                    config.set(address_path_tag + ['rfc2136', rfc_cfg_new, 'protocol'], 'nsupdate')
+                for rfc_cfg in config.list_nodes(address_path_tag + ['rfc2136']):
+                    config.set(address_path_tag + ['rfc2136', rfc_cfg, 'protocol'], 'nsupdate')
 
             # Add address as config value in each service before moving the service path
-            # And then copy the services from 'address <interface> service <service>' to 'name <service>'
+            # And then copy the services from 'address <interface> service <service>'
+            #                              to 'name (service|rfc2136)-<service>-<address>'
+            # Note: The new service is named (service|rfc2136)-<service>-<address>
+            #       to avoid name conflict with old entries
             for svc_cfg in config.list_nodes(address_path_tag + [svc_type]):
                 config.set(address_path_tag + [svc_type, svc_cfg, 'address'], address)
-                config.copy(address_path_tag + [svc_type, svc_cfg], name_path + [svc_cfg])
+                config.copy(address_path_tag + [svc_type, svc_cfg],
+                            name_path + ['-'.join([svc_type, svc_cfg, address])])
 
 # Finally cleanup the old address path
 config.delete(address_path)
 
+# Normalize the all service names to conform with name constraints
+index = 1
+for name in config.list_nodes(name_path):
+    new_name = normalize_name(name)
+    if new_name != name:
+        # Append index if there is still a name conflicts after normalization
+        # For example, "foo-?(" and "foo-!)" both normalize to "foo-"
+        if config.exists(name_path + [new_name]):
+            new_name = f'{new_name}-{index}'
+            index += 1
+        config.rename(name_path + [name], new_name)
+
 try:
     with open(file_name, 'w') as f:
         f.write(config.to_string())
diff --git a/src/migration-scripts/ipoe-server/1-to-2 b/src/migration-scripts/ipoe-server/1-to-2
new file mode 100755
index 000000000..c8cec6835
--- /dev/null
+++ b/src/migration-scripts/ipoe-server/1-to-2
@@ -0,0 +1,87 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# - changed cli of all named pools
+# - moved gateway-address from pool to global configuration with / netmask
+#   gateway can exist without pool if radius is used
+#   and Framed-ip-address is transmited
+# - There are several gateway-addresses in ipoe
+# - default-pool by migration.
+#       1. The first pool that contains next-poll.
+#       2. Else, the first pool in the list
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['service', 'ipoe-server']
+pool_base = base + ['client-ip-pool']
+if not config.exists(base):
+    exit(0)
+
+if not config.exists(pool_base):
+    exit(0)
+default_pool = ''
+gateway = ''
+
+#named pool migration
+namedpools_base = pool_base + ['name']
+
+for pool_name in config.list_nodes(namedpools_base):
+    pool_path = namedpools_base + [pool_name]
+    if config.exists(pool_path + ['subnet']):
+        subnet = config.return_value(pool_path + ['subnet'])
+        config.set(pool_base + [pool_name, 'range'], value=subnet)
+        # Get netmask from subnet
+        mask = subnet.split("/")[1]
+    if config.exists(pool_path + ['next-pool']):
+        next_pool = config.return_value(pool_path + ['next-pool'])
+        config.set(pool_base + [pool_name, 'next-pool'], value=next_pool)
+        if not default_pool:
+            default_pool = pool_name
+    if config.exists(pool_path + ['gateway-address']) and mask:
+        gateway = f'{config.return_value(pool_path + ["gateway-address"])}/{mask}'
+        config.set(base + ['gateway-address'], value=gateway, replace=False)
+
+if not default_pool and config.list_nodes(namedpools_base):
+    default_pool = config.list_nodes(namedpools_base)[0]
+
+config.delete(namedpools_base)
+
+if default_pool:
+    config.set(base + ['default-pool'], value=default_pool)
+# format as tag node
+config.set_tag(pool_base)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/l2tp/4-to-5 b/src/migration-scripts/l2tp/4-to-5
new file mode 100755
index 000000000..fe8ab357e
--- /dev/null
+++ b/src/migration-scripts/l2tp/4-to-5
@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# - move all pool to named pools
+#       'start-stop' migrate to namedpool 'default-range-pool'
+#       'subnet' migrate to namedpool 'default-subnet-pool'
+#       'default-subnet-pool' is the next pool for 'default-range-pool'
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['vpn', 'l2tp', 'remote-access']
+pool_base = base + ['client-ip-pool']
+if not config.exists(base):
+    exit(0)
+
+if not config.exists(pool_base):
+    exit(0)
+default_pool = ''
+range_pool_name = 'default-range-pool'
+subnet_pool_name = 'default-subnet-pool'
+if config.exists(pool_base + ['subnet']):
+    subnet = config.return_value(pool_base + ['subnet'])
+    config.delete(pool_base + ['subnet'])
+    config.set(pool_base + [subnet_pool_name, 'range'], value=subnet)
+    default_pool = subnet_pool_name
+
+if config.exists(pool_base + ['start']) and config.exists(pool_base + ['stop']):
+    start_ip = config.return_value(pool_base + ['start'])
+    stop_ip = config.return_value(pool_base + ['stop'])
+    ip_range = f'{start_ip}-{stop_ip}'
+    config.delete(pool_base + ['start'])
+    config.delete(pool_base + ['stop'])
+    config.set(pool_base + [range_pool_name, 'range'], value=ip_range)
+    if default_pool:
+        config.set(pool_base + [range_pool_name, 'next-pool'],
+                   value=subnet_pool_name)
+    default_pool = range_pool_name
+
+if default_pool:
+    config.set(base + ['default-pool'], value=default_pool)
+# format as tag node
+config.set_tag(pool_base)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/pppoe-server/6-to-7 b/src/migration-scripts/pppoe-server/6-to-7
new file mode 100755
index 000000000..34996d8fe
--- /dev/null
+++ b/src/migration-scripts/pppoe-server/6-to-7
@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# - move all pool to named pools
+#       'start-stop' migrate to namedpool 'default-range-pool'
+#       'subnet' migrate to namedpool 'default-subnet-pool'
+#       'default-subnet-pool' is the next pool for 'default-range-pool'
+# - There is only one gateway-address, take the first which is configured
+# - default-pool by migration.
+#       1. If authentication mode = 'local' then it is first named pool.
+#       If there are not named pools, namedless pool will be default.
+#       2. If authentication mode = 'radius' then namedless pool will be default
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['service', 'pppoe-server']
+pool_base = base + ['client-ip-pool']
+if not config.exists(base):
+    exit(0)
+
+if not config.exists(pool_base):
+    exit(0)
+default_pool = ''
+range_pool_name = 'default-range-pool'
+subnet_pool_name = 'default-subnet-pool'
+#Default nameless pools migrations
+if config.exists(pool_base + ['subnet']):
+    subnet = config.return_value(pool_base + ['subnet'])
+    config.delete(pool_base + ['subnet'])
+    config.set(pool_base + [subnet_pool_name, 'range'], value=subnet)
+    default_pool = subnet_pool_name
+
+if config.exists(pool_base + ['start']) and config.exists(pool_base + ['stop']):
+    start_ip = config.return_value(pool_base + ['start'])
+    stop_ip = config.return_value(pool_base + ['stop'])
+    ip_range = f'{start_ip}-{stop_ip}'
+    config.delete(pool_base + ['start'])
+    config.delete(pool_base + ['stop'])
+    config.set(pool_base + [range_pool_name, 'range'], value=ip_range)
+    if default_pool:
+        config.set(pool_base + [range_pool_name, 'next-pool'],
+                   value=subnet_pool_name)
+    default_pool = range_pool_name
+
+gateway = ''
+if config.exists(base + ['gateway-address']):
+    gateway = config.return_value(base + ['gateway-address'])
+
+#named pool migration
+namedpools_base = pool_base + ['name']
+if config.exists(namedpools_base):
+    if config.exists(base + ['authentication', 'mode']):
+        if config.return_value(base + ['authentication', 'mode']) == 'local':
+            if config.list_nodes(namedpools_base):
+                default_pool = config.list_nodes(namedpools_base)[0]
+
+    for pool_name in config.list_nodes(namedpools_base):
+        pool_path = namedpools_base + [pool_name]
+        if config.exists(pool_path + ['subnet']):
+            subnet = config.return_value(pool_path + ['subnet'])
+            config.set(pool_base + [pool_name, 'range'], value=subnet)
+        if config.exists(pool_path + ['next-pool']):
+            next_pool = config.return_value(pool_path + ['next-pool'])
+            config.set(pool_base + [pool_name, 'next-pool'], value=next_pool)
+        if not gateway:
+            if config.exists(pool_path + ['gateway-address']):
+                gateway = config.return_value(pool_path + ['gateway-address'])
+
+    config.delete(namedpools_base)
+
+if gateway:
+    config.set(base + ['gateway-address'], value=gateway)
+if default_pool:
+    config.set(base + ['default-pool'], value=default_pool)
+# format as tag node
+config.set_tag(pool_base)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/pptp/2-to-3 b/src/migration-scripts/pptp/2-to-3
new file mode 100755
index 000000000..98dc5c2a6
--- /dev/null
+++ b/src/migration-scripts/pptp/2-to-3
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# - move all pool to named pools
+#       'start-stop' migrate to namedpool 'default-range-pool'
+#       'default-subnet-pool' is the next pool for 'default-range-pool'
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['vpn', 'pptp', 'remote-access']
+pool_base = base + ['client-ip-pool']
+if not config.exists(base):
+    exit(0)
+
+if not config.exists(pool_base):
+    exit(0)
+
+range_pool_name = 'default-range-pool'
+
+if config.exists(pool_base + ['start']) and config.exists(pool_base + ['stop']):
+    start_ip = config.return_value(pool_base + ['start'])
+    stop_ip = config.return_value(pool_base + ['stop'])
+    ip_range = f'{start_ip}-{stop_ip}'
+    config.delete(pool_base + ['start'])
+    config.delete(pool_base + ['stop'])
+    config.set(pool_base + [range_pool_name, 'range'], value=ip_range)
+    config.set(base + ['default-pool'], value=range_pool_name)
+# format as tag node
+config.set_tag(pool_base)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/sstp/4-to-5 b/src/migration-scripts/sstp/4-to-5
new file mode 100755
index 000000000..0f332e04f
--- /dev/null
+++ b/src/migration-scripts/sstp/4-to-5
@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# - move all pool to named pools
+#       'subnet' migrate to namedpool 'default-subnet-pool'
+#       'default-subnet-pool' is the next pool for 'default-range-pool'
+
+import os
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+config = ConfigTree(config_file)
+base = ['vpn', 'sstp']
+pool_base = base + ['client-ip-pool']
+if not config.exists(base):
+    exit(0)
+
+if not config.exists(pool_base):
+    exit(0)
+
+subnet_pool_name = 'default-subnet-pool'
+if config.exists(pool_base + ['subnet']):
+    subnet = config.return_value(pool_base + ['subnet'])
+    config.delete(pool_base + ['subnet'])
+    config.set(pool_base + [subnet_pool_name, 'range'], value=subnet)
+    config.set(base + ['default-pool'], value=subnet_pool_name)
+# format as tag node
+config.set_tag(pool_base)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)