4 files changed, 84 insertions, 3 deletions
diff --git a/src/init/vyos-router b/src/init/vyos-router
index 2b4fac5ef..eac3e7e47 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -449,7 +449,7 @@ start ()
 
     run_postconfig_scripts
     tmp=$(${vyos_libexec_dir}/read-saved-value.py --path "protocols rpki cache")
-    if [ ! -z $tmp ]; then
+    if [[ ! -z "$tmp" ]]; then
         vtysh -c "rpki start"
     fi
 }
diff --git a/src/migration-scripts/dhcpv6-server/4-to-5 b/src/migration-scripts/dhcpv6-server/4-to-5
new file mode 100755
index 000000000..e808edbe0
--- /dev/null
+++ b/src/migration-scripts/dhcpv6-server/4-to-5
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5993: Check if subnet is locally accessible and assign interface to subnet
+
+import sys
+from ipaddress import ip_network
+from vyos.configtree import ConfigTree
+
+if (len(sys.argv) < 1):
+    print("Must specify file name!")
+    sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['service', 'dhcpv6-server', 'shared-network-name']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+def find_subnet_interface(subnet):
+    subnet_net = ip_network(subnet)
+
+    for iftype in config.list_nodes(['interfaces']):
+        for ifname in config.list_nodes(['interfaces', iftype]):
+            if_base = ['interfaces', iftype, ifname]
+
+            if config.exists(if_base + ['address']):
+                for addr in config.return_values(if_base + ['address']):
+                    if ip_network(addr, strict=False) == subnet_net:
+                        return ifname
+
+    return False
+
+for network in config.list_nodes(base):
+    if not config.exists(base + [network, 'subnet']):
+        continue
+
+    for subnet in config.list_nodes(base + [network, 'subnet']):
+        subnet_interface = find_subnet_interface(subnet)
+
+        if subnet_interface:
+            config.set(base + [network, 'subnet', subnet, 'interface'], value=subnet_interface)
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/ipsec/6-to-7 b/src/migration-scripts/ipsec/6-to-7
index 71fbbe8a1..f8b6de560 100755
--- a/src/migration-scripts/ipsec/6-to-7
+++ b/src/migration-scripts/ipsec/6-to-7
@@ -63,7 +63,7 @@ if config.exists(ipsec_site_base):
         changes_made = True
 
         peer_x509_base = ipsec_site_base + [peer, 'authentication', 'x509']
-        pki_name = 'peer_' + peer.replace(".", "-")
+        pki_name = 'peer_' + peer.replace(".", "-").replace("@", "")
 
         if config.exists(peer_x509_base + ['cert-file']):
             cert_file = config.return_value(peer_x509_base + ['cert-file'])
diff --git a/src/validators/ipv6-srv6-segments b/src/validators/ipv6-srv6-segments
new file mode 100755
index 000000000..e72a4f90f
--- /dev/null
+++ b/src/validators/ipv6-srv6-segments
@@ -0,0 +1,13 @@
+#!/bin/sh
+segments="$1"
+export IFS="/"
+
+for ipv6addr in $segments; do
+    ipaddrcheck --is-ipv6-single $ipv6addr
+    if [ $? -gt 0 ]; then
+        echo "Error: $1 is not a valid IPv6 address"
+        exit 1
+    fi
+done
+exit 0
+