2 files changed, 72 insertions, 0 deletions
diff --git a/src/conf_mode/interfaces_wireguard.py b/src/conf_mode/interfaces_wireguard.py
index 877d013cf..192937dba 100755
--- a/src/conf_mode/interfaces_wireguard.py
+++ b/src/conf_mode/interfaces_wireguard.py
@@ -19,6 +19,9 @@ from sys import exit
 from vyos.config import Config
 from vyos.configdict import get_interface_dict
 from vyos.configdict import is_node_changed
+from vyos.configdict import is_source_interface
+from vyos.configdep import set_dependents
+from vyos.configdep import call_dependents
 from vyos.configverify import verify_vrf
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
@@ -35,6 +38,7 @@ from vyos import airbag
 from pathlib import Path
 airbag.enable()
 
+
 def get_config(config=None):
     """
     Retrive CLI config as dictionary. Dictionary can never be empty, as at least the
@@ -61,11 +65,25 @@ def get_config(config=None):
             if 'disable' not in peer_config and 'host_name' in peer_config:
                 wireguard['peers_need_resolve'].append(peer)
 
+    # Check if interface is used as source-interface on VXLAN interface
+    tmp = is_source_interface(conf, ifname, 'vxlan')
+    if tmp:
+        if 'deleted' not in wireguard:
+            set_dependents('vxlan', conf, tmp)
+        else:
+            wireguard['is_source_interface'] = tmp
+
     return wireguard
 
+
 def verify(wireguard):
     if 'deleted' in wireguard:
         verify_bridge_delete(wireguard)
+        if 'is_source_interface' in wireguard:
+            raise ConfigError(
+                f'Interface "{wireguard["ifname"]}" cannot be deleted as it is used '
+                f'as source interface for "{wireguard["is_source_interface"]}"!'
+            )
         return None
 
     verify_mtu_ipv6(wireguard)
@@ -119,9 +137,11 @@ def verify(wireguard):
 
             public_keys.append(peer['public_key'])
 
+
 def generate(wireguard):
     return None
 
+
 def apply(wireguard):
     check_kmod('wireguard')
 
@@ -157,8 +177,11 @@ def apply(wireguard):
             domain_action = 'stop'
     call(f'systemctl {domain_action} vyos-domain-resolver.service')
 
+    call_dependents()
+
     return None
 
+
 if __name__ == '__main__':
     try:
         c = get_config()
diff --git a/src/migration-scripts/policy/8-to-9 b/src/migration-scripts/policy/8-to-9
new file mode 100644
index 000000000..355e48e00
--- /dev/null
+++ b/src/migration-scripts/policy/8-to-9
@@ -0,0 +1,49 @@
+# Copyright (C) 2025 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# T7116: Remove unsupported "internet" community following FRR removal
+# From
+    # set policy route-map <name> rule <ord> set community [add | replace] internet
+    # set policy community-list <name> rule <ord> regex internet
+# To
+    # set policy route-map <name> rule <ord> set community [add | replace] 0:0
+    # set policy community-list <name> rule <ord> regex _0:0_
+
+# NOTE: In FRR expanded community-lists, without the '_' delimiters, a regex of 
+# "0:0" will match "65000:0" as well as "0:0". This doesn't line up with what
+# we want when replacing "internet". 
+
+from vyos.configtree import ConfigTree
+
+rm_base = ['policy', 'route-map']
+cl_base = ['policy', 'community-list']
+
+def migrate(config: ConfigTree) -> None:
+    if config.exists(rm_base):
+        for policy_name in config.list_nodes(rm_base):
+            for rule_ord in config.list_nodes(rm_base + [policy_name, 'rule'], path_must_exist=False):
+                tmp_path = rm_base + [policy_name, 'rule', rule_ord, 'set', 'community']
+                if config.exists(tmp_path + ['add']) and config.return_value(tmp_path + ['add']) == 'internet':
+                    config.set(tmp_path + ['add'], '0:0')
+                if config.exists(tmp_path + ['replace']) and config.return_value(tmp_path + ['replace']) == 'internet':
+                    config.set(tmp_path + ['replace'], '0:0')
+
+    if config.exists(cl_base):
+        for policy_name in config.list_nodes(cl_base):
+            for rule_ord in config.list_nodes(cl_base + [policy_name, 'rule'], path_must_exist=False):
+                tmp_path = cl_base + [policy_name, 'rule', rule_ord, 'regex']
+                if config.exists(tmp_path) and config.return_value(tmp_path) == 'internet':
+                    config.set(tmp_path, '_0:0_')
+