From 3d42009c0e3cf5ea7ea0ed167b4d8f655667edd8 Mon Sep 17 00:00:00 2001
From: Andrew Topp
Date: Tue, 30 Jul 2024 01:05:21 +1000
Subject: firewall: T4694: incomplete node checks in migration script
This patch on #3616 will only attempt to fix ipsec matches in rules if the firewall config tree passed to migrate_chain() has rules attached.
---
 src/migration-scripts/firewall/16-to-17 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/migration-scripts/firewall/16-to-17 b/src/migration-scripts/firewall/16-to-17
index 9ad7a30f8..ad0706f04 100755
--- a/src/migration-scripts/firewall/16-to-17
+++ b/src/migration-scripts/firewall/16-to-17
@@ -27,13 +27,14 @@
 # (nftables rejects 'meta ipsec' in output hooks), they are not considered here.
 #
-import sys
-
 from vyos.configtree import ConfigTree
 firewall_base = ['firewall']
 def migrate_chain(config: ConfigTree, path: list[str]) -> None:
+ if not config.exists(path + ['rule']):
+ return
+
 for rule_num in config.list_nodes(path + ['rule']):
 tmp_path = path + ['rule', rule_num, 'ipsec']
 if config.exists(tmp_path + ['match-ipsec']):
@@ -56,5 +57,4 @@ def migrate(config: ConfigTree) -> None:
 for base_hook in [['forward', 'filter'], ['input', 'filter'], ['prerouting', 'raw']]:
 tmp_path = firewall_base + [family] + base_hook
- if config.exists(tmp_path):
- migrate_chain(config, tmp_path)
+ migrate_chain(config, tmp_path)
-- cgit v1.2.3
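Review bot: The new early return at the top of `migrate_chain()` carries no comment saying which configurations reach it, although that case is the whole reason for the patch. A chain node can evidently exist without a `rule` child, and `list_nodes()` on that missing path presumably raises rather than returning an empty list (inferred from the fix; the ConfigTree implementation is not shown here). I would add above the guard `# Chains without a 'rule' node have nothing to migrate; list_nodes() must not be called on a missing path`. Because the second hunk drops the caller's `config.exists(tmp_path)` check in `migrate()`, this guard is now the only thing keeping a rule-less chain from aborting the firewall migration, and the commit touches only this one file, so a rule-less chain is worth adding to the migration test configs. The loop body of `migrate_chain()` continues outside the hunk.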