From 2cbc4eb005fc936e37a34a1ef539d164f21f90b5 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 11 Jun 2024 09:49:11 +0200 Subject: firewall: T3900: fix migration and smoketests Commit 770edf016838523 ("T3900: T6394: extend functionalities in firewall") changed the position in the CLI for conntrack timeout. This lead to failing smoketests because of a regression in the migrator. --- smoketest/config-tests/dialup-router-wireguard-ipv6 | 8 ++++---- src/migration-scripts/firewall/15-to-16 | 5 +++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/smoketest/config-tests/dialup-router-wireguard-ipv6 b/smoketest/config-tests/dialup-router-wireguard-ipv6 index c054b4650..814a62d55 100644 --- a/smoketest/config-tests/dialup-router-wireguard-ipv6 +++ b/smoketest/config-tests/dialup-router-wireguard-ipv6 @@ -192,10 +192,6 @@ set service snmp location 'CLOUD' set system conntrack expect-table-size '2048' set system conntrack hash-size '32768' set system conntrack table-size '262144' -set system conntrack timeout icmp '30' -set system conntrack timeout other '600' -set system conntrack timeout udp other '300' -set system conntrack timeout udp stream '300' set system domain-name 'vyos.net' set system host-name 'r1' set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/' @@ -216,6 +212,10 @@ set firewall global-options receive-redirects 'disable' set firewall global-options send-redirects 'enable' set firewall global-options source-validation 'disable' set firewall global-options syn-cookies 'enable' +set firewall global-options timeout icmp '30' +set firewall global-options timeout other '600' +set firewall global-options timeout udp other '300' +set firewall global-options timeout udp stream '300' set firewall global-options twa-hazards-protection 'disable' set firewall group address-group DMZ-RDP-SERVER address '172.16.33.40' set firewall group address-group DMZ-RDP-SERVER description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata' diff --git a/src/migration-scripts/firewall/15-to-16 b/src/migration-scripts/firewall/15-to-16 index 7c8d38fe6..28df1256e 100755 --- a/src/migration-scripts/firewall/15-to-16 +++ b/src/migration-scripts/firewall/15-to-16 @@ -42,8 +42,9 @@ if not config.exists(conntrack_base): for protocol in ['icmp', 'tcp', 'udp', 'other']: if config.exists(conntrack_base + [protocol]): - if not config.exists(firewall_base): + if not config.exists(firewall_base + ['timeout']): config.set(firewall_base + ['timeout']) + config.copy(conntrack_base + [protocol], firewall_base + ['timeout', protocol]) config.delete(conntrack_base + [protocol]) @@ -52,4 +53,4 @@ try: f.write(config.to_string()) except OSError as e: print("Failed to save the modified config: {}".format(e)) - exit(1) \ No newline at end of file + exit(1) -- cgit v1.2.3