From 68d14fe80145542ffd08a5f7d5cde6c090a0de07 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 31 May 2023 15:07:42 +0000 Subject: T5160: firewall refactor: change firewall ip to firewall ipv4 --- src/migration-scripts/firewall/10-to-11 | 110 ++++++++++++++++---------------- 1 file changed, 55 insertions(+), 55 deletions(-) (limited to 'src/migration-scripts/firewall/10-to-11') diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11 index b2880afac..9dad86b62 100755 --- a/src/migration-scripts/firewall/10-to-11 +++ b/src/migration-scripts/firewall/10-to-11 @@ -20,22 +20,22 @@ # set firewall name ... # set firewall ipv6-name ... # To -# set firewall ip name +# set firewall ipv4 name # set firewall ipv6 ipv6-name ## Also from 'firewall interface' removed. ## in and out: # set firewall interface [in|out] [name | ipv6-name] # To - # set firewall [ip | ipv6] forward filter rule <5,10,15,...> [inbound-interface | outboubd-interface] interface-name - # set firewall [ip | ipv6] forward filter rule <5,10,15,...> action jump - # set firewall [ip | ipv6] forward filter rule <5,10,15,...> jump-target + # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> [inbound-interface | outboubd-interface] interface-name + # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> action jump + # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> jump-target ## local: # set firewall interface local [name | ipv6-name] # To - # set firewall [ip | ipv6] input filter rule <5,10,15,...> inbound-interface interface-name - # set firewall [ip | ipv6] input filter rule <5,10,15,...> action jump - # set firewall [ip | ipv6] input filter rule <5,10,15,...> jump-target + # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> inbound-interface interface-name + # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> action jump + # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> jump-target import re @@ -63,7 +63,7 @@ if not config.exists(base): ### Migration of state policies if config.exists(base + ['state-policy']): - for family in ['ip', 'ipv6']: + for family in ['ipv4', 'ipv6']: for hook in ['forward', 'input', 'output']: for priority in ['filter']: # Add default-action== accept for compatibility reasons: @@ -89,11 +89,11 @@ for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv ### Migration of firewall name and ipv6-name if config.exists(base + ['name']): - config.set(['firewall', 'ip', 'name']) - config.set_tag(['firewall', 'ip', 'name']) + config.set(['firewall', 'ipv4', 'name']) + config.set_tag(['firewall', 'ipv4', 'name']) for ipv4name in config.list_nodes(base + ['name']): - config.copy(base + ['name', ipv4name], base + ['ip', 'name', ipv4name]) + config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name]) config.delete(base + ['name']) if config.exists(base + ['ipv6-name']): @@ -117,8 +117,8 @@ if config.exists(base + ['interface']): target = config.return_value(base + ['interface', iface, direction, 'name']) if direction == 'in': # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'forward', 'filter', 'default-action'], value='accept') - new_base = base + ['ip', 'forward', 'filter', 'rule'] + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'forward', 'filter', 'rule'] config.set(new_base) config.set_tag(new_base) config.set(new_base + [fwd_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface) @@ -127,8 +127,8 @@ if config.exists(base + ['interface']): fwd_ipv4_rule = fwd_ipv4_rule + 5 elif direction == 'out': # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'forward', 'filter', 'default-action'], value='accept') - new_base = base + ['ip', 'forward', 'filter', 'rule'] + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'forward', 'filter', 'rule'] config.set(new_base) config.set_tag(new_base) config.set(new_base + [fwd_ipv4_rule, 'outbound-interface', 'interface-name'], value=iface) @@ -137,8 +137,8 @@ if config.exists(base + ['interface']): fwd_ipv4_rule = fwd_ipv4_rule + 5 else: # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'input', 'filter', 'default-action'], value='accept') - new_base = base + ['ip', 'input', 'filter', 'rule'] + config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'input', 'filter', 'rule'] config.set(new_base) config.set_tag(new_base) config.set(new_base + [inp_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface) @@ -197,20 +197,20 @@ if config.exists(base + ['zone']): if config.exists(base + ['zone', zone, 'local-zone']): local_zone = 'True' # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'input', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept') config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept') - config.set(base + ['ip', 'output', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv4', 'output', 'filter', 'default-action'], value='accept') config.set(base + ['ipv6', 'output', 'filter', 'default-action'], value='accept') for from_zone in config.list_nodes(base + ['zone', zone, 'from']): group_name = 'IG_' + from_zone if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']): # ipv4 input ruleset target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']) - config.set(base + ['ip', 'input', 'filter', 'rule']) - config.set_tag(base + ['ip', 'input', 'filter', 'rule']) - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump') - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain) + config.set(base + ['ipv4', 'input', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'input', 'filter', 'rule']) + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump') + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain) inp_ipv4_rule = inp_ipv4_rule + 5 if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']): # ipv6 input ruleset @@ -228,21 +228,21 @@ if config.exists(base + ['zone']): local_def_action = config.return_value(base + ['zone', zone, 'default-action']) else: local_def_action = 'drop' - config.set(base + ['ip', 'input', 'filter', 'rule']) - config.set_tag(base + ['ip', 'input', 'filter', 'rule']) - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action) + config.set(base + ['ipv4', 'input', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'input', 'filter', 'rule']) + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action) config.set(base + ['ipv6', 'input', 'filter', 'rule']) config.set_tag(base + ['ipv6', 'input', 'filter', 'rule']) config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value=local_def_action) if config.exists(base + ['zone', zone, 'enable-default-log']): - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable') + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable') config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'log'], value='enable') else: # It's not a local zone group_name = 'IG_' + zone # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'forward', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept') # intra-filtering migration. By default accept intra_zone_ipv4_action = 'accept' @@ -258,11 +258,11 @@ if config.exists(base + ['zone']): if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']): intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']) intra_zone_ipv6_action = 'jump' - config.set(base + ['ip', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ip', 'forward', 'filter', 'rule']) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action) + config.set(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action) config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule']) config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name) @@ -270,7 +270,7 @@ if config.exists(base + ['zone']): if intra_zone_ipv4_action == 'jump': if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']): intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target) if intra_zone_ipv6_action == 'jump': if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']): intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']) @@ -293,20 +293,20 @@ if config.exists(base + ['zone']): target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']) if config.exists(base + ['zone', from_zone, 'local-zone']): # It's from LOCAL zone -> Output filtering - config.set(base + ['ip', 'output', 'filter', 'rule']) - config.set_tag(base + ['ip', 'output', 'filter', 'rule']) - config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump') - config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain) + config.set(base + ['ipv4', 'output', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'output', 'filter', 'rule']) + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump') + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain) out_ipv4_rule = out_ipv4_rule + 5 else: # It's not LOCAL zone -> forward filtering - config.set(base + ['ip', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ip', 'forward', 'filter', 'rule']) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump') - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain) + config.set(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump') + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain) fwd_ipv4_rule = fwd_ipv4_rule + 5 if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']): target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']) @@ -333,12 +333,12 @@ if config.exists(base + ['zone']): def_action = config.return_value(base + ['zone', zone, 'default-action']) else: def_action = 'drop' - config.set(base + ['ip', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ip', 'forward', 'filter', 'rule']) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action) + config.set(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action) description = 'zone_' + zone + ' default-action' - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description) config.set(base + ['ipv6', 'forward', 'filter', 'rule']) config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule']) config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) @@ -346,7 +346,7 @@ if config.exists(base + ['zone']): config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'description'], value=description) if config.exists(base + ['zone', zone, 'enable-default-log']): - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable') + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable') config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'log'], value='enable') fwd_ipv4_rule = fwd_ipv4_rule + 5 fwd_ipv6_rule = fwd_ipv6_rule + 5 @@ -354,9 +354,9 @@ if config.exists(base + ['zone']): # Migrate default-action (force to be drop in output chain) if local zone is defined if local_zone == 'True': # General drop in output change if needed - config.set(base + ['ip', 'output', 'filter', 'rule']) - config.set_tag(base + ['ip', 'output', 'filter', 'rule']) - config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action) + config.set(base + ['ipv4', 'output', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'output', 'filter', 'rule']) + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action) config.set(base + ['ipv6', 'output', 'filter', 'rule']) config.set_tag(base + ['ipv6', 'output', 'filter', 'rule']) config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value=local_def_action) -- cgit v1.2.3