T6216: firewall: add patch while migrating from 1.3 to 1.4 in order t…

…o avoid errors when using character <+> in 1.3 in firewall groups and custom firewall chains.
vyos · Apr 11, 2024 · 36baf77 · 36baf77
1 parent 41abc30
commit 36baf77
Showing 1 changed file with 69 additions and 11 deletions.
diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7
@@ -107,13 +107,32 @@ icmpv6_translations = {
     'unknown-option': [4, 2]
 }
 
+v4_found = False
+v6_found = False
+v4_groups = ["address-group", "network-group", "port-group"]
+v6_groups = ["ipv6-address-group", "ipv6-network-group", "port-group"]
+translated_dict = {}
+
 if config.exists(base + ['group']):
     for group_type in config.list_nodes(base + ['group']):
         for group_name in config.list_nodes(base + ['group', group_type]):
             name_description = base + ['group', group_type, group_name, 'description']
             if config.exists(name_description):
                 tmp = config.return_value(name_description)
                 config.set(name_description, value=tmp[:max_len_description])
+            if '+' in group_name:
+                replacement_string = "_"
+                if group_type in v4_groups and not v4_found:
+                    v4_found = True
+                if group_type in v6_groups and not v6_found:
+                    v6_found = True
+                new_group_name = group_name.replace('+', replacement_string)
+                while config.exists(base + ['group', group_type, new_group_name]):
+                    replacement_string = replacement_string + "_"
+                    new_group_name = group_name.replace('+', replacement_string)
+                translated_dict[group_name] = new_group_name
+                config.copy(base + ['group', group_type, group_name], base + ['group', group_type, new_group_name])
+                config.delete(base + ['group', group_type, group_name])
 
 if config.exists(base + ['name']):
     for name in config.list_nodes(base + ['name']):
@@ -173,11 +192,31 @@ if config.exists(base + ['name']):
                         config.set(rule_icmp + ['type'], value=translate[0])
                         config.set(rule_icmp + ['code'], value=translate[1])
 
-            for src_dst in ['destination', 'source']:
-                pg_base = base + ['name', name, 'rule', rule, src_dst, 'group', 'port-group']
-                proto_base = base + ['name', name, 'rule', rule, 'protocol']
-                if config.exists(pg_base) and not config.exists(proto_base):
-                    config.set(proto_base, value='tcp_udp')
+            for direction in ['destination', 'source']:
+                if config.exists(base + ['name', name, 'rule', rule, direction]):
+                    if config.exists(base + ['name', name, 'rule', rule, direction, 'group']) and v4_found:
+                        for group_type in config.list_nodes(base + ['name', name, 'rule', rule, direction, 'group']):
+                            group_name = config.return_value(base + ['name', name, 'rule', rule, direction, 'group', group_type])
+                            if '+' in group_name:
+                                if group_name[0] == "!":
+                                    new_group_name = "!" + translated_dict[group_name[1:]]
+                                else:
+                                    new_group_name = translated_dict[group_name]
+                                config.set(base + ['name', name, 'rule', rule, direction, 'group', group_type], value=new_group_name)
+
+                    pg_base = base + ['name', name, 'rule', rule, direction, 'group', 'port-group']
+                    proto_base = base + ['name', name, 'rule', rule, 'protocol']
+                    if config.exists(pg_base) and not config.exists(proto_base):
+                        config.set(proto_base, value='tcp_udp')
+
+        if '+' in name:
+            replacement_string = "_"
+            new_name = name.replace('+', replacement_string)
+            while config.exists(base + ['name', new_name]):
+                replacement_string = replacement_string + "_"
+                new_name = name.replace('+', replacement_string)
+            config.copy(base + ['name', name], base + ['name', new_name])
+            config.delete(base + ['name', name])
 
 if config.exists(base + ['ipv6-name']):
     for name in config.list_nodes(base + ['ipv6-name']):
@@ -250,12 +289,31 @@ if config.exists(base + ['ipv6-name']):
                 else:
                     config.rename(rule_icmp + ['type'], 'type-name')
 
-            for src_dst in ['destination', 'source']:
-                pg_base = base + ['ipv6-name', name, 'rule', rule, src_dst, 'group', 'port-group']
-                proto_base = base + ['ipv6-name', name, 'rule', rule, 'protocol']
-                if config.exists(pg_base) and not config.exists(proto_base):
-                    config.set(proto_base, value='tcp_udp')
-
+            for direction in ['destination', 'source']:
+                if config.exists(base + ['ipv6-name', name, 'rule', rule, direction]):
+                    if config.exists(base + ['ipv6-name', name, 'rule', rule, direction, 'group']) and v6_found:
+                        for group_type in config.list_nodes(base + ['ipv6-name', name, 'rule', rule, direction, 'group']):
+                            group_name = config.return_value(base + ['ipv6-name', name, 'rule', rule, direction, 'group', group_type])
+                            if '+' in group_name:
+                                if group_name[0] == "!":
+                                    new_group_name = "!" + translated_dict[group_name[1:]]
+                                else:
+                                    new_group_name = translated_dict[group_name]
+                                config.set(base + ['ipv6-name', name, 'rule', rule, direction, 'group', group_type], value=new_group_name)
+
+                    pg_base = base + ['ipv6-name', name, 'rule', rule, direction, 'group', 'port-group']
+                    proto_base = base + ['ipv6-name', name, 'rule', rule, 'protocol']
+                    if config.exists(pg_base) and not config.exists(proto_base):
+                        config.set(proto_base, value='tcp_udp')
+
+        if '+' in name:
+            replacement_string = "_"
+            new_name = name.replace('+', replacement_string)
+            while config.exists(base + ['ipv6-name', new_name]):
+                replacement_string = replacement_string + "_"
+                new_name = name.replace('+', replacement_string)
+            config.copy(base + ['ipv6-name', name], base + ['ipv6-name', new_name])
+            config.delete(base + ['ipv6-name', name])
 try:
     with open(file_name, 'w') as f:
         f.write(config.to_string())