diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 98ceebaa5..1c70a6b77 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -1,281 +1,225 @@
 #!/usr/sbin/nft -f
 
 {% import 'firewall/nftables-defines.j2' as group_tmpl %}
 
 {% if first_install is not vyos_defined %}
 delete table ip vyos_filter
 {% endif %}
 table ip vyos_filter {
 {% if ipv4 is vyos_defined %}
+{%     set ns = namespace(sets=[]) %}
 {%     if ipv4.forward is vyos_defined %}
-{%         set ns = namespace(sets=[]) %}
 {%         for prior, conf in ipv4.forward.items() %}
 {%             set def_action = conf.default_action %}
     chain VYOS_FORWARD_{{ prior }} {
         type filter hook forward priority {{ prior }}; policy {{ def_action }};
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('FWD', prior, rule_id) }}
 {%                     if rule_conf.recent is vyos_defined %}
 {%                         set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
     }
 {%         endfor %}
-{%         for set_name in ns.sets %}
-    set RECENT_{{ set_name }} {
-        type ipv4_addr
-        size 65535
-        flags dynamic
-    }
-{%         endfor %}
 {%     endif %}
 
 {%     if ipv4.input is vyos_defined %}
-{%         set ns = namespace(sets=[]) %}
 {%         for prior, conf in ipv4.input.items() %}
 {%             set def_action = conf.default_action %}
     chain VYOS_INPUT_{{ prior }} {
         type filter hook input priority {{ prior }}; policy {{ def_action }};
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('INP',prior, rule_id) }}
 {%                     if rule_conf.recent is vyos_defined %}
 {%                         set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
     }
 {%         endfor %}
-{%         for set_name in ns.sets %}
-    set RECENT_{{ set_name }} {
-        type ipv4_addr
-        size 65535
-        flags dynamic
-    }
-{%         endfor %}
 {%     endif %}
 
 {%     if ipv4.output is vyos_defined %}
-{%         set ns = namespace(sets=[]) %}
 {%         for prior, conf in ipv4.output.items() %}
 {%             set def_action = conf.default_action %}
     chain VYOS_OUTPUT_{{ prior }} {
         type filter hook output priority {{ prior }}; policy {{ def_action }};
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('OUT', prior, rule_id) }}
 {%                     if rule_conf.recent is vyos_defined %}
 {%                         set ns.sets = ns.sets + ['OUT_' + prior + '_' + rule_id] %}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
     }
 {%         endfor %}
-{%         for set_name in ns.sets %}
-    set RECENT_{{ set_name }} {
-        type ipv4_addr
-        size 65535
-        flags dynamic
-    }
-{%         endfor %}
 {%     endif %}
-
     chain VYOS_FRAG_MARK {
         type filter hook prerouting priority -450; policy accept;
         ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
     }
 {%     if ipv4.prerouting is vyos_defined %}
-{%         set ns = namespace(sets=[]) %}
 {%         for prior, conf in ipv4.prerouting.items() %}
+{%             set def_action = conf.default_action %}
     chain VYOS_PREROUTING_{{ prior }} {
-        type filter hook prerouting priority {{ prior }}; policy accept;
+        type filter hook prerouting priority {{ prior }}; policy {{ def_action }};
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('PRE', prior, rule_id) }}
 {%                     if rule_conf.recent is vyos_defined %}
 {%                         set ns.sets = ns.sets + ['PRE_' + prior + '_' + rule_id] %}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
         {{ conf | nft_default_rule(prior) }}
-        # jump VYOS_POST_FW
-    }
-{%         endfor %}
-{%         for set_name in ns.sets %}
-    set RECENT_{{ set_name }} {
-        type ipv4_addr
-        size 65535
-        flags dynamic
     }
 {%         endfor %}
 {%     endif %}
+
 {%     if ipv4.name is vyos_defined %}
-{%         set ns = namespace(sets=[]) %}
 {%         for name_text, conf in ipv4.name.items() %}
     chain NAME_{{ name_text }} {
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('NAM', name_text, rule_id) }}
 {%                     if rule_conf.recent is vyos_defined %}
 {%                         set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
         {{ conf | nft_default_rule(name_text) }}
     }
 {%         endfor %}
-{%         for set_name in ns.sets %}
+{%     endif %}
+
+{%     for set_name in ns.sets %}
     set RECENT_{{ set_name }} {
         type ipv4_addr
         size 65535
         flags dynamic
     }
-{%         endfor %}
-{%         for set_name in ip_fqdn %}
+{%     endfor %}
+{%     for set_name in ip_fqdn %}
     set FQDN_{{ set_name }} {
         type ipv4_addr
         flags interval
     }
-{%         endfor %}
-{%         if geoip_updated.name is vyos_defined %}
-{%             for setname in geoip_updated.name %}
+{%     endfor %}
+{%     if geoip_updated.name is vyos_defined %}
+{%         for setname in geoip_updated.name %}
     set {{ setname }} {
         type ipv4_addr
         flags interval
     }
-{%             endfor %}
-{%         endif %}
+{%         endfor %}
 {%     endif %}
 {% endif %}
-
 {{ group_tmpl.groups(group, False) }}
 }
 
 {% if first_install is not vyos_defined %}
 delete table ip6 vyos_filter
 {% endif %}
 table ip6 vyos_filter {
 {% if ipv6 is vyos_defined %}
+{%     set ns = namespace(sets=[]) %}
 {%     if ipv6.forward is vyos_defined %}
-{%         set ns = namespace(sets=[]) %}
 {%         for prior, conf in ipv6.forward.items() %}
 {%             set def_action = conf.default_action %}
     chain VYOS_IPV6_FORWARD_{{ prior }} {
         type filter hook forward priority {{ prior }}; policy {{ def_action }};
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }}
 {%                     if rule_conf.recent is vyos_defined %}
 {%                         set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
     }
 {%         endfor %}
-{%         for set_name in ns.sets %}
-    set RECENT6_{{ set_name }} {
-        type ipv6_addr
-        size 65535
-        flags dynamic
-    }
-{%         endfor %}
 {%     endif %}
 
 {%     if ipv6.input is vyos_defined %}
-{%         set ns = namespace(sets=[]) %}
 {%         for prior, conf in ipv6.input.items() %}
 {%             set def_action = conf.default_action %}
     chain VYOS_IPV6_INPUT_{{ prior }} {
         type filter hook input priority {{ prior }}; policy {{ def_action }};
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }}
 {%                     if rule_conf.recent is vyos_defined %}
 {%                         set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
     }
 {%         endfor %}
-{%         for set_name in ns.sets %}
-    set RECENT6_{{ set_name }} {
-        type ipv6_addr
-        size 65535
-        flags dynamic
-    }
-{%         endfor %}
 {%     endif %}
 
 {%     if ipv6.output is vyos_defined %}
-{%         set ns = namespace(sets=[]) %}
 {%         for prior, conf in ipv6.output.items() %}
 {%             set def_action = conf.default_action %}
     chain VYOS_IPV6_OUTPUT_{{ prior }} {
         type filter hook output priority {{ prior }}; policy {{ def_action }};
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }}
 {%                     if rule_conf.recent is vyos_defined %}
 {%                         set ns.sets = ns.sets + ['OUT_ ' + prior + '_' + rule_id] %}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
     }
 {%         endfor %}
-{%         for set_name in ns.sets %}
-    set RECENT6_{{ set_name }} {
-        type ipv6_addr
-        size 65535
-        flags dynamic
-    }
-{%         endfor %}
 {%     endif %}
+
     chain VYOS_FRAG6_MARK {
         type filter hook prerouting priority -450; policy accept;
         exthdr frag exists meta mark set 0xffff1 return
     }
 
 {%     if ipv6.ipv6_name is vyos_defined %}
-{%         set ns = namespace(sets=[]) %}
 {%         for name_text, conf in ipv6.ipv6_name.items() %}
     chain NAME6_{{ name_text }} {
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'ip6') }}
 {%                     if rule_conf.recent is vyos_defined %}
 {%                         set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %}
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
         {{ conf | nft_default_rule(name_text, ipv6=True) }}
     }
 {%         endfor %}
-{%         for set_name in ip6_fqdn %}
-    set FQDN_{{ set_name }} {
-        type ipv6_addr
-        flags interval
-    }
-{%         endfor %}
-{%         for set_name in ns.sets %}
+{%     endif %}
+
+{%     for set_name in ns.sets %}
     set RECENT6_{{ set_name }} {
         type ipv6_addr
         size 65535
         flags dynamic
     }
-{%         endfor %}
-{%         if geoip_updated.ipv6_name is vyos_defined %}
-{%             for setname in geoip_updated.ipv6_name %}
+{%     endfor %}
+{%     for set_name in ip6_fqdn %}
+    set FQDN_{{ set_name }} {
+        type ipv6_addr
+        flags interval
+    }
+{%     endfor %}
+{%     if geoip_updated.ipv6_name is vyos_defined %}
+{%         for setname in geoip_updated.ipv6_name %}
     set {{ setname }} {
         type ipv6_addr
         flags interval
     }
-{%             endfor %}
-{%         endif %}
+{%         endfor %}
 {%     endif %}
 {% endif %}
-
 {{ group_tmpl.groups(group, True) }}
-
 }
\ No newline at end of file
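Review bot: In the IPv6 output block the name appended to `ns.sets` is built with `'OUT_ '` (trailing space), unlike `'OUT_'` in the IPv4 output block, so the consolidated `RECENT6_` loop at the end of the ip6 table would render `set RECENT6_OUT_ <prior>_<rule_id> {`. That name contains a space and presumably does not match the set that `nft_rule('OUT', prior, rule_id, 'ip6')` references, so an IPv6 output rule using `recent` would likely make the generated file fail to load and leave the intended ruleset unapplied. The line is unchanged context, but this commit reworks how these names become set declarations, so it is worth fixing here: `{% set ns.sets = ns.sets + ['OUT_' + prior + '_' + rule_id] %}`. A smoketest that sets `recent` on an IPv6 output filter rule would catch a regression.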
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11
index 9dad86b62..8cd2a4df8 100755
--- a/src/migration-scripts/firewall/10-to-11
+++ b/src/migration-scripts/firewall/10-to-11
@@ -1,373 +1,374 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # T5160: Firewall re-writing
 
 #  cli changes from:       
 #  set firewall name <name> ...
 #  set firewall ipv6-name <name> ...
 #  To
 #  set firewall ipv4 name <name> 
 #  set firewall ipv6 ipv6-name <name> 
 
 ## Also from 'firewall interface' removed.
 ## in and out:
     # set firewall interface <iface> [in|out] [name | ipv6-name] <name>
     # To
     # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> [inbound-interface | outboubd-interface] interface-name <iface>
     # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> action jump
     # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> jump-target <name>
 ## local:
     # set firewall interface <iface> local [name | ipv6-name] <name>
     # To
     # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> inbound-interface interface-name <iface>
     # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> action jump
     # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> jump-target <name>
 
 import re
 
 from sys import argv
 from sys import exit
 
 from vyos.configtree import ConfigTree
 from vyos.ifconfig import Section
 
 if (len(argv) < 1):
     print("Must specify file name!")
     exit(1)
 
 file_name = argv[1]
 
 with open(file_name, 'r') as f:
     config_file = f.read()
 
 base = ['firewall']
 config = ConfigTree(config_file)
 
 if not config.exists(base):
     # Nothing to do
     exit(0)
 
 ### Migration of state policies
 if config.exists(base + ['state-policy']):
     for family in ['ipv4', 'ipv6']:
         for hook in ['forward', 'input', 'output']:
             for priority in ['filter']:
                 # Add default-action== accept for compatibility reasons:
                 config.set(base + [family, hook, priority, 'default-action'], value='accept')
                 position = 1
                 for state in config.list_nodes(base + ['state-policy']):
                     action = config.return_value(base + ['state-policy', state, 'action'])
                     config.set(base + [family, hook, priority, 'rule'])
                     config.set_tag(base + [family, hook, priority, 'rule'])
                     config.set(base + [family, hook, priority, 'rule', position, 'state', state], value='enable')
                     config.set(base + [family, hook, priority, 'rule', position, 'action'], value=action)
                     position = position + 1
     config.delete(base + ['state-policy'])
 ############
 
 ## migration of global options:
 for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv6-receive-redirects', 'ipv6-src-route', 'log-martians',
                 'receive-redirects', 'resolver-cache', 'resolver-internal', 'send-redirects', 'source-validation', 'syn-cookies', 'twa-hazards-protection']:
     if config.exists(base + [option]):
         val = config.return_value(base + [option])
         config.set(base + ['global-options', option], value=val)
         config.delete(base + [option])
 
 ### Migration of firewall name and ipv6-name
 if config.exists(base + ['name']):
     config.set(['firewall', 'ipv4', 'name'])
     config.set_tag(['firewall', 'ipv4', 'name'])
 
     for ipv4name in config.list_nodes(base + ['name']):
         config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name])
     config.delete(base + ['name'])
 
 if config.exists(base + ['ipv6-name']):
     config.set(['firewall', 'ipv6', 'ipv6-name'])
     config.set_tag(['firewall', 'ipv6', 'ipv6-name'])
 
     for ipv6name in config.list_nodes(base + ['ipv6-name']):
         config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'ipv6-name', ipv6name])
     config.delete(base + ['ipv6-name'])
 
 ### Migration of firewall interface
 if config.exists(base + ['interface']):
     fwd_ipv4_rule = 5
     inp_ipv4_rule = 5
     fwd_ipv6_rule = 5
     inp_ipv6_rule = 5
     for iface in config.list_nodes(base + ['interface']):
         for direction in ['in', 'out', 'local']:
             if config.exists(base + ['interface', iface, direction]):
                 if config.exists(base + ['interface', iface, direction, 'name']):
                     target = config.return_value(base + ['interface', iface, direction, 'name'])
                     if direction == 'in':
                         # Add default-action== accept for compatibility reasons:
                         config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
                         new_base = base + ['ipv4', 'forward', 'filter', 'rule']
                         config.set(new_base)
                         config.set_tag(new_base)
                         config.set(new_base + [fwd_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface)
                         config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump')
                         config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target)
                         fwd_ipv4_rule = fwd_ipv4_rule + 5
                     elif direction == 'out':
                         # Add default-action== accept for compatibility reasons:
                         config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
                         new_base = base + ['ipv4', 'forward', 'filter', 'rule']
                         config.set(new_base)
                         config.set_tag(new_base)
                         config.set(new_base + [fwd_ipv4_rule, 'outbound-interface', 'interface-name'], value=iface)
                         config.set(new_base + [fwd_ipv4_rule, 'action'], value='jump')
                         config.set(new_base + [fwd_ipv4_rule, 'jump-target'], value=target)
                         fwd_ipv4_rule = fwd_ipv4_rule + 5
                     else:
                         # Add default-action== accept for compatibility reasons:
                         config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept')
                         new_base = base + ['ipv4', 'input', 'filter', 'rule']
                         config.set(new_base)
                         config.set_tag(new_base)
                         config.set(new_base + [inp_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface)
                         config.set(new_base + [inp_ipv4_rule, 'action'], value='jump')
                         config.set(new_base + [inp_ipv4_rule, 'jump-target'], value=target)
                         inp_ipv4_rule = inp_ipv4_rule + 5
 
                 if config.exists(base + ['interface', iface, direction, 'ipv6-name']):
                     target = config.return_value(base + ['interface', iface, direction, 'ipv6-name'])
                     if direction == 'in':
                         # Add default-action== accept for compatibility reasons:
                         config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
                         new_base = base + ['ipv6', 'forward', 'filter', 'rule']
                         config.set(new_base)
                         config.set_tag(new_base)
                         config.set(new_base + [fwd_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface)
                         config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump')
                         config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target)
                         fwd_ipv6_rule = fwd_ipv6_rule + 5
                     elif direction == 'out':
                         # Add default-action== accept for compatibility reasons:
                         config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
                         new_base = base + ['ipv6', 'forward', 'filter', 'rule']
                         config.set(new_base)
                         config.set_tag(new_base)
                         config.set(new_base + [fwd_ipv6_rule, 'outbound-interface', 'interface-name'], value=iface)
                         config.set(new_base + [fwd_ipv6_rule, 'action'], value='jump')
                         config.set(new_base + [fwd_ipv6_rule, 'jump-target'], value=target)
                         fwd_ipv6_rule = fwd_ipv6_rule + 5
                     else:
                         new_base = base + ['ipv6', 'input', 'filter', 'rule']
                         # Add default-action== accept for compatibility reasons:
                         config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept')
                         config.set(new_base)
                         config.set_tag(new_base)
                         config.set(new_base + [inp_ipv6_rule, 'inbound-interface', 'interface-name'], value=iface)
                         config.set(new_base + [inp_ipv6_rule, 'action'], value='jump')
                         config.set(new_base + [inp_ipv6_rule, 'jump-target'], value=target)
                         inp_ipv6_rule = inp_ipv6_rule + 5
 
     config.delete(base + ['interface'])
 
 
 ### Migration of zones config v2:
 ### User interface groups 
 if config.exists(base + ['zone']):
     inp_ipv4_rule = 101
     inp_ipv6_rule = 101
     fwd_ipv4_rule = 101
     fwd_ipv6_rule = 101
     out_ipv4_rule = 101
     out_ipv6_rule = 101
     local_zone = 'False'
 
     for zone in config.list_nodes(base + ['zone']):
         if config.exists(base + ['zone', zone, 'local-zone']):
             local_zone = 'True'
             # Add default-action== accept for compatibility reasons:
             config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept')
             config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept')
             config.set(base + ['ipv4', 'output', 'filter', 'default-action'], value='accept')
             config.set(base + ['ipv6', 'output', 'filter', 'default-action'], value='accept')
             for from_zone in config.list_nodes(base + ['zone', zone, 'from']):
                 group_name = 'IG_' + from_zone
                 if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']):
                     # ipv4 input ruleset
                     target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name'])
                     config.set(base + ['ipv4', 'input', 'filter', 'rule'])
                     config.set_tag(base + ['ipv4', 'input', 'filter', 'rule'])
                     config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name)
                     config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump')
                     config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
                     inp_ipv4_rule = inp_ipv4_rule + 5
                 if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']):
                     # ipv6 input ruleset
                     target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name'])
                     config.set(base + ['ipv6', 'input', 'filter', 'rule'])
                     config.set_tag(base + ['ipv6', 'input', 'filter', 'rule'])
                     config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name)
                     config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value='jump')
                     config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'jump-target'], value=target_ipv6_chain)
                     inp_ipv6_rule = inp_ipv6_rule + 5
 
             # Migrate: set firewall zone <zone> default-action <action>
             # Options: drop or reject. If not specified, is drop
             if config.exists(base + ['zone', zone, 'default-action']):
                 local_def_action = config.return_value(base + ['zone', zone, 'default-action'])
             else:
                 local_def_action = 'drop'
             config.set(base + ['ipv4', 'input', 'filter', 'rule'])
             config.set_tag(base + ['ipv4', 'input', 'filter', 'rule'])
             config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action)
             config.set(base + ['ipv6', 'input', 'filter', 'rule'])
             config.set_tag(base + ['ipv6', 'input', 'filter', 'rule'])
             config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value=local_def_action)
             if config.exists(base + ['zone', zone, 'enable-default-log']):
                 config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable')
                 config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'log'], value='enable')
 
         else:
         # It's not a local zone
             group_name = 'IG_' + zone
             # Add default-action== accept for compatibility reasons:
             config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept')
             config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept')
             # intra-filtering migration. By default accept
             intra_zone_ipv4_action = 'accept'
             intra_zone_ipv6_action = 'accept'
             
             if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'action']):
                 intra_zone_ipv4_action = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'action'])
                 intra_zone_ipv6_action = intra_zone_ipv4_action
             else:
                 if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']):
                     intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name'])
                     intra_zone_ipv4_action = 'jump'
                 if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']):
                     intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name'])
                     intra_zone_ipv6_action = 'jump'
             config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
             config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
             config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
             config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name)
             config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action)
+            config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
             config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
             config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
             config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name)
             config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value=intra_zone_ipv6_action)
             if intra_zone_ipv4_action == 'jump':
                 if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']):
                     intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name'])
                     config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target)
             if intra_zone_ipv6_action == 'jump':
                 if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']):
                     intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name'])
                     config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'jump-target'], value=intra_zone_ipv6_target)
             fwd_ipv4_rule = fwd_ipv4_rule + 5
             fwd_ipv6_rule = fwd_ipv6_rule + 5
 
             if config.exists(base + ['zone', zone, 'interface']):
                 # Create interface group IG_<zone>
                 group_name = 'IG_' + zone
                 config.set(base + ['group', 'interface-group'], value=group_name)
                 config.set_tag(base + ['group', 'interface-group'])
                 for iface in config.return_values(base + ['zone', zone, 'interface']):
                     config.set(base + ['group', 'interface-group', group_name, 'interface'], value=iface, replace=False)
 
             if config.exists(base + ['zone', zone, 'from']):
                 for from_zone in config.list_nodes(base + ['zone', zone, 'from']):
                     from_group = 'IG_' + from_zone
                     if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']):
                         target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name'])
                         if config.exists(base + ['zone', from_zone, 'local-zone']):
                             # It's from LOCAL zone -> Output filtering 
                             config.set(base + ['ipv4', 'output', 'filter', 'rule'])
                             config.set_tag(base + ['ipv4', 'output', 'filter', 'rule'])
                             config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
                             config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump')
                             config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
                             out_ipv4_rule = out_ipv4_rule + 5
                         else:
                             # It's not LOCAL zone -> forward filtering
                             config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
                             config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
                             config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
                             config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group)
                             config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump')
                             config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain)
                             fwd_ipv4_rule = fwd_ipv4_rule + 5
                     if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']):
                         target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name'])
                         if config.exists(base + ['zone', from_zone, 'local-zone']):
                             # It's from LOCAL zone -> Output filtering
                             config.set(base + ['ipv6', 'output', 'filter', 'rule'])
                             config.set_tag(base + ['ipv6', 'output', 'filter', 'rule'])
                             config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
                             config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value='jump')
                             config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'jump-target'], value=target_ipv6_chain)
                             out_ipv6_rule = out_ipv6_rule + 5
                         else:
                             # It's not LOCAL zone -> forward filtering
                             config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
                             config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
                             config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
                             config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=from_group)
                             config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value='jump')
                             config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'jump-target'], value=target_ipv6_chain)
                             fwd_ipv6_rule = fwd_ipv6_rule + 5
 
             ## Now need to migrate: set firewall zone <zone> default-action <action>    # action=drop if not specified.
             if config.exists(base + ['zone', zone, 'default-action']):
                 def_action = config.return_value(base + ['zone', zone, 'default-action'])
             else:
                 def_action = 'drop'
             config.set(base + ['ipv4', 'forward', 'filter', 'rule'])
             config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule'])
             config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name)
             config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action)
             description = 'zone_' + zone + ' default-action'
             config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description)
             config.set(base + ['ipv6', 'forward', 'filter', 'rule'])
             config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule'])
             config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name)
             config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'action'], value=def_action)
             config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'description'], value=description)
 
             if config.exists(base + ['zone', zone, 'enable-default-log']):
                 config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable')
                 config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'log'], value='enable')
             fwd_ipv4_rule = fwd_ipv4_rule + 5
             fwd_ipv6_rule = fwd_ipv6_rule + 5
 
     # Migrate default-action (force to be drop in output chain) if local zone is defined
     if local_zone == 'True':
         # General drop in output change if needed
         config.set(base + ['ipv4', 'output', 'filter', 'rule'])
         config.set_tag(base + ['ipv4', 'output', 'filter', 'rule'])
         config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action)
         config.set(base + ['ipv6', 'output', 'filter', 'rule'])
         config.set_tag(base + ['ipv6', 'output', 'filter', 'rule'])
         config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value=local_def_action)
 
     config.delete(base + ['zone'])
 
 ###### END migration zones v2
 
 try:
     with open(file_name, 'w') as f:
         f.write(config.to_string())
 except OSError as e:
     print("Failed to save the modified config: {}".format(e))
     exit(1)
\ No newline at end of file