From f3c30e9c9198bb2d5dbd2be351ebf5285ab37d4b Mon Sep 17 00:00:00 2001 From: Giacomo Sanchietti Date: Tue, 11 Feb 2025 13:58:44 +0100 Subject: [PATCH 1/2] fix(migration): remove unused policies Avoid the following error when there is a conflict of names: Traceback (most recent call last): File "/usr/share/ns-migration/20wan", line 89, in mwan.store_policy(u, f'{pname[0:6]}_only', [i]) File "/usr/lib/python3.11/site-packages/nethsec/mwan/__init__.py", line 257, in store_policy nethsec.utils.ValidationError: ('name', 'unique', 'timene_only')
---
 packages/ns-migration/files/scripts/wan | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/packages/ns-migration/files/scripts/wan b/packages/ns-migration/files/scripts/wan
index 19748d911..9f1c67b9c 100755
--- a/packages/ns-migration/files/scripts/wan
+++ b/packages/ns-migration/files/scripts/wan
@@ -82,12 +82,6 @@ else:
 # create mwan policy
 mwan.store_policy(u, policy_name, interfaces)
-# generate one policy for each interface to ease divert rules creation
-for i in interfaces:
- pname = i.get("name")
- # make sure to not exceed 12 chars
- mwan.store_policy(u, f'{pname[0:6]}_only', [i])
-
 # divert rule are not migrated
 # push default rule to the end
From a82b8d4c14091633de08b94531a240bd2ed5e00b Mon Sep 17 00:00:00 2001 
From: Giacomo Sanchietti Date: Tue, 11 Feb 2025 13:59:05 +0100 Subject: [PATCH 2/2] fix(migration): network, use truncated names Before the commit, if a network was truncated to 15 chars, the new short name was used inside the `network` config database but not inside the `firewall` database: the firewall zone was pointing to a non existing network, Example: - original name of the interface was 'timenet_ftth_12345' - value saved inside the network db: config interface 'timenet_ftth_1' option proto 'static' - value saved inside 'firewall' db: config zone 'ns_wan' option name 'wan' option output 'ACCEPT' option input 'DROP' option forward 'REJECT' list network 'timenet_ftth_12345'
---
 packages/ns-migration/files/scripts/network | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/packages/ns-migration/files/scripts/network b/packages/ns-migration/files/scripts/network
index ca1e60436..076979207 100755
--- a/packages/ns-migration/files/scripts/network
+++ b/packages/ns-migration/files/scripts/network
@@ -19,6 +19,7 @@ alias_zones = dict()
 devices = dict()
 bond_zones = dict()
 bonds = dict()
+interface_names = dict()
 def exists(key):
 try:
@@ -236,11 +237,12 @@ for a in data['aliases']:
 # Create interfaces
 for i in data['interfaces']:
- iname = utils.sanitize(i["interface"])
+ siname = utils.sanitize(i["interface"])
 if i["proto"] == "pppoe":
- iname = iname[0:8] # make sure interface name is 8 chars max, reserve space for "pppoe-" prefix
+ iname = siname[0:8] # make sure interface name is 8 chars max, reserve space for "pppoe-" prefix
 else:
- iname = iname[0:14] # make sure interface name is 15 chars max
+ iname = siname[0:14] # make sure interface name is 15 chars max
+ interface_names[siname] = iname
 nsmigration.vprint(f'Creating interface {iname}')
 u.set("network", iname, "interface") # create named record
 u.set("network", iname, "proto", i["proto"])
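Review bot: Truncating `siname` to 14 (or 8 for pppoe) characters can map two distinct interfaces onto the same `iname`; `interface_names[siname] = iname` records both without complaint, and the `u.set("network", iname, "interface")` that follows then silently overwrites the first interface's section, so the zone lookup introduced in the next hunk would attach both networks' zones to whichever interface survives, and the surviving interface could end up governed by a zone it was never meant to be in. Patch 1/2 of this series hit exactly this collision class with 6-character policy names (`'unique', 'timene_only'`), so it is not hypothetical. A guard before the assignment makes it visible: `if iname in interface_names.values(): raise ValueError(f'truncated interface name {iname} collides with another interface')`. Separately, `iname = siname[0:14]` keeps 14 characters while its comment says `15 chars max`; since the line is rewritten here, make the comment match, e.g. `# keep 14 chars, below the 15-char limit`. The `for i in data['interfaces']` loop continues past the end of the hunk.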
@@ -290,7 +292,8 @@ for z in data['zones']:
 if base_name in z["network"]:
 z["network"].remove(base_name) # avoid duplicate bond like bond0 and bond0_lan
 z["network"] = z["network"] + bond_zones[z["name"]]
- u.set("firewall", zname, "network", [utils.sanitize(n) for n in z["network"]])
+ # retrieve reduced network name, if present
+ u.set("firewall", zname, "network", [interface_names.get(utils.sanitize(n), utils.sanitize(n)) for n in z["network"]])
 if z["name"].startswith("wan"): # setup masquerading for wans
 u.set("firewall", zname, "masq", '1')
 u.set("firewall", zname, "mtu_fix", '1')
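Review bot: The new comprehension calls `utils.sanitize(n)` twice per network; bind it once, e.g. `[interface_names.get(s, s) for s in map(utils.sanitize, z["network"])]`. The fallback to the un-truncated name also silently reproduces the dangling-zone reference this commit fixes for any network that was not registered in `interface_names` (networks produced by the alias or bond paths, if those do not register there — the hunk does not show it), leaving a zone such as `ns_wan` with its `input 'DROP'` policy bound to no real interface. Logging through `nsmigration.vprint` when `s not in interface_names` would surface such cases in the migration output instead of hiding them. The `for z in data['zones']` loop body begins before this hunk.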