Merge pull request #3632 from c-po/fixup-firewall

firewall: T3900: fix migration and smoketests
vyos · Jun 11, 2024 · dd813e5 · dd813e5
2 parents 397743f + 2cbc4eb
commit dd813e5
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/smoketest/config-tests/dialup-router-wireguard-ipv6 b/smoketest/config-tests/dialup-router-wireguard-ipv6
@@ -192,10 +192,6 @@ set service snmp location 'CLOUD'
 set system conntrack expect-table-size '2048'
 set system conntrack hash-size '32768'
 set system conntrack table-size '262144'
-set system conntrack timeout icmp '30'
-set system conntrack timeout other '600'
-set system conntrack timeout udp other '300'
-set system conntrack timeout udp stream '300'
 set system domain-name 'vyos.net'
 set system host-name 'r1'
 set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
@@ -216,6 +212,10 @@ set firewall global-options receive-redirects 'disable'
 set firewall global-options send-redirects 'enable'
 set firewall global-options source-validation 'disable'
 set firewall global-options syn-cookies 'enable'
+set firewall global-options timeout icmp '30'
+set firewall global-options timeout other '600'
+set firewall global-options timeout udp other '300'
+set firewall global-options timeout udp stream '300'
 set firewall global-options twa-hazards-protection 'disable'
 set firewall group address-group DMZ-RDP-SERVER address '172.16.33.40'
 set firewall group address-group DMZ-RDP-SERVER description 'Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata'

diff --git a/src/migration-scripts/firewall/15-to-16 b/src/migration-scripts/firewall/15-to-16
@@ -42,8 +42,9 @@ if not config.exists(conntrack_base):
 
 for protocol in ['icmp', 'tcp', 'udp', 'other']:
     if config.exists(conntrack_base + [protocol]):
-        if not config.exists(firewall_base):
+        if not config.exists(firewall_base + ['timeout']):
             config.set(firewall_base + ['timeout'])
+
         config.copy(conntrack_base + [protocol], firewall_base + ['timeout', protocol])
         config.delete(conntrack_base + [protocol])
 
@@ -52,4 +53,4 @@ try:
         f.write(config.to_string())
 except OSError as e:
     print("Failed to save the modified config: {}".format(e))
-    exit(1)
+    exit(1)