wlb: T7196: Migrate interface wildcards to nftables format

* wlb: T7196: Migrate interface wildcards to nftables format * wlb: T7196: Fix exclude/interface verify check * wlb: T7196: Extra sanity check on ipv4 address function
vyos · Feb 26, 2025 · 92ad401 · 92ad401
1 parent 4ce3b92
commit 92ad401
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 7 deletions.
diff --git a/interface-definitions/include/version/wanloadbalance-version.xml.i b/interface-definitions/include/version/wanloadbalance-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/wanloadbalance-version.xml.i -->
-<syntaxVersion component='wanloadbalance' version='3'></syntaxVersion>
+<syntaxVersion component='wanloadbalance' version='4'></syntaxVersion>
 <!-- include end -->
diff --git a/smoketest/scripts/cli/test_load-balancing_wan.py b/smoketest/scripts/cli/test_load-balancing_wan.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2022-2024 VyOS maintainers and contributors
+# Copyright (C) 2022-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -272,6 +272,9 @@ def test_criteria_failover_hook(self):
         self.cli_set(base_path + ['wan', 'interface-health', isp2_iface, 'failure-count', '1'])
         self.cli_set(base_path + ['wan', 'interface-health', isp2_iface, 'nexthop', '192.0.2.2'])
         self.cli_set(base_path + ['wan', 'interface-health', isp2_iface, 'success-count', '1'])
+        self.cli_set(base_path + ['wan', 'rule', '5', 'exclude'])
+        self.cli_set(base_path + ['wan', 'rule', '5', 'inbound-interface', 'eth*'])
+        self.cli_set(base_path + ['wan', 'rule', '5', 'destination', 'address', '10.0.0.0/8'])
         self.cli_set(base_path + ['wan', 'rule', '10', 'failover'])
         self.cli_set(base_path + ['wan', 'rule', '10', 'inbound-interface', lan_iface])
         self.cli_set(base_path + ['wan', 'rule', '10', 'protocol', 'udp'])
@@ -291,6 +294,7 @@ def test_criteria_failover_hook(self):
         # Verify isp1 + criteria
 
         nftables_search = [
+            [f'iifname "eth*"', 'ip daddr 10.0.0.0/8', 'return'],
             [f'iifname "{lan_iface}"', 'ip saddr 198.51.100.0/24', 'udp sport 53', 'ip daddr 192.0.2.0/24', 'udp dport 53', f'jump wlb_mangle_isp_{isp1_iface}']
         ]
 

diff --git a/src/conf_mode/load-balancing_wan.py b/src/conf_mode/load-balancing_wan.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2023-2024 VyOS maintainers and contributors
+# Copyright (C) 2023-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -71,8 +71,8 @@ def verify(lb):
 
     if 'rule' in lb:
         for rule_id, rule_conf in lb['rule'].items():
-            if 'interface' not in rule_conf:
-                raise ConfigError(f'Interface not specified on load-balancing wan rule {rule_id}')
+            if 'interface' not in rule_conf and 'exclude' not in rule_conf:
+                raise ConfigError(f'Interface or exclude not specified on load-balancing wan rule {rule_id}')
 
             if 'failover' in rule_conf and 'exclude' in rule_conf:
                 raise ConfigError(f'Failover cannot be configured with exclude on load-balancing wan rule {rule_id}')

diff --git a/src/helpers/vyos-load-balancer.py b/src/helpers/vyos-load-balancer.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python3
 
-# Copyright 2024 VyOS maintainers and contributors <[email protected]>
+# Copyright 2024-2025 VyOS maintainers and contributors <[email protected]>
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -95,7 +95,7 @@ def on_state_change(lb, ifname, state):
 def get_ipv4_address(ifname):
     # Get primary ipv4 address on interface (for source nat)
     addr_json = get_interface_address(ifname)
-    if 'addr_info' in addr_json and len(addr_json['addr_info']) > 0:
+    if addr_json and 'addr_info' in addr_json and len(addr_json['addr_info']) > 0:
         for addr_info in addr_json['addr_info']:
             if addr_info['family'] == 'inet':
                 if 'local' in addr_info:

diff --git a/src/migration-scripts/wanloadbalance/3-to-4 b/src/migration-scripts/wanloadbalance/3-to-4
@@ -0,0 +1,33 @@
+# Copyright 2025 VyOS maintainers and contributors <[email protected]>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.configtree import ConfigTree
+
+base = ['load-balancing', 'wan']
+
+def migrate(config: ConfigTree) -> None:
+    if not config.exists(base):
+        # Nothing to do
+        return
+
+    if config.exists(base + ['rule']):
+        for rule in config.list_nodes(base + ['rule']):
+            rule_base = base + ['rule', rule]
+
+            if config.exists(rule_base + ['inbound-interface']):
+                ifname = config.return_value(rule_base + ['inbound-interface'])
+
+                if ifname.endswith('+'):
+                    config.set(rule_base + ['inbound-interface'], value=ifname.replace('+', '*'))