From 581f1d68c4e6903f8da5530d20baa7611f5cd640 Mon Sep 17 00:00:00 2001 From: l0crian1 Date: Sat, 30 Mar 2024 11:21:03 -0400 Subject: T6188: add description to show firewall (cherry picked from commit b2ced47bdc547ada59b37e6617422188e150282c) --- src/op_mode/firewall.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'src/op_mode/firewall.py') diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index cae8ace8c..d9a50d1b2 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -102,7 +102,7 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N if 'disable' in rule_conf: continue - row = [rule_id, rule_conf['action'], rule_conf['protocol'] if 'protocol' in rule_conf else 'all'] + row = [rule_id, rule_conf.get('description', ''), rule_conf['action'], rule_conf['protocol'] if 'protocol' in rule_conf else 'all'] if rule_id in details: rule_details = details[rule_id] row.append(rule_details.get('packets', 0)) @@ -114,7 +114,7 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N def_action = firewall_conf['default_action'] if 'default_action' in firewall_conf else 'accept' else: def_action = firewall_conf['default_action'] if 'default_action' in firewall_conf else 'drop' - row = ['default', def_action, 'all'] + row = ['default', '', def_action, 'all'] rule_details = details['default-action'] row.append(rule_details.get('packets', 0)) row.append(rule_details.get('bytes', 0)) @@ -122,7 +122,7 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N rows.append(row) if rows: - header = ['Rule', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions'] + header = ['Rule', 'Description', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions'] print(tabulate.tabulate(rows, header) + '\n') def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule_id=None): 
@@ -191,7 +191,7 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule if not oiface: oiface = 'any' - row = [rule_id] + row = [rule_id, rule_conf.get('description', '')] if rule_id in details: rule_details = details[rule_id] row.append(rule_details.get('packets', 0)) @@ -208,7 +208,7 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule if hook in ['input', 'forward', 'output']: - row = ['default'] + row = ['default', ''] rule_details = details['default-action'] row.append(rule_details.get('packets', 0)) row.append(rule_details.get('bytes', 0)) @@ -223,7 +223,7 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule rows.append(row) elif 'default_action' in prior_conf and not single_rule_id: - row = ['default'] + row = ['default', ''] if 'default-action' in details: rule_details = details['default-action'] row.append(rule_details.get('packets', 0)) @@ -239,7 +239,7 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule rows.append(row) if rows: - header = ['Rule', 'Packets', 'Bytes', 'Action', 'Source', 'Destination', 'Inbound-Interface', 'Outbound-interface'] + header = ['Rule', 'Description', 'Packets', 'Bytes', 'Action', 'Source', 'Destination', 'Inbound-Interface', 'Outbound-interface'] print(tabulate.tabulate(rows, header) + '\n') def show_firewall(): -- cgit v1.2.3 From 484d5ab1fce46c70ec70cf09099e13d31b094f6e Mon Sep 17 00:00:00 2001 
From: l0crian1 Date: Mon, 1 Apr 2024 11:14:54 -0400 Subject: modified: op-mode-definitions/firewall.xml.in - Added show firewall detail paths modified: src/op_mode/firewall.py - Added Description as a header to normal "show firewall" commands - Added 'detail' view which shows the output in a list key-pair format Description column was added for these commands and their subsections: show firewall statistics show firewall groups show firewall Detail view was added for these commands: show firewall bridge forward filter detail show firewall bridge forward filter rule detail show firewall bridge name detail show firewall bridge name rule detail show firewall ipv4 forward filter detail show firewall ipv4 forward filter rule detail show firewall ipv4 input filter detail show firewall ipv4 input filter rule detail show firewall ipv4 output filter detail show firewall ipv4 output filter rule detail show firewall ipv4 name detail show firewall ipv4 name rule detail show firewall ipv6 forward filter detail show firewall ipv6 forward filter rule detail show firewall ipv6 input filter detail show firewall ipv6 input filter rule detail show firewall ipv6 output filter detail show firewall ipv6 output filter rule detail show firewall ipv6 name detail show firewall ipv6 name rule detail show firewall group detail show firewall group detail (cherry picked from commit 025438ccacc654274efbd3bea8b13fcc73ae08b6) --- op-mode-definitions/firewall.xml.in | 241 +++++++++++++++++++++++++++++++++++- src/op_mode/firewall.py | 38 ++++-- 2 files changed, 267 insertions(+), 12 deletions(-) (limited to 'src/op_mode/firewall.py') diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in index 50d52d6ca..6a254ee11 100644 --- a/op-mode-definitions/firewall.xml.in +++ b/op-mode-definitions/firewall.xml.in 
@@ -19,14 +19,36 @@ firewall group ipv6-network-group + + + + Show list view of firewall groups + + firewall group detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --name $4 --detail $5 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --name $4 - + Show firewall group + + + + Show list view of firewall group + + firewall group detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --detail $4 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show_group - + Show bridge firewall @@ -42,6 +64,15 @@ Show bridge forward filter firewall ruleset + + + Show list view of bridge forward filter firewall rules + + firewall bridge forward filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of bridge forward filter firewall rules @@ -49,6 +80,17 @@ firewall bridge forward filter rule + + + + Show list view of specific bridge forward filter firewall rule + + firewall bridge forward filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -64,6 +106,15 @@ + + + Show list view of bridge custom firewall chains + + firewall bridge name detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of bridge custom firewall ruleset @@ -71,6 +122,17 @@ firewall bridge name ${COMP_WORDS[5]} rule + + + + Show list view of bridge custom firewall rules + + firewall bridge name ${COMP_WORDS[5]} rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 
@@ -94,6 +156,15 @@ Show IPv6 forward filter firewall ruleset + + + Show list view of IPv6 forward filter firewall ruleset + + firewall ipv6 forward filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv6 forward filter firewall rules @@ -101,6 +172,17 @@ firewall ipv6 forward filter rule + + + + Show list view of IPv6 forward filter firewall rules + + firewall ipv6 forward filter rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -118,6 +200,15 @@ Show IPv6 forward input firewall ruleset + + + Show list view of IPv6 input firewall ruleset + + firewall ipv6 input filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv6 input filter firewall rules @@ -125,6 +216,17 @@ firewall ipv6 input filter rule + + + + Show list view of IPv6 input filter firewall rules + + firewall ipv6 input filter rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -142,6 +244,15 @@ Show IPv6 output filter firewall ruleset + + + Show list view of IPv6 output input firewall ruleset + + firewall ipv6 output filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv6 output filter firewall rules 
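Review bot: The help text added for the IPv6 output filter detail node reads `Show list view of IPv6 output input firewall ruleset`, where "output input" appears to be carried over from the input node; it should read `Show list view of IPv6 output filter firewall ruleset`, matching the IPv4 output node added later in this commit. The XML tags were stripped in this rendering, so only the help strings and command lines are visible here.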
@@ -149,6 +260,17 @@ firewall ipv6 output filter rule + + + + Show list view of IPv6 output filter firewall rules + + firewall ipv6 output filter rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -164,6 +286,15 @@ + + + Show list view of IPv6 custom firewall chains + + firewall ipv6 name detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv6 custom firewall ruleset @@ -171,6 +302,17 @@ firewall ipv6 name ${COMP_WORDS[5]} rule + + + + Show list view of IPv6 custom firewall rules + + firewall ipv6 name ${COMP_WORDS[5]} rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -194,6 +336,15 @@ Show IPv4 forward filter firewall ruleset + + + Show list view of IPv4 forward filter firewall ruleset + + firewall ipv4 forward filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv4 forward filter firewall rules @@ -201,6 +352,17 @@ firewall ipv4 forward filter rule + + + + Show list view of IPv4 forward filter firewall rules + + firewall ipv4 forward filter rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 
@@ -218,6 +380,15 @@ Show IPv4 forward input firewall ruleset + + + Show list view of IPv4 input filter firewall ruleset + + firewall ipv4 input filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv4 input filter firewall rules @@ -225,6 +396,17 @@ firewall ipv4 input filter rule + + + + Show list view of IPv4 input filter firewall rules + + firewall ipv4 input filter rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -242,6 +424,15 @@ Show IPv4 output filter firewall ruleset + + + Show list view of IPv4 output filter firewall ruleset + + firewall ipv4 input output detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv4 output filter firewall rules @@ -249,6 +440,17 @@ firewall ipv4 output filter rule + + + + Show list view of IPv4 output filter firewall rules + + firewall ipv4 input output rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -264,6 +466,15 @@ + + + Show list view of IPv4 custom firewall chains + + firewall ipv4 name detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv4 custom firewall ruleset 
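Review bot: The two new IPv4 output filter detail nodes carry the wrong command path in their help text, `firewall ipv4 input output detail` and `firewall ipv4 input output rule detail`, while every sibling node on this page uses the `<family> <hook> filter` order; they should read `firewall ipv4 output filter detail` and `firewall ipv4 output filter rule detail`. The node text itself (`Show list view of IPv4 output filter firewall ruleset`) is correct, so this looks like a copy-paste slip from the input node above it.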
@@ -271,6 +482,17 @@ firewall ipv4 name ${COMP_WORDS[5]} rule + + + + Show list view of IPv4 custom firewall ruleset + + firewall ipv4 name ${COMP_WORDS[5]} rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -279,12 +501,23 @@ sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3 - + Show statistics of firewall application + + + + Show list view of firewall statistics + + firewall statistics detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show_statistics --detail $4 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show_statistics - + Show summary of firewall application diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index d9a50d1b2..b7c3d87c2 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -18,6 +18,7 @@ import argparse import ipaddress import re import tabulate +import textwrap from vyos.config import Config from vyos.utils.process import cmd @@ -88,6 +89,17 @@ def get_nftables_details(family, hook, priority): out[rule_id] = rule return out +def output_firewall_vertical(rules, headers): + if args.rule: + rules.pop() + + for rule in rules: + adjusted_rule = rule + [""] * (len(headers) - len(rule)) # account for different header length, like default-action + transformed_rule = [[header, textwrap.fill(adjusted_rule[i].replace('\n', ' '), 100)] for i, header in enumerate(headers)] # create key-pair list from headers and rules lists; wrap at 100 char + + print(tabulate.tabulate(transformed_rule, tablefmt="presto")) + print() + def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=None): print(f'\n---------------------------------\n{family} Firewall "{hook} {priority}"\n') 
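Review bot: `adjusted_rule[i].replace('\n', ' ')` in the new output_firewall_vertical assumes every cell is a str, but the rows it receives carry counters appended as `rule_details.get('packets', 0)` / `.get('bytes', 0)` (visible in the next hunk), whose default is an int, so the detail view raises AttributeError for a rule without counters, and for any counter the nftables parser returns as a number. Coerce before wrapping: `textwrap.fill(str(adjusted_rule[i]).replace('\n', ' '), 100)`. The function also reads the module-global `args`, which is only bound under `if __name__ == '__main__':`, so it and the `args.detail` checks added to output_firewall_name and output_firewall_name_statistics in the following hunks cannot be exercised when the module is imported; passing the mode in as a keyword parameter (e.g. `detail=False`) would remove that hidden dependency. `rules.pop()` additionally mutates the caller's list in place, which is surprising for a print helper.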
@@ -102,7 +114,7 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N if 'disable' in rule_conf: continue - row = [rule_id, rule_conf.get('description', ''), rule_conf['action'], rule_conf['protocol'] if 'protocol' in rule_conf else 'all'] + row = [rule_id, textwrap.fill(rule_conf.get('description') or '', 50), rule_conf['action'], rule_conf['protocol'] if 'protocol' in rule_conf else 'all'] if rule_id in details: rule_details = details[rule_id] row.append(rule_details.get('packets', 0)) @@ -123,7 +135,10 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N if rows: header = ['Rule', 'Description', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions'] - print(tabulate.tabulate(rows, header) + '\n') + if args.detail: + output_firewall_vertical(rows, header) + else: + print(tabulate.tabulate(rows, header) + '\n') def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule_id=None): print(f'\n---------------------------------\n{family} Firewall "{hook} {prior}"\n') @@ -191,7 +206,7 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule if not oiface: oiface = 'any' - row = [rule_id, rule_conf.get('description', '')] + row = [rule_id, textwrap.fill(rule_conf.get('description') or '', 50)] if rule_id in details: rule_details = details[rule_id] row.append(rule_details.get('packets', 0)) @@ -240,7 +255,10 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule if rows: header = ['Rule', 'Description', 'Packets', 'Bytes', 'Action', 'Source', 'Destination', 'Inbound-Interface', 'Outbound-interface'] - print(tabulate.tabulate(rows, header) + '\n') + if args.detail: + output_firewall_vertical(rows, header) + else: + print(tabulate.tabulate(rows, header) + '\n') def show_firewall(): print('Rulesets Information') 
@@ -428,7 +446,7 @@ def show_firewall_group(name=None): return out - header = ['Name', 'Type', 'References', 'Members'] + header = ['Name', 'Description','Type', 'References', 'Members'] rows = [] for group_type, group_type_conf in firewall['group'].items(): @@ -440,7 +458,7 @@ def show_firewall_group(name=None): continue references = find_references(group_type, group_name) - row = [group_name, group_type, '\n'.join(references) or 'N/D'] + row = [group_name, textwrap.fill(group_conf.get('description') or '', 50), group_type, '\n'.join(references) or 'N/D'] if 'address' in group_conf: row.append("\n".join(sorted(group_conf['address']))) elif 'network' in group_conf: @@ -460,13 +478,16 @@ def show_firewall_group(name=None): if dynamic_type in firewall['group']['dynamic_group']: for dynamic_name, dynamic_conf in firewall['group']['dynamic_group'][dynamic_type].items(): references = find_references(dynamic_type, dynamic_name) - row = [dynamic_name, dynamic_type + '(dynamic)', '\n'.join(references) or 'N/D'] + row = [dynamic_name, textwrap.fill(dynamic_conf.get('description') or '', 50), dynamic_type + '(dynamic)', '\n'.join(references) or 'N/D'] row.append('N/D') rows.append(row) if rows: print('Firewall Groups\n') - print(tabulate.tabulate(rows, header)) + if args.detail: + output_firewall_vertical(rows, header) + else: + print(tabulate.tabulate(rows, header)) def show_summary(): print('Ruleset Summary') @@ -538,6 +559,7 @@ if __name__ == '__main__': parser.add_argument('--priority', help='Firewall priority', required=False, action='store', nargs='?', default='') parser.add_argument('--rule', help='Firewall Rule ID', required=False) parser.add_argument('--ipv6', help='IPv6 toggle', action='store_true') + parser.add_argument('--detail', help='Firewall view select', required=False) args = parser.parse_args() -- cgit v1.2.3 From 9a682c0a4116785f9611f7804f35c28db8fea2b5 Mon Sep 17 00:00:00 2001 
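Review bot: `--detail` is declared as a value-taking option (no `action`), so `args.detail` is whatever token follows it — in the op-mode XML on this page that is `$4`/`$6`/`$8`, i.e. the literal word `detail` from the command path — and a bare `--detail` fails argparse with "expected one argument". Declare it as a flag, `parser.add_argument('--detail', help='Show rules as vertical key/value lists', action='store_true')`, and drop the trailing `$N` from the XML invocations; the current help string `Firewall view select` also does not say what the option does.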
From: l0crian1 Date: Mon, 1 Apr 2024 11:32:32 -0400 Subject: T6188: - modified: src/op_mode/firewall.py Changed behavior of "show firewall" for specific rule to only show rule and not also default-action (cherry picked from commit a7c5205ab12e767c6c60887033694c597e01f21b) --- src/op_mode/firewall.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/op_mode/firewall.py') diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index b7c3d87c2..26f3a5156 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -90,9 +90,6 @@ def get_nftables_details(family, hook, priority): return out def output_firewall_vertical(rules, headers): - if args.rule: - rules.pop() - for rule in rules: adjusted_rule = rule + [""] * (len(headers) - len(rule)) # account for different header length, like default-action transformed_rule = [[header, textwrap.fill(adjusted_rule[i].replace('\n', ' '), 100)] for i, header in enumerate(headers)] # create key-pair list from headers and rules lists; wrap at 100 char @@ -134,6 +131,9 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N rows.append(row) if rows: + if args.rule: + rows.pop() + header = ['Rule', 'Description', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions'] if args.detail: output_firewall_vertical(rows, header) -- cgit v1.2.3 From f08ccb6635d63c920b36f1d57b1ef4f3e6603e27 Mon Sep 17 00:00:00 2001 
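Review bot: `rows.pop()` under `if args.rule:` in output_firewall_name removes the last row blindly on the assumption that it is the default-action row appended earlier in the function (that append is outside this hunk); if the default row was not appended for that call, the pop discards the requested rule instead. The function already receives `single_rule_id`, and output_firewall_name_statistics guards its default row with `not single_rule_id`, so the more robust fix is the same guard, `if not single_rule_id:`, around the block that builds the default row, and no pop at all, which also stops this function depending on the module-global `args`.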
From: l0crian1 <143656816+l0crian1@users.noreply.github.com> Date: Fri, 5 Apr 2024 08:48:15 -0400 Subject: T6188: Add description to detail view only For readability in console sessions, moved the description column to only be shown in the detail view. Changed wrapping in the detail view for description to 65 characters to prevent full line wrapping in console sessions. (cherry picked from commit 4dba82c7517f4a93b9727d22104e4a339bad127a) --- src/op_mode/firewall.py | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'src/op_mode/firewall.py') diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index 26f3a5156..25554b781 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -92,7 +92,7 @@ def get_nftables_details(family, hook, priority): def output_firewall_vertical(rules, headers): for rule in rules: adjusted_rule = rule + [""] * (len(headers) - len(rule)) # account for different header length, like default-action - transformed_rule = [[header, textwrap.fill(adjusted_rule[i].replace('\n', ' '), 100)] for i, header in enumerate(headers)] # create key-pair list from headers and rules lists; wrap at 100 char + transformed_rule = [[header, textwrap.fill(adjusted_rule[i].replace('\n', ' '), 65)] for i, header in enumerate(headers)] # create key-pair list from headers and rules lists; wrap at 100 char print(tabulate.tabulate(transformed_rule, tablefmt="presto")) print() 
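Review bot: The wrap width in output_firewall_vertical changes from 100 to 65 here, but the trailing comment on the same line still says `wrap at 100 char`, so it now contradicts the code. Update it to `# key/value pairs from headers and row; wrap at 65 chars`, or hoist the width into a named constant such as `DETAIL_WRAP_WIDTH = 65` with a one-line comment giving the console-width rationale from the commit message, so the number and its reason live in one place.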
@@ -134,10 +134,13 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N if args.rule: rows.pop() - header = ['Rule', 'Description', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions'] if args.detail: + header = ['Rule', 'Description', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions'] output_firewall_vertical(rows, header) else: + header = ['Rule', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions'] + for i in rows: + rows[rows.index(i)].pop(1) print(tabulate.tabulate(rows, header) + '\n') def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule_id=None): @@ -254,10 +257,13 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule rows.append(row) if rows: - header = ['Rule', 'Description', 'Packets', 'Bytes', 'Action', 'Source', 'Destination', 'Inbound-Interface', 'Outbound-interface'] if args.detail: + header = ['Rule', 'Description', 'Packets', 'Bytes', 'Action', 'Source', 'Destination', 'Inbound-Interface', 'Outbound-interface'] output_firewall_vertical(rows, header) else: + header = ['Rule', 'Packets', 'Bytes', 'Action', 'Source', 'Destination', 'Inbound-Interface', 'Outbound-interface'] + for i in rows: + rows[rows.index(i)].pop(1) print(tabulate.tabulate(rows, header) + '\n') def show_firewall(): @@ -446,7 +452,6 @@ def show_firewall_group(name=None): return out - header = ['Name', 'Description','Type', 'References', 'Members'] rows = [] for group_type, group_type_conf in firewall['group'].items(): @@ -485,8 +490,12 @@ def show_firewall_group(name=None): if rows: print('Firewall Groups\n') if args.detail: + header = ['Name', 'Description','Type', 'References', 'Members'] output_firewall_vertical(rows, header) else: + header = ['Name', 'Type', 'References', 'Members'] + for i in rows: + rows[rows.index(i)].pop(1) print(tabulate.tabulate(rows, header)) def show_summary(): -- cgit v1.2.3
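Review bot: `for i in rows: rows[rows.index(i)].pop(1)` in the table branch of output_firewall_name re-looks-up each row by value although `i` already is the row object; it should simply be `for row in rows: row.pop(1)`. Beyond the needless O(n²) scan, `list.index` returns the first row that compares equal, so in the edge case where an already-popped row compares equal to a later, still-unpopped one, that later row is never popped and its cells shift under the wrong headers. The same loop is added in the output_firewall_name_statistics and show_firewall_group hunks below. Since the description cell is built with `textwrap.fill` on every row only to be removed again in table mode, it would be simpler to include it in the row only when `args.detail` is set.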