#!/usr/bin/perl
#
# Module: vyatta-show-ignore.pl
#
# **** License ****
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# This code was originally developed by Vyatta, Inc.
# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
# All Rights Reserved.
#
# Author: Gaurav Sinha
# Date: Aug 2012
# Description: Script to show conntrack ignore entries
#
#
# **** End License ****
#
use Getopt::Long;
use XML::Simple;
use Data::Dumper;
use POSIX;
use lib "/opt/vyatta/share/perl5";
use Vyatta::Conntrack::ConntrackUtil;
use Vyatta::Misc;
use warnings;
use strict;
# Numeric comparator for `sort numerically @list`; reads the package
# globals $a and $b that sort() populates for each comparison.
sub numerically {
    return $a <=> $b;
}
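# Print the configured conntrack ignore rules together with the packet and
# byte counters of the matching entries in the raw-table VYOS_CT_IGNORE chain.
#
# Rules are read from the committed configuration tree under
# "system conntrack ignore rule"; counters come from the output of
# `sudo iptables-nft -L VYOS_CT_IGNORE -t raw -nv` (fixed command, nothing
# interpolated into it).
#
# Returns nothing. Dies when the chain listing is empty ("no ignore rules
# configured") or when the listing command exits non-zero.
sub print_ignore_rules {
    my $format_ignore_rules = "%-5s %-22s %-22s %-10s %-5s %-5s %-5s\n";
    print "\n";

    # Vyatta::Config is not imported by this file itself; it is presumably
    # brought in by one of the Vyatta::* modules loaded above -- verify.
    my $config = Vyatta::Config->new;
    $config->setLevel("system conntrack ignore rule");
    my @rules = sort numerically $config->listOrigNodes();

    my @rules_in_chain = `sudo iptables-nft -L VYOS_CT_IGNORE -t raw -nv`;
    if (!@rules_in_chain) {
        die "Error: no ignore rules configured\n";
    }
    # Partial output from a failed listing would be paired with the wrong
    # configured rules below; refuse rather than print misleading counters.
    if ($? != 0) {
        die "Error: listing chain VYOS_CT_IGNORE failed (exit status " . ($? >> 8) . ")\n";
    }

    printf($format_ignore_rules, 'rule', 'source', 'destination', 'protocol', 'int', 'pkts', 'bytes');
    splice(@rules_in_chain, 0, 2);    # drop the "Chain ..." and column-header lines

    # Each configured rule is assumed to occupy two consecutive lines of the
    # chain listing, the first of which carries the counters shown here.
    # TODO(review): confirm this stride against the script that builds the chain.
    my $lines_per_rule = 2;
    my $rulecount      = 0;
    foreach my $rule (@rules) {
        $config->setLevel("system conntrack ignore rule $rule");
        my $sourceAddress      = _value_or($config->returnOrigValue("source address"),      "0.0.0.0");
        my $sourcePort         = _value_or($config->returnOrigValue("source port"),         "any");
        my $destinationAddress = _value_or($config->returnOrigValue("destination address"), "0.0.0.0");
        my $destPort           = _value_or($config->returnOrigValue("destination port"),    "any");
        my $protocol           = _value_or($config->returnOrigValue("protocol"),            "all");
        my $interface          = _value_or($config->returnOrigValue("inbound-interface"),   "all");
        $sourceAddress      .= ":$sourcePort";
        $destinationAddress .= ":$destPort";

        # Counters are the leading "pkts bytes" columns of the -nv listing.
        # When the chain is shorter than the configuration (no line for this
        # rule) show '-' instead of emitting uninitialized-value warnings.
        my ($pkts, $bytes) = ('-', '-');
        my $rule_ipt = $rules_in_chain[$rulecount];
        if (defined $rule_ipt) {
            my @words = split(' ', $rule_ipt);
            $pkts  = _value_or($words[0], '-');
            $bytes = _value_or($words[1], '-');
        }
        printf($format_ignore_rules, $rule, $sourceAddress, $destinationAddress, $protocol, $interface, $pkts, $bytes);
        $rulecount += $lines_per_rule;
    }
    return;
}

# Return $value when it is defined, otherwise $default.
sub _value_or {
    my ($value, $default) = @_;
    return defined $value ? $value : $default;
}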
#
# main: print the ignore-rule table; any failure inside dies with a message.
#
print_ignore_rules();
exit 0;
# end of file