author | Bob Gilligan <gilligan@sydney.vyatta.com> | 2007-12-14 18:26:36 -0800 |
---|---|---|
committer | Bob Gilligan <gilligan@sydney.vyatta.com> | 2007-12-14 18:26:36 -0800 |
commit | 543de3ad1e144d0ab8f31a47bee8b21bb1fae264 (patch) | |
tree | 6d3b8ec7df301c01c1a0e9b203a0ce50ea03064d | |
Initial commit of operational mode templates and scripts for the
firewall subsystem.
29 files changed, 1108 insertions, 0 deletions
@@ -0,0 +1 @@
+eng@vyatta.com
@@ -0,0 +1,27 @@
+/*
+ * Package: vyatt-op-firewall
+ *
+ * **** License ****
+ * Version: VPL 1.0
+ *
+ * The contents of this file are subject to the Vyatta Public License
+ * Version 1.0 ("License"); you may not use this file except in
+ * compliance with the License. You may obtain a copy of the License at
+ * http://www.vyatta.com/vpl
+ *
+ * Software distributed under the License is distributed on an "AS IS"
+ * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ * the License for the specific language governing rights and limitations
+ * under the License.
+ *
+ * This code was originally developed by Vyatta, Inc.
+ * Portions created by Vyatta are Copyright (C) "YEAR" Vyatta, Inc.
+ * All Rights Reserved.
+ *
+ * Author: Bob Gilligan
+ * Date: 2007
+ * Description: Vyatta operational command completion and base templates
+ *
+ * **** End License ****
+ *
+ */
diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/ChangeLog
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 0000000..d44534a
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,22 @@
+opdir = $(datadir)/vyatta-op/templates
+
+xsldir = @XSLDIR@
+
+sbin_SCRIPTS =
+xsl_DATA =
+
+sbin_SCRIPTS += scripts/firewall/vyatta-show-firewall.pl
+
+xsl_DATA += src/xsl/show_firewall_detail.xsl
+xsl_DATA += src/xsl/show_firewall_statistics_brief.xsl
+xsl_DATA += src/xsl/show_firewall_statistics.xsl
+xsl_DATA += src/xsl/show_firewall.xsl
+
+cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \
+ cpio -0pd
+
+install-exec-hook:
+ mkdir -p $(DESTDIR)$(opdir)
+ cd templates; $(cpiop) $(DESTDIR)$(opdir)
+
+
@@ -0,0 +1 @@
+see http://www.vyatta.com/news/
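Review bot: In `install-exec-hook` the recipe line `cd templates; $(cpiop) $(DESTDIR)$(opdir)` runs the find/cpio pipeline even when the `cd` fails, in which case the whole source tree is copied into the template directory; `cd templates && $(cpiop) $(DESTDIR)$(opdir)` stops at the failure instead. The `cpiop` pipeline itself filters out only editor backups (`~`, `.bak`, `.swp`, `#…#`), so anything else left under templates/ is installed as a live completion template.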
@@ -0,0 +1,48 @@
+This package has the Vyatta operational command completion script and
+base template tree. The default root of this tree is:
+ /opt/vyatta/share/vyatta-op/templates
+
+Each directory within this tree is a respective command line argument;
+for example, the .../templates/show/interfaces/ethernet directory
+completes the command line "show interfaces ethernet". Thus, the
+directory name is generally equivalent to the command or argument
+name. The only exception are directories named "node.tag"; these
+represent dynamic or variable command arguments. For example,
+.../templates/show/interfaces/ethernet/node.tag completes the active
+system interfaces like "show interfaces ethernet eth0".
+
+Every template directory must have one and only one file named
+"node.def". This file defines the node help string and run command,
+like .../templates/show/interfaces/node.def:
+
+help: "Show network interface information"
+run: ${vyatta_bindir}/vyatta-show-interfaces
+
+Notes:
+ - field tags (i.e. help and run) must be at the start of line
+ - try to limit help strings to 64 characters
+ - run commands may span multiple lines but subsequent lines must
+ not begin with "WORD:"
+
+The run command is an evaluated shell expression that may contain the
+positional command line argument variables (i.e. $1, $*, $@).
+However, since the command itself, is evaluated through an aliased
+function, $1 is the command name rather than the usual $0. So, the
+command "show interfaces ethernet eth0" would evaluate the respective
+run command with $4 == eth0.
+
+The variable argument .../node.tag/node.def files may also define an
+"allowed" field. This is a misnomer since it's really used to produce
+a list of possible completions rather than what is allowed during
+execution. The fields contents are evaluated shell expression that
+outputs (stdout) the list of possible completion values; like
+.../templates/show/interfaces/ethernet/node.tag/node.def:
+
+help: "Show given ethernet interface information"
+allowed: local -a array=( /sys/class/net/{eth,vmnet}* ) ;
+ echo -n ${array[@]##*/}
+run: ${vyatta_bindir}/vyatta-show-interfaces ethernet $4
+
+A blank or missing "allowed" field means that there is no completion
+for the respective node; for such nodes a '*' placeholder tag is
+displayed with the help text.
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 0000000..b9f650c
--- /dev/null
+++ b/configure.ac
@@ -0,0 +1,32 @@
+# Process this file with autoconf to produce a configure script.
+AC_PREREQ(2.59)
+
+m4_define([VERSION_ID], [m4_esyscmd([
+ if test -f .version ; then
+ head -n 1 .version | tr -d \\n
+ else
+ echo -n 2.4
+ fi])])
+AC_INIT([vyatta-op-firewall], VERSION_ID, [vyatta-support@vyatta.com])
+
+test -n "$VYATTA_VERSION" || VYATTA_VERSION=$PACKAGE_VERSION
+
+AC_CONFIG_AUX_DIR([config])
+AM_INIT_AUTOMAKE([gnu no-dist-gzip dist-bzip2 subdir-objects])
+AC_PREFIX_DEFAULT([/opt/vyatta])
+
+XSLDIR=/opt/vyatta/share/xsl/
+
+AC_ARG_ENABLE([nostrip],
+ AC_HELP_STRING([--enable-nostrip],
+ [include -nostrip option during packaging]),
+ [NOSTRIP=-nostrip], [NOSTRIP=])
+
+AC_CONFIG_FILES(
+ [Makefile])
+
+AC_SUBST(NOSTRIP)
+AC_SUBST(XSLDIR)
+
+AC_OUTPUT
+
diff --git a/debian/README b/debian/README
new file mode 100644
index 0000000..8f18bbd
--- /dev/null
+++ b/debian/README
@@ -0,0 +1,7 @@
+The Debian Package vyatta-op-firewall
+-------------------------------------
+
+This package has the CLI template for the "show firewall" command
+
+
+ -- Bob Gilligan <gilligan@vyatta.com> Wed 12 Dec 2007
diff --git a/debian/autogen.sh b/debian/autogen.sh
new file mode 100755
index 0000000..ff125d1
--- /dev/null
+++ b/debian/autogen.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+
+if [ -d .git ] ; then
+# generate GNU/Debian format ChangeLog from git log
+
+ rm -f ChangeLog
+
+ if which git2cl >/dev/null ; then
+ git-log --pretty --numstat --summary | git2cl >> ChangeLog
+ else
+ git-log --pretty=short >> ChangeLog
+ fi
+
+# append repository reference
+
+ url=` git repo-config --get remote.origin.url`
+ test "x$url" = "x" && url=`pwd`
+
+ branch=`git-branch --no-color | sed '/^\* /!d; s/^\* //'`
+ test "x$branch" = "x" && branch=master
+
+ sha=`git log --pretty=oneline --no-color -n 1 | cut -c-8`
+ test "x$sha" = "x" && sha=00000000
+
+ echo "$url#$branch-$sha" >> ChangeLog
+
+fi
+
+rm -rf config
+rm -f aclocal.m4 config.guess config.statusconfig.sub configure INSTALL
+
+autoreconf --force --install
+
+rm -f config.sub config.guess
+ln -s /usr/share/misc/config.sub .
+ln -s /usr/share/misc/config.guess .
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..1e047b4
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+vyatta-op-firewall (0.1) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Bob Gilligan <gilligan@vyatta.co> Wed, 12 Nov 2007 15:29:15 -0700
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..7ed6ff8
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+5
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..b4acc52
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,18 @@
+Source: vyatta-op-firewall
+Section: contrib/net
+Priority: extra
+Maintainer: Bob Gilligan <gilligan@vyatta.com>
+Build-Depends: debhelper (>= 5), autotools-dev
+Standards-Version: 3.7.2
+
+Package: vyatta-op-firewall
+Architecture: all
+Depends: bash (>= 3.1),
+ vyatta-op
+Suggests: util-linux (>= 2.13-5),
+ net-tools,
+ ethtool,
+ ncurses-bin (>= 5.5-5),
+ ntpdate
+Description: Vyatta operational commands for firewall.
+ Vyatta operational commands for firewall.
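Review bot: The cleanup line `rm -f aclocal.m4 config.guess config.statusconfig.sub configure INSTALL` is missing the space between `config.status` and `config.sub`, so neither file is removed before `autoreconf` runs (config.sub is caught by the later `rm -f config.sub config.guess`, a stale config.status is not); it should read `rm -f aclocal.m4 config.guess config.status config.sub configure INSTALL`. The `url=` assignment also has a stray space right after its opening backtick, which is harmless but reads like a typo.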
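Review bot: The `Depends:` field lists only `bash (>= 3.1)` and `vyatta-op`, but the script this package installs is Perl, runs `iptables`, pipes into `/opt/vyatta/libexec/xorp/render_xml` and `use`s VyattaConfig and VyattaIpTablesRule, and none of the packages providing those are declared (which package ships the Vyatta Perl modules and render_xml is not visible here). Declaring `perl` and `iptables` together with the package that ships those modules keeps the op-mode command from failing at runtime on a minimal install.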
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..372ac2b
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,35 @@
+This package was debianized by Bob Gilligan <gilligan@vyatta.com> on
+Wed Dec 12 15:31:43 PST 2007
+
+
+It's original content from the GIT repository <http://vyatt.com/git/>
+
+Upstream Author:
+
+ <eng@vyatta.com>
+
+Copyright:
+
+ Copyright (C) 2007 Vyatta, Inc.
+ All Rights Reserved.
+
+License:
+
+ The contents of this package are subject to the Vyatta Public License
+ Version 1.0 ("License"); you may not use this file except in
+ compliance with the License. You may obtain a copy of the License at
+ http://www.vyatta.com/vpl
+
+ Software distributed under the License is distributed on an "AS IS"
+ basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+ the License for the specific language governing rights and limitations
+ under the License.
+
+ This code was originally developed by Vyatta, Inc.
+ Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
+
+On Debian systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
+
+The Debian packaging is (C) 2007, Vyatta, Inc., and
+is licensed under the GPL, see above.
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..50bd824
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,2 @@
+NEWS
+README
diff --git a/debian/linda b/debian/linda
new file mode 100644
index 0000000..0381d9d
--- /dev/null
+++ b/debian/linda
@@ -0,0 +1 @@
+Tag: file-in-opt
diff --git a/debian/lintian b/debian/lintian
new file mode 100644
index 0000000..b648e16
--- /dev/null
+++ b/debian/lintian
@@ -0,0 +1,2 @@
+vyatta-op-firewall: file-in-unusual-dir
+vyatta-op-firewall: dir-or-file-in-opt
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..a0aa472
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,102 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+
+# These are used for cross-compiling and for saving the configure script
+# from having to guess our platform (since we know it already)
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+PACKAGE=vyatta-op-firewall
+PKGDIR=$(CURDIR)/debian/$(PACKAGE)
+
+CFLAGS = -Wall -g
+
+configure = ./configure
+configure += --host=$(DEB_HOST_GNU_TYPE)
+configure += --build=$(DEB_BUILD_GNU_TYPE)
+configure += --prefix=/opt/vyatta
+configure += --mandir=\$${prefix}/share/man
+configure += --infodir=\$${prefix}/share/info
+configure += CFLAGS="$(CFLAGS)"
+configure += LDFLAGS="-Wl,-z,defs"
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+
+configure: configure.ac Makefile.am
+ chmod +x debian/autogen.sh
+ debian/autogen.sh
+
+config.status: configure
+ dh_testdir
+ rm -f config.cache
+ $(configure)
+
+build: build-stamp
+
+build-stamp: config.status
+ dh_testdir
+ $(MAKE)
+ touch $@
+
+clean: clean-patched
+
+# Clean everything up, including everything auto-generated
+# at build time that needs not to be kept around in the Debian diff
+clean-patched:
+ dh_testdir
+ dh_testroot
+ if test -f Makefile ; then $(MAKE) clean distclean ; fi
+ rm -f build-stamp
+ rm -f config.status config.sub config.guess config.log
+ rm -f aclocal.m4 configure Makefile.in Makefile INSTALL
+ rm -f etc/default/vyatta
+ rm -rf config
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ $(MAKE) DESTDIR=$(PKGDIR) install
+
+ install -D --mode=0644 debian/lintian $(PKGDIR)/usr/share/lintian/overrides/$(PACKAGE)
+ install -D --mode=0644 debian/linda $(PKGDIR)/usr/share/linda/overrides/$(PACKAGE)
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs ChangeLog
+ dh_installdocs
+ dh_install
+ dh_installdebconf
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# This is an architecture independent package
+# so; we have nothing to do by default.
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
diff --git a/scripts/firewall/vyatta-show-firewall.pl b/scripts/firewall/vyatta-show-firewall.pl
new file mode 100755
index 0000000..241a03a
--- /dev/null
+++ b/scripts/firewall/vyatta-show-firewall.pl
@@ -0,0 +1,90 @@
+#!/usr/bin/perl
+
+use lib "/opt/vyatta/share/perl5/";
+use VyattaConfig;
+use VyattaIpTablesRule;
+use VyattaIpTablesAddressFilter;
+
+exit 1 if ($#ARGV < 1);
+my $chain_name = $ARGV[0];
+my $xsl_file = $ARGV[1];
+my $rule_num = $ARGV[2]; # rule number to match (optional)
+
+sub numerically { $a <=> $b; }
+
+sub show_chain {
+ my $chain = shift;
+ my $fh = shift;
+
+ open(STATS, "iptables -L $chain -vn |") or exit 1;
+ my @stats = ();
+ while (<STATS>) {
+ if (!/^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s/) {
+ next;
+ }
+ push @stats, ($1, $2);
+ }
+ close STATS;
+
+ print $fh "<opcommand name='firewallrules'><format type='row'>\n";
+ my $config = new VyattaConfig;
+ $config->setLevel("firewall name $chain rule");
+ my @rules = sort numerically $config->listOrigNodes();
+ foreach (@rules) {
+ # just take the stats from the 1st iptables rule and remove unneeded stats
+ # (if this rule corresponds to multiple iptables rules). note that
+ # depending on how our rule is translated into multiple iptables rules,
+ # this may actually need to be the sum of all corresponding iptables stats
+ # instead of just taking the first pair.
+ my $pkts = shift @stats;
+ my $bytes = shift @stats;
+ my $rule = new VyattaIpTablesRule;
+ $rule->setupOrig("firewall name $chain rule $_");
+ my $ipt_rules = $rule->get_num_ipt_rules();
+ splice(@stats, 0, (($ipt_rules - 1) * 2));
+
+ if (defined($rule_num) && $rule_num != $_) {
+ next;
+ }
+ print $fh " <row>\n";
+ print $fh " <rule_number>$_</rule_number>\n";
+ print $fh " <pkts>$pkts</pkts>\n";
+ print $fh " <bytes>$bytes</bytes>\n";
+ $rule->outputXml($fh);
+ print $fh " </row>\n";
+ }
+ if (!defined($rule_num)) {
+ # dummy rule
+ print $fh " <row>\n";
+ print $fh " <rule_number>1025</rule_number>\n";
+ my $pkts = shift @stats;
+ my $bytes = shift @stats;
+ print $fh " <pkts>$pkts</pkts>\n";
+ print $fh " <bytes>$bytes</bytes>\n";
+ my $rule = new VyattaIpTablesRule;
+ $rule->setupDummy();
+ $rule->outputXml($fh);
+ print $fh " </row>\n";
+ }
+ print $fh "</format></opcommand>\n";
+}
+
+if ($chain_name eq "-all") {
+ my $config = new VyattaConfig;
+ $config->setLevel("firewall name");
+ my @chains = $config->listOrigNodes();
+ foreach (@chains) {
+ print "Firewall \"$_\":\n";
+ open(RENDER, "| /opt/vyatta/libexec/xorp/render_xml $xsl_file") or exit 1;
+ show_chain($_, *RENDER{IO});
+ close RENDER;
+ print "-" x 80 . "\n";
+ }
+} else {
+ open(RENDER, "| /opt/vyatta/libexec/xorp/render_xml $xsl_file") or exit 1;
+ show_chain($chain_name, *RENDER{IO});
+ close RENDER;
+}
+
+exit 0;
+
diff --git a/src/xsl/show_firewall.xsl b/src/xsl/show_firewall.xsl
new file mode 100644
index 0000000..d40f024
--- /dev/null
+++ b/src/xsl/show_firewall.xsl
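Review bot: `$chain_name` and `$xsl_file` are taken straight from `@ARGV` and interpolated into two-argument pipe opens (`open(STATS, "iptables -L $chain -vn |")` in show_chain, and the two `open(RENDER, "| /opt/vyatta/libexec/xorp/render_xml $xsl_file")` calls), so /bin/sh parses them and any shell metacharacter in an argument is executed; whether the op-mode templates that invoke this script already constrain those arguments is not visible here. The list form of open hands the argument vector to execvp without a shell, which closes that path for both the user-supplied chain name and the names read back from the config tree, and a syntax check on the three arguments at the top rejects anything that could not be a firewall name, a stylesheet path or a rule number. `$rule_num` is also used in a numeric compare (`$rule_num != $_`) without validation, so a non-numeric third argument warns and compares as 0. Separately, if iptables prints fewer counter lines than the config has rules, `shift @stats` yields undef and empty `<pkts>`/`<bytes>` elements are written; a defined check there would make the mismatch visible instead of silently producing blank counters.
```perl
# … unchanged: use lines and the argument-count check …
my $chain_name = $ARGV[0];
my $xsl_file = $ARGV[1];
my $rule_num = $ARGV[2]; # rule number to match (optional)
# reject anything that cannot be a chain name, a stylesheet path or a rule
# number before it reaches a subprocess (constructed allow-lists; adjust the
# chain pattern to the name syntax the config tree actually accepts)
exit 1 unless ($chain_name eq "-all" || $chain_name =~ /^[A-Za-z0-9_.-]+$/);
exit 1 unless ($xsl_file =~ m{^[A-Za-z0-9_./-]+$});
exit 1 if (defined($rule_num) && $rule_num !~ /^\d+$/);

# … unchanged: numerically …

sub show_chain {
    my $chain = shift;
    my $fh = shift;

    # list-form open: the argument vector goes straight to execvp, no shell
    open(STATS, "-|", "iptables", "-L", $chain, "-vn") or exit 1;
    # … unchanged: counter parsing and XML output …
}

# … unchanged: -all branch and single-chain branch, except the render pipe …
open(RENDER, "|-", "/opt/vyatta/libexec/xorp/render_xml", $xsl_file) or exit 1;
```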
@@ -0,0 +1,202 @@ +<?xml version="1.0"?> +<!DOCTYPE stylesheet [ +<!ENTITY newln " "> +]> + +<!-- /* + * Copyright 2006, Vyatta, Inc. + * + * GNU General Public License + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License, version 2, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA + * + * Module: show_firewall.xsl + * + * Author: Mike Horn + * Date: 2006 + * + */ --> + +<!--XSL Template for formatting the "show firewall <name>" command--> + +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> + +<xsl:variable name="pad6" select="' '"/> +<xsl:variable name="pad6_len" select="string-length($pad6)"/> +<xsl:variable name="pad7" select="' '"/> +<xsl:variable name="pad7_len" select="string-length($pad7)"/> +<xsl:variable name="pad8" select="' '"/> +<xsl:variable name="pad8_len" select="string-length($pad8)"/> +<xsl:variable name="pad20" select="' '"/> +<xsl:variable name="pad20_len" select="string-length($pad20)"/> + +<xsl:comment> FORMAT HEADER LINES </xsl:comment> + +<xsl:template match="opcommand"> +<xsl:text>&newln;</xsl:text> +<xsl:text>&newln;</xsl:text> +<xsl:text>State Codes: E - Established, I - Invalid, N - New, R - Related&newln;</xsl:text> +<xsl:text>&newln;</xsl:text> +<xsl:text>rule action source destination proto state</xsl:text> +<xsl:text>&newln;</xsl:text> +<xsl:text>---- ------ ------ ----------- ----- ----- </xsl:text> +<xsl:text>&newln;</xsl:text> + +<xsl:for-each 
select="format/row"> + +<xsl:value-of select="rule_number"/> +<xsl:value-of select="substring($pad6,1,$pad6_len - string-length(rule_number))"/> + +<xsl:value-of select="action"/> +<xsl:value-of select="substring($pad8,1,$pad8_len - string-length(action))"/> + + <xsl:choose> + <xsl:when test="src_addr!='' and src_addr!='0.0.0.0'"> + <xsl:value-of select="src_addr"/> + <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(src_addr))"/> + </xsl:when> + + <xsl:when test="src_net!='' and src_addr!='0.0.0.0/0'"> + <xsl:value-of select="src_net"/> + <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(src_net))"/> + </xsl:when> + + <xsl:when test="src_addr_start!='' and src_addr_start!='0.0.0.0'"> + <xsl:text>Range (use detail) </xsl:text> + </xsl:when> + + <xsl:otherwise> + <xsl:text>0.0.0.0/0</xsl:text> + <xsl:value-of select="substring($pad20,1,$pad20_len - 9)"/> + </xsl:otherwise> + </xsl:choose> + + <xsl:choose> + <xsl:when test="dst_addr!='' and dst_addr!='0.0.0.0'"> + <xsl:value-of select="dst_addr"/> + <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(dst_addr))"/> + </xsl:when> + + <xsl:when test="dst_net!='' and dst_addr!='0.0.0.0/0'"> + <xsl:value-of select="dst_net"/> + <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(dst_net))"/> + </xsl:when> + + <xsl:when test="dst_addr_start!='' and dst_addr_start!='0.0.0.0'"> + <xsl:text>Range (use detail) </xsl:text> + </xsl:when> + + <xsl:otherwise> + <xsl:text>0.0.0.0/0</xsl:text> + <xsl:value-of select="substring($pad20,1,$pad20_len - 9)"/> + </xsl:otherwise> + </xsl:choose> + +<xsl:value-of select="protocol"/> +<xsl:value-of select="substring($pad7,1,$pad7_len - string-length(protocol))"/> + + <xsl:choose> + <xsl:when test="contains(state, 'established%2C')"> + <xsl:text>E,</xsl:text> + </xsl:when> + <xsl:when test="contains(state, 'established')"> + <xsl:text>E</xsl:text> + </xsl:when> + </xsl:choose> + <xsl:choose> + <xsl:when test="contains(state, 
'new%2C')"> + <xsl:text>N,</xsl:text> + </xsl:when> + <xsl:when test="contains(state, 'new')"> + <xsl:text>N</xsl:text> + </xsl:when> + </xsl:choose> + <xsl:choose> + <xsl:when test="contains(state, 'related%2C')"> + <xsl:text>R,</xsl:text> + </xsl:when> + <xsl:when test="contains(state, 'related')"> + <xsl:text>R</xsl:text> + </xsl:when> + </xsl:choose> + <xsl:choose> + <xsl:when test="contains(state, 'invalid%2C')"> + <xsl:text>I,</xsl:text> + </xsl:when> + <xsl:when test="contains(state, 'invalid')"> + <xsl:text>I</xsl:text> + </xsl:when> + </xsl:choose> + <xsl:choose> + <xsl:when test="state=''"> + <xsl:text>any</xsl:text> + </xsl:when> + </xsl:choose> + + <xsl:text>&newln;</xsl:text> + + <xsl:if test="src_port_num!='' or src_port_name!='' or src_port_start!=''"> + <xsl:value-of select="$pad6"/> + <xsl:value-of select="$pad8"/> + <xsl:text>src ports: </xsl:text> + <xsl:if test="src_port_num!=''"> + <xsl:value-of select="src_port_num"/> + <xsl:if test="src_port_name!='' or src_port_start!=''"> + <xsl:text>,</xsl:text> + </xsl:if> + </xsl:if> + <xsl:if test="src_port_name!=''"> + <xsl:value-of select="src_port_name"/> + <xsl:if test="src_port_start!=''"> + <xsl:text>,</xsl:text> + </xsl:if> + </xsl:if> + <xsl:if test="src_port_start!=''"> + <xsl:value-of select="src_port_start"/> + <xsl:text>-</xsl:text> + <xsl:value-of select="src_port_stop"/> + </xsl:if> + <xsl:text>&newln;</xsl:text> + </xsl:if> + + <xsl:if test="dst_port_num!='' or dst_port_name!='' or dst_port_start!=''"> + <xsl:value-of select="$pad6"/> + <xsl:value-of select="$pad8"/> + <xsl:value-of select="$pad20"/> + <xsl:text>dst ports: </xsl:text> + <xsl:if test="dst_port_num!=''"> + <xsl:value-of select="dst_port_num"/> + <xsl:if test="dst_port_name!='' or dst_port_start!=''"> + <xsl:text>,</xsl:text> + </xsl:if> + </xsl:if> + <xsl:if test="dst_port_name!=''"> + <xsl:value-of select="dst_port_name"/> + <xsl:if test="dst_port_start!=''"> + <xsl:text>,</xsl:text> + </xsl:if> + </xsl:if> + <xsl:if 
test="dst_port_start!=''"> + <xsl:value-of select="dst_port_start"/> + <xsl:text>-</xsl:text> + <xsl:value-of select="dst_port_stop"/> + </xsl:if> + <xsl:text>&newln;</xsl:text> + </xsl:if> + +</xsl:for-each> +</xsl:template> + +</xsl:stylesheet> diff --git a/src/xsl/show_firewall_detail.xsl b/src/xsl/show_firewall_detail.xsl new file mode 100644 index 0000000..6e970cb --- /dev/null +++ b/src/xsl/show_firewall_detail.xsl 
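Review bot: In the source-address `choose`, the `src_net` branch tests `src_addr!='0.0.0.0/0'` rather than `src_net`, and the destination branch does the same with `dst_addr`; a host address never carries a prefix length, so that comparison is always true and the guard is dead (the `otherwise` branch happens to print the same `0.0.0.0/0` text for the any-network case, which is presumably why it has gone unnoticed, and what outputXml emits for src_addr versus src_net per rule is not visible here). The tests that match the surrounding pattern are `<xsl:when test="src_net!='' and src_net!='0.0.0.0/0'">` and `<xsl:when test="dst_net!='' and dst_net!='0.0.0.0/0'">`. The same pair of conditions is repeated in show_firewall_detail.xsl and show_firewall_statistics.xsl in this commit and should be corrected together.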
@@ -0,0 +1,236 @@ +<?xml version="1.0"?> +<!DOCTYPE stylesheet [ +<!ENTITY newln " "> +]> + +<!-- /* + * Copyright 2006, Vyatta, Inc. + * + * GNU General Public License + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License, version 2, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA + * + * Module: show_firewall_detail.xsl + * + * Author: Mike Horn + * Date: 2006 + * + */ --> + +<!--XSL Template for formatting the "show firewall <name> detail" command--> + +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> + +<xsl:variable name="pad10" select="' '"/> +<xsl:variable name="pad10_len" select="string-length($pad10)"/> +<xsl:variable name="pad20" select="' '"/> +<xsl:variable name="pad20_len" select="string-length($pad20)"/> +<xsl:variable name="pad22" select="' '"/> +<xsl:variable name="pad22_len" select="string-length($pad22)"/> +<xsl:variable name="pad34" select="' '"/> +<xsl:variable name="pad34_len" select="string-length($pad34)"/> + +<xsl:template match="opcommand"> + +<xsl:text>&newln;</xsl:text> +<xsl:text>&newln;</xsl:text> + +<xsl:for-each select="format/row"> + +<xsl:text>Rule: </xsl:text> +<xsl:value-of select="rule_number"/> +<xsl:text>&newln;</xsl:text> + +<xsl:text>Packets: </xsl:text> +<xsl:value-of select="pkts"/> +<xsl:value-of select="substring($pad10,1,$pad10_len - string-length(pkts))"/> + +<xsl:text>Bytes: </xsl:text> +<xsl:value-of select="bytes"/> 
+<xsl:text>&newln;</xsl:text> + +<xsl:text>Action: </xsl:text> +<xsl:value-of select="action"/> +<xsl:text>&newln;</xsl:text> + +<xsl:text>Protocol: </xsl:text> +<xsl:value-of select="protocol"/> +<xsl:text>&newln;</xsl:text> + +<xsl:text>State: </xsl:text> + <xsl:choose> + <xsl:when test="contains(state, 'established%2C')"> + <xsl:text>E,</xsl:text> + </xsl:when> + <xsl:when test="contains(state, 'established')"> + <xsl:text>E</xsl:text> + </xsl:when> + </xsl:choose> + <xsl:choose> + <xsl:when test="contains(state, 'new%2C')"> + <xsl:text>N,</xsl:text> + </xsl:when> + <xsl:when test="contains(state, 'new')"> + <xsl:text>N</xsl:text> + </xsl:when> + </xsl:choose> + <xsl:choose> + <xsl:when test="contains(state, 'related%2C')"> + <xsl:text>R,</xsl:text> + </xsl:when> + <xsl:when test="contains(state, 'related')"> + <xsl:text>R</xsl:text> + </xsl:when> + </xsl:choose> + <xsl:choose> + <xsl:when test="contains(state, 'invalid%2C')"> + <xsl:text>I,</xsl:text> + </xsl:when> + <xsl:when test="contains(state, 'invalid')"> + <xsl:text>I</xsl:text> + </xsl:when> + </xsl:choose> + <xsl:choose> + <xsl:when test="state=''"> + <xsl:text>any</xsl:text> + </xsl:when> + </xsl:choose> +<xsl:text>&newln;</xsl:text> + +<xsl:text>Source</xsl:text> +<xsl:text>&newln;</xsl:text> +<xsl:text> Address: </xsl:text> + <xsl:choose> + <xsl:when test="src_addr!='' and src_addr!='0.0.0.0'"> + <xsl:value-of select="src_addr"/> + </xsl:when> + + <xsl:when test="src_net!='' and src_addr!='0.0.0.0/0'"> + <xsl:value-of select="src_net"/> + </xsl:when> + + <xsl:when test="src_addr_start!='' and src_addr_start!='0.0.0.0'"> + <xsl:value-of select="src_addr_start"/> + <xsl:text> - </xsl:text> + <xsl:value-of select="src_addr_stop"/> + </xsl:when> + + <xsl:otherwise> + <xsl:text>0.0.0.0/0</xsl:text> + </xsl:otherwise> + </xsl:choose> +<xsl:text>&newln;</xsl:text> +<xsl:text> Ports: </xsl:text> + + <xsl:choose> + <xsl:when test="src_port_num!='0'"> + <xsl:value-of select="src_port_num"/> + </xsl:when> + + 
<xsl:when test="src_port_start!='0'"> + <xsl:value-of select="src_port_start"/> + <xsl:text>:</xsl:text> + <xsl:value-of select="src_port_stop"/> + </xsl:when> + + <xsl:when test="src_port_name!=''"> + <xsl:value-of select="src_port_name"/> + </xsl:when> + + <xsl:otherwise> + <xsl:text>all</xsl:text> + </xsl:otherwise> + </xsl:choose> + +<xsl:text>&newln;</xsl:text> +<xsl:text>Destination</xsl:text> +<xsl:text>&newln;</xsl:text> +<xsl:text> Address: </xsl:text> + <xsl:choose> + <xsl:when test="dst_addr!='' and dst_addr!='0.0.0.0'"> + <xsl:value-of select="dst_addr"/> + </xsl:when> + + <xsl:when test="dst_net!='' and dst_addr!='0.0.0.0/0'"> + <xsl:value-of select="dst_net"/> + </xsl:when> + + <xsl:when test="dst_addr_start!='' and dst_addr_start!='0.0.0.0'"> + <xsl:value-of select="dst_addr_start"/> + <xsl:text> - </xsl:text> + <xsl:value-of select="dst_addr_stop"/> + </xsl:when> + + <xsl:otherwise> + <xsl:text>0.0.0.0/0</xsl:text> + </xsl:otherwise> + </xsl:choose> +<xsl:text>&newln;</xsl:text> +<xsl:text> Ports: </xsl:text> + + <xsl:choose> + <xsl:when test="dst_port_num!='0'"> + <xsl:value-of select="dst_port_num"/> + </xsl:when> + + <xsl:when test="dst_port_start!='0'"> + <xsl:value-of select="dst_port_start"/> + <xsl:text>:</xsl:text> + <xsl:value-of select="dst_port_stop"/> + </xsl:when> + + <xsl:when test="dst_port_name!=''"> + <xsl:value-of select="dst_port_name"/> + </xsl:when> + + <xsl:otherwise> + <xsl:text>all</xsl:text> + </xsl:otherwise> + </xsl:choose> + +<xsl:text>&newln;</xsl:text> + +<xsl:text>ICMP Code: </xsl:text> + <xsl:if test="icmp_code=''"> + <xsl:text>-</xsl:text> + </xsl:if> + <xsl:if test="icmp_code!=''"> + <xsl:value-of select="icmp_code"/> + </xsl:if> + +<xsl:text>&newln;</xsl:text> + +<xsl:text>ICMP Type: </xsl:text> + <xsl:if test="icmp_type=''"> + <xsl:text>-</xsl:text> + </xsl:if> + <xsl:if test="icmp_type!=''"> + <xsl:value-of select="icmp_type"/> + </xsl:if> + +<xsl:text>&newln;</xsl:text> +<xsl:text>Logging: </xsl:text> 
+<xsl:value-of select="log"/> + +<xsl:text>&newln;</xsl:text> + <xsl:if test="rule_number!='1025'"> + <xsl:text>------------------------</xsl:text> + <xsl:text>&newln;</xsl:text> + </xsl:if> + +</xsl:for-each> +</xsl:template> + +</xsl:stylesheet> diff --git a/src/xsl/show_firewall_statistics.xsl b/src/xsl/show_firewall_statistics.xsl new file mode 100644 index 0000000..3c91dbe --- /dev/null +++ b/src/xsl/show_firewall_statistics.xsl 
@@ -0,0 +1,108 @@ +<?xml version="1.0"?> +<!DOCTYPE stylesheet [ +<!ENTITY newln " "> +]> + +<!-- /* + * Copyright 2006, Vyatta, Inc. + * + * GNU General Public License + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License, version 2, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA + * + * Module: show_firewall_statistics.xsl + * + * Author: Mike Horn + * Date: 2006 + * + */ --> + +<!--XSL Template for formatting the "show firewall <name> statistics" command--> + +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> + +<xsl:variable name="pad6" select="' '"/> +<xsl:variable name="pad6_len" select="string-length($pad6)"/> +<xsl:variable name="pad8" select="' '"/> +<xsl:variable name="pad8_len" select="string-length($pad8)"/> +<xsl:variable name="pad10" select="' '"/> +<xsl:variable name="pad10_len" select="string-length($pad10)"/> +<xsl:variable name="pad20" select="' '"/> +<xsl:variable name="pad20_len" select="string-length($pad20)"/> + +<xsl:template match="opcommand"> +<xsl:text>&newln;</xsl:text> +<xsl:text>&newln;</xsl:text> +<xsl:text>rule packets bytes action source destination</xsl:text> +<xsl:text>&newln;</xsl:text> +<xsl:text>---- ------- ----- ------ ------ -----------</xsl:text> +<xsl:text>&newln;</xsl:text> + +<xsl:for-each select="format/row"> + + <xsl:value-of select="rule_number"/> + <xsl:value-of select="substring($pad6,1,$pad6_len - string-length(rule_number))"/> + + 
<xsl:value-of select="pkts"/> + <xsl:value-of select="substring($pad10,1,$pad10_len - string-length(pkts))"/> + + <xsl:value-of select="bytes"/> + <xsl:value-of select="substring($pad10,1,$pad10_len - string-length(bytes))"/> + + <xsl:value-of select="action"/> + <xsl:value-of select="substring($pad8,1,$pad8_len - string-length(action))"/> + + <xsl:choose> + <xsl:when test="src_addr!='' and src_addr!='0.0.0.0'"> + <xsl:value-of select="src_addr"/> + <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(src_addr))"/> + </xsl:when> + <xsl:when test="src_net!='' and src_addr!='0.0.0.0/0'"> + <xsl:value-of select="src_net"/> + <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(src_net))"/> + </xsl:when> + <xsl:when test="src_addr_start!='' and src_addr_start!='0.0.0.0'"> + <xsl:text>Range (use detail) </xsl:text> + </xsl:when> + <xsl:otherwise> + <xsl:text>0.0.0.0/0</xsl:text> + <xsl:value-of select="substring($pad20,1,$pad20_len - 9)"/> + </xsl:otherwise> + </xsl:choose> + + <xsl:choose> + <xsl:when test="dst_addr!='' and dst_addr!='0.0.0.0'"> + <xsl:value-of select="dst_addr"/> + <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(dst_addr))"/> + </xsl:when> + <xsl:when test="dst_net!='' and dst_addr!='0.0.0.0/0'"> + <xsl:value-of select="dst_net"/> + <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(dst_net))"/> + </xsl:when> + <xsl:when test="dst_addr_start!='' and dst_addr_start!='0.0.0.0'"> + <xsl:text>Range (use detail) </xsl:text> + </xsl:when> + <xsl:otherwise> + <xsl:text>0.0.0.0/0</xsl:text> + <xsl:value-of select="substring($pad20,1,$pad20_len - 9)"/> + </xsl:otherwise> + </xsl:choose> + +<xsl:text>&newln;</xsl:text> + +</xsl:for-each> +</xsl:template> + +</xsl:stylesheet> diff --git a/src/xsl/show_firewall_statistics_brief.xsl b/src/xsl/show_firewall_statistics_brief.xsl new file mode 100644 index 0000000..fb03dc1 --- /dev/null +++ b/src/xsl/show_firewall_statistics_brief.xsl 
@@ -0,0 +1,110 @@
+<?xml version="1.0"?>
+<!DOCTYPE stylesheet [
+<!ENTITY newln " ">
+]>
+
+<!-- /*
+ * Copyright 2006, Vyatta, Inc.
+ *
+ * GNU General Public License
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License, version 2,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA
+ *
+ * Module: show_firewall_statistics_brief.xsl
+ *
+ * Author: Mike Horn
+ * Date: 2006
+ *
+ */ -->
+
+<!--XSL Template for formatting "show firewall <name> statistics brief"-->
+
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:variable name="pad6" select="' '"/>
+<xsl:variable name="pad6_len" select="string-length($pad6)"/>
+<xsl:variable name="pad7" select="' '"/>
+<xsl:variable name="pad7_len" select="string-length($pad7)"/>
+<xsl:variable name="pad8" select="' '"/>
+<xsl:variable name="pad8_len" select="string-length($pad8)"/>
+<xsl:variable name="pad10" select="' '"/>
+<xsl:variable name="pad10_len" select="string-length($pad10)"/>
+<xsl:variable name="pad20" select="' '"/>
+<xsl:variable name="pad20_len" select="string-length($pad20)"/>
+
+<xsl:comment> FORMAT HEADER LINES </xsl:comment>
+
+<xsl:template match="opcommand">
+<xsl:text>&newln;</xsl:text>
+<xsl:text>&newln;</xsl:text>
+<xsl:text>State Codes: E - Established, I - Invalid, N - New, R - Related&newln;</xsl:text>
+<xsl:text>&newln;</xsl:text>
+<xsl:text>rule packets bytes action source destination</xsl:text>
+<xsl:text>&newln;</xsl:text>
+<xsl:text>---- ------- ----- ------ ------ -----------</xsl:text>
+<xsl:text>&newln;</xsl:text>
+
+<xsl:for-each select="format/row">
+
+<xsl:value-of select="rule_number"/>
+<xsl:value-of select="substring($pad6,1,$pad6_len - string-length(rule_number))"/>
+
+<xsl:value-of select="pkts"/>
+<xsl:value-of select="substring($pad10,1,$pad10_len - string-length(pkts))"/>
+
+<xsl:value-of select="bytes"/>
+<xsl:value-of select="substring($pad10,1,$pad10_len - string-length(pkts))"/>
+
+<xsl:value-of select="action"/>
+<xsl:value-of select="substring($pad8,1,$pad8_len - string-length(action))"/>
+
+ <xsl:choose>
+ <xsl:when test="src_addr!='0.0.0.0'">
+ <xsl:value-of select="src_addr"/>
+ <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(src_addr))"/>
+ </xsl:when>
+
+ <xsl:when test="src_addr_start!='0.0.0.0'">
+ <xsl:text>Range (use detail) </xsl:text>
+ </xsl:when>
+
+ <xsl:when test="src_addr='0.0.0.0'">
+ <xsl:value-of select="src_net"/>
+ <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(src_net))"/>
+ </xsl:when>
+ </xsl:choose>
+
+ <xsl:choose>
+ <xsl:when test="dst_addr!='0.0.0.0'">
+ <xsl:value-of select="dst_addr"/>
+ <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(dst_addr))"/>
+ </xsl:when>
+
+ <xsl:when test="dst_addr_start!='0.0.0.0'">
+ <xsl:text>Range (use detail) </xsl:text>
+ </xsl:when>
+
+ <xsl:when test="dst_addr='0.0.0.0'">
+ <xsl:value-of select="dst_net"/>
+ <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(dst_net))"/>
+ </xsl:when>
+ </xsl:choose>
+
+ <xsl:text>&newln;</xsl:text>
+
+</xsl:for-each>
+</xsl:template>
+
+</xsl:stylesheet>
diff --git a/templates/clear/firewall/name/node.tag/counters/node.def b/templates/clear/firewall/name/node.tag/counters/node.def
new file mode 100644
index 0000000..7db183a
--- /dev/null
+++ b/templates/clear/firewall/name/node.tag/counters/node.def
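Review bot: The padding emitted after `bytes` is computed from the wrong field — `substring($pad10,1,$pad10_len - string-length(pkts))` should read `string-length(bytes)`, otherwise the action column shifts left or right whenever the packet and byte counts differ in digit width, which is almost every row. `<xsl:comment>` placed directly under `xsl:stylesheet` is an instruction rather than a declaration, and XSLT 1.0 only permits declarations at top level, so processors may warn on or reject it; a plain XML comment `<!-- FORMAT HEADER LINES -->` is the safe form. The source and destination `xsl:choose` blocks also have no `xsl:otherwise`, and `src_addr!='0.0.0.0'` is true for an empty `src_addr` if the producing script emits the element empty, in which case a rule that carries only `src_net` prints a blank column; the `src_net!=''`-style guards used in the sibling statistics stylesheet in this commit look like the intended shape.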
@@ -0,0 +1,3 @@
+help: Clear firewall counters
+run: iptables -Z $4
+
diff --git a/templates/show/firewall/node.def b/templates/show/firewall/node.def
new file mode 100644
index 0000000..84d9b08
--- /dev/null
+++ b/templates/show/firewall/node.def
@@ -0,0 +1,3 @@
+help: Show firewall information
+run: ${vyatta_sbindir}/vyatta-show-firewall.pl --all /opt/vyatta/xsl/show_firewall.xsl
+
diff --git a/templates/show/firewall/node.tag/detail/node.def b/templates/show/firewall/node.tag/detail/node.def
new file mode 100644
index 0000000..bb41ddb
--- /dev/null
+++ b/templates/show/firewall/node.tag/detail/node.def
@@ -0,0 +1,3 @@
+help: Show firewall rules (detail output)
+run: ${vyatta_sbindir}/vyatta-show-firewall.pl $3 /opt/vyatta/xsl/show_firewall_tail.xsl
+
diff --git a/templates/show/firewall/node.tag/detail/rule/node.tag/node.def b/templates/show/firewall/node.tag/detail/rule/node.tag/node.def
new file mode 100644
index 0000000..70f91b3
--- /dev/null
+++ b/templates/show/firewall/node.tag/detail/rule/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Show firewall rules (detail output)
+run: ${vyatta_sbindir}/vyatta-show-firewall.pl $3 /opt/vyatta/xsl/show_firewall_tail.xsl $6
+
diff --git a/templates/show/firewall/node.tag/node.def b/templates/show/firewall/node.tag/node.def
new file mode 100644
index 0000000..6465754
--- /dev/null
+++ b/templates/show/firewall/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Show firewall rules (summary output)
+run: ${vyatta_sbindir}/vyatta-show-firewall.pl $3 /opt/vyatta/xsl/show_firewall.xsl
+
diff --git a/templates/show/firewall/node.tag/rule/node.tag/node.def b/templates/show/firewall/node.tag/rule/node.tag/node.def
new file mode 100644
index 0000000..f862b10
--- /dev/null
+++ b/templates/show/firewall/node.tag/rule/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Show firewall rules (summary output)
+run: ${vyatta_sbindir}/vyatta-show-firewall.pl $3 /opt/vyatta/xsl/show_firewall.xsl $5
+
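Review bot: `run: iptables -Z $4` in the counters node.def hands the user-typed name tag to the shell unquoted and with no check that it names a chain this firewall subsystem created, so a mistyped or unrelated chain name is passed straight through to iptables and a token containing shell-significant characters is reparsed rather than treated as one argument; the `$3`, `$5` and `$6` tags in the show templates here and in the statistics node.def hunk that follows have the same shape. Quoting each one (`iptables -Z "$4"`, `vyatta-show-firewall.pl "$3" ...`) and validating the name against the configured firewall names before running is the usual fix, unless the op-mode framework already validates tag values, which is not visible from this commit. Separately, both detail templates reference `/opt/vyatta/xsl/show_firewall_tail.xsl`, a stylesheet that appears nowhere in this commit's visible hunks while every other stylesheet here is `show_firewall*.xsl`; this looks like a typo for the detail stylesheet and would make the `detail` commands fail at runtime. The `/opt/vyatta/xsl/` prefix is also hard-coded in every run line while the script path goes through `${vyatta_sbindir}`, so the stylesheet location is the one install path these templates cannot follow.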
diff --git a/templates/show/firewall/node.tag/statistics/node.def b/templates/show/firewall/node.tag/statistics/node.def
new file mode 100644
index 0000000..2d160a5
--- /dev/null
+++ b/templates/show/firewall/node.tag/statistics/node.def
@@ -0,0 +1,3 @@
+help: Show firewall counter information
+run: ${vyatta_sbindir}/vyatta-show-firewall.pl $3 /opt/vyatta/xsl/show_firewall_statistics.xsl
+