author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-08-07 18:48:39 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-08-07 18:48:39 -0700 |
commit | 80a123411314371e325bda2c37d63884aab6892d (patch) | |
tree | 21d2370a2efce4254990717c4b759c09adbe23aa | |
parent | 597348b919276e8c75469dce652a491991df98ca (diff) | |
* Fix 'show firewall' and 'show firewall detail' commands
for firewall rulesets when protocol is tcp_udp
still need to fix 'show statistics' command
-rwxr-xr-x | scripts/firewall/vyatta-show-firewall.pl | 46 | ||||
-rw-r--r-- | src/xsl/show_firewall.xsl | 10 |
2 files changed, 47 insertions, 9 deletions
diff --git a/scripts/firewall/vyatta-show-firewall.pl b/scripts/firewall/vyatta-show-firewall.pl
index 7a87790..da8f309 100755
--- a/scripts/firewall/vyatta-show-firewall.pl
+++ b/scripts/firewall/vyatta-show-firewall.pl
@@ -27,7 +27,7 @@ if (defined($rule_num) && (!($rule_num =~ /^\d+$/) || ($rule_num > $max_rule)))
 }
 sub numerically { $a <=> $b; }
-my $format1 = "%-5s %-8s %-6s %-8s %-50s";
+my $format1 = "%-5s %-8s %-9s %-8s %-50s";
 my $format2 = " %-78s";
 ### all interfaces firewall nodes
@@ -242,9 +242,10 @@ sub print_detail_rule {
 my ($iptables_cmd, $table, $chain, $rule, $tree) = @_;
 my $string="";
 my $mul_lines="";
+ my $udp_string = undef;
 # check from CLI if we have a condition set that creates more than 1 iptable rule
- # currenly LOG, RECENT in a CLI rule result in more than 1 iptable rule
+ # currenly LOG, RECENT, protocol tcp_udp in a CLI rule result in more than 1 iptable rule
 my $cli_rule = new Vyatta::IpTables::Rule;
 $cli_rule->setupOrig("firewall $tree $chain rule $rule");
 if (defined $cli_rule->{_log} && "$cli_rule->{_log}" eq "enable") {
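Review bot: The new declaration `my $udp_string = undef;` spells out a default that `my` already gives; `my $udp_string;` is the idiomatic form and what perlcritic expects. The comment line this hunk rewrites still carries the typo "currenly" — since the line is being touched anyway, `# currently LOG, RECENT, protocol tcp_udp in a CLI rule result in more than 1 iptable rule` would fix it. It would also help a reader of print_detail_rule (whose body continues past this hunk) if that comment said how many iptables rules one CLI rule can expand to, as the later line-offset arithmetic appears to depend on exactly that; I cannot confirm the maximum from what is visible here.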
@@ -257,7 +258,19 @@ sub print_detail_rule {
 my $line_num = $lines[0] + 1;
 $string=`sudo /sbin/$iptables_cmd -t $table -L $chain $line_num -xv | awk '/$chain-$rule / {print \$0}'`;
- } elsif (defined($cli_rule->{_recent_time}) || defined($cli_rule->{_recent_cnt})) {
+
+ if (defined $cli_rule->{_protocol} && $cli_rule->{_protocol} eq 'tcp_udp') {
+ # we need the udp rule as well
+ if (defined($cli_rule->{_recent_time}) || defined($cli_rule->{_recent_cnt})) {
+ $line_num = $line_num + 3;
+ } else {
+ $line_num = $line_num + 2;
+ }
+ $udp_string = `sudo /sbin/$iptables_cmd -t $table -L $chain $line_num -xv |
+ awk '/$chain-$rule / {print \$0}'`;
+ }
+ } elsif ( (defined($cli_rule->{_recent_time}) || defined($cli_rule->{_recent_cnt})) ||
+ (defined $cli_rule->{_protocol} && $cli_rule->{_protocol} eq 'tcp_udp') ) {
 # recent enabled but not log so actual rule in iptables is first rule
 # now get line-num for 1st rule and use that to list actual rule
@@ -267,6 +280,17 @@ sub print_detail_rule {
 my $line_num = $lines[0];
 $string=`sudo /sbin/$iptables_cmd -t $table -L $chain $line_num -xv | awk '/$chain-$rule / {print \$0}'`;
+
+ # we need the udp rule as well
+ if (defined($cli_rule->{_recent_time}) || defined($cli_rule->{_recent_cnt})) {
+ $line_num = $line_num + 2;
+ $udp_string=`sudo /sbin/$iptables_cmd -t $table -L $chain $line_num -xv |
+ awk '/$chain-$rule / {print \$0}'`;
+ } else {
+ $line_num = $line_num + 1;
+ $udp_string=`sudo /sbin/$iptables_cmd -t $table -L $chain $line_num -xv |
+ awk '/$chain-$rule / {print \$0}'`;
+ }
 } else {
 # there's a one-to-one relation between our CLI rule and iptable rule
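Review bot: The three new `$udp_string = \`sudo /sbin/$iptables_cmd ... | awk '/$chain-$rule / ...'\`` invocations (here and in the @@ -267 hunk) copy the existing pattern of building a shell command line by interpolating `$table`, `$chain`, `$rule` and `$line_num`; only `$rule_num` is visibly validated against `/^\d+$/` (line 27 in the first hunk's header), so the ruleset name still reaches the shell and the awk regex unescaped, and the same pipeline now appears five times in print_detail_rule. A small helper that runs iptables with list-form `open '-|'` and does the `$chain-$rule ` match in Perl removes both the shell round-trip and the duplication; the sketch below replaces the branch inside the log case, and the @@ -267 hunk's two branches reduce to the same one-line call. The offsets `+ 3`, `+ 2` (this hunk) and `+ 2`, `+ 1` (the next) encode an assumed order of the generated iptables rules that nothing documents; a comment stating that order next to the arithmetic would make the code checkable. print_detail_rule begins before this hunk and continues after the @@ -267 hunk.
```perl
# Lists the single iptables rule at $line_num in $chain and returns only the
# entry tagged "$chain-$rule ", matched in Perl rather than by a shell/awk pipe.
sub _rule_at_line {
    my ($iptables_cmd, $table, $chain, $rule, $line_num) = @_;
    open my $fh, '-|', 'sudo', "/sbin/$iptables_cmd", '-t', $table,
         '-L', $chain, $line_num, '-xv'
        or die "cannot run $iptables_cmd: $!";
    my @rows = grep { /\Q$chain-$rule\E / } <$fh>;
    close $fh;
    return join '', @rows;
}

# … unchanged: log-enabled branch up to the tcp_udp check …
            # Assumed rule order for this CLI rule: [recent] log tcp udp, so the
            # udp rule sits 3 (with recent) or 2 lines after the tcp rule.
            # TODO confirm against Vyatta::IpTables::Rule before relying on it.
            my $has_recent = defined($cli_rule->{_recent_time}) || defined($cli_rule->{_recent_cnt});
            $line_num += $has_recent ? 3 : 2;
            $udp_string = _rule_at_line($iptables_cmd, $table, $chain, $rule, $line_num);
```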
@@ -281,7 +305,21 @@ sub print_detail_rule {
 @string_words = split (/\s+/, $string, 14);
 @string_words=splice(@string_words, 1, 13);
 @string_words_part1=splice(@string_words, 0, 4); # packets, bytes, target, proto
- $string_words_part1[2]=$target_hash{$string_words_part1[2]};
+
+ if (defined $cli_rule->{_protocol} && $cli_rule->{_protocol} eq 'tcp_udp') {
+ $string_words_part1[3] = 'tcp_udp';
+
+ # get udp rule packets, bytes
+ my @udp_string_words=split(/\s+/, $udp_string, 14);
+ @udp_string_words=splice(@udp_string_words, 1, 13);
+ @udp_string_words=splice(@udp_string_words, 0, 4); # packets, bytes, target, proto
+ $string_words_part1[0] += $udp_string_words[0];
+ $string_words_part1[1] += $udp_string_words[1];
+ }
+
+ $string_words_part1[2]=$cli_rule->{_action} if defined $cli_rule->{_action};
+ $string_words_part1[2]='drop' if $rule == $max_rule;
+
+ if ($iptables_cmd =~ /6/) {
 @string_words_part2=splice(@string_words, 2, 2);# source, destination
 } else {
diff --git a/src/xsl/show_firewall.xsl b/src/xsl/show_firewall.xsl
index 273c88f..236fd2f 100644
--- a/src/xsl/show_firewall.xsl
+++ b/src/xsl/show_firewall.xsl
@@ -35,8 +35,8 @@
 <xsl:variable name="pad6" select="' '"/>
 <xsl:variable name="pad6_len" select="string-length($pad6)"/>
-<xsl:variable name="pad7" select="' '"/>
-<xsl:variable name="pad7_len" select="string-length($pad7)"/>
+<xsl:variable name="pad10" select="' '"/>
+<xsl:variable name="pad10_len" select="string-length($pad10)"/>
 <xsl:variable name="pad8" select="' '"/>
 <xsl:variable name="pad8_len" select="string-length($pad8)"/>
 <xsl:variable name="pad20" select="' '"/>
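Review bot: When the computed udp line number does not land on a rule tagged `$chain-$rule `, `$udp_string` is the empty string (or still undef), `split` yields nothing, and `$string_words_part1[0] += $udp_string_words[0]` silently adds undef — the tcp-only counters are then printed as if they were the combined total. A guard before the split, `warn "no udp rule found for $chain rule $rule\n" unless length $udp_string;`, makes a wrong offset visible instead of producing quietly understated counts. Separately, the removed `$target_hash{...}` lookup was unconditional, while its replacement `... = $cli_rule->{_action} if defined $cli_rule->{_action};` leaves the raw iptables target in the action column whenever `_action` is undefined and `$rule != $max_rule`; if that case is reachable it may be worth keeping the old mapping as the fallback. The `'drop' if $rule == $max_rule` line hard-codes the default rule's displayed action; that is fine only if the default rule is always a drop, which I cannot confirm from this diff. print_detail_rule starts before the hunk and continues after it.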
@@ -48,9 +48,9 @@
 <xsl:text>&newln;</xsl:text>
 <xsl:text>(State Codes: E - Established, I - Invalid, N - New, R - Related)&newln;</xsl:text>
 <xsl:text>&newln;</xsl:text>
-<xsl:text>rule action source destination proto state</xsl:text>
+<xsl:text>rule action source destination proto state</xsl:text>
 <xsl:text>&newln;</xsl:text>
-<xsl:text>---- ------ ------ ----------- ----- ----- </xsl:text>
+<xsl:text>---- ------ ------ ----------- ----- ----- </xsl:text>
 <xsl:text>&newln;</xsl:text>
 <xsl:for-each select="format/row">
@@ -104,7 +104,7 @@
 </xsl:choose>
 <xsl:value-of select="protocol"/>
-<xsl:value-of select="substring($pad7,1,$pad7_len - string-length(protocol))"/>
+<xsl:value-of select="substring($pad10,1,$pad10_len - string-length(protocol))"/>
 <xsl:choose>
 <xsl:when test="contains(state, 'established%2C')"> |