author | John Southworth <john.southworth@vyatta.com> | 2012-02-14 19:17:01 -0800 |
committer | John Southworth <john.southworth@vyatta.com> | 2012-02-14 19:17:01 -0800 |
commit | 0e456968b145490c5192df76865f73805e9a044e (patch) | |
tree | 8ff7950f01267cc5ba2c98153385109d21b0b51c | |
parent | 3f964050da4bb2bf23d55064a9150f64f98914ad (diff) | |
download | vyatta-op-firewall-0e456968b145490c5192df76865f73805e9a044e.tar.gz vyatta-op-firewall-0e456968b145490c5192df76865f73805e9a044e.zip |
Bugfix 7778: Add 'show firewall summary' command and setup summary info for webgui dashboard
-rw-r--r-- | Makefile.am | 6 | ||||
-rwxr-xr-x | lib/Vyatta/FirewallOpMode/Summary.pm | 161 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-show-firewall-summary.pl | 164 | ||||
-rw-r--r-- | templates/show/firewall/summary/node.def | 2 |
4 files changed, 333 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index beb3482..38c6b47 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,9 +1,15 @@
 opdir = $(datadir)/vyatta-op/templates
+bin_sudo_usersdir = $(bindir)/sudo-users
+share_perl5dir = /opt/vyatta/share/perl5/Vyatta/FirewallOpMode/
 xsldir = @XSLDIR@
 xsl_DATA =
+share_perl5_DATA = lib/Vyatta/FirewallOpMode/Summary.pm
+
+bin_sudo_users_SCRIPTS = scripts/firewall/vyatta-show-firewall-summary.pl
+
 bin_SCRIPTS =
 bin_SCRIPTS += scripts/firewall/vyatta-show-firewall.pl
 bin_SCRIPTS += scripts/firewall/vyatta-clear-firewall
diff --git a/lib/Vyatta/FirewallOpMode/Summary.pm b/lib/Vyatta/FirewallOpMode/Summary.pm
new file mode 100755
index 0000000..5ceaf56
--- /dev/null
+++ b/lib/Vyatta/FirewallOpMode/Summary.pm
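Review bot: `share_perl5dir` is set to the absolute path `/opt/vyatta/share/perl5/Vyatta/FirewallOpMode/` while the neighbouring `opdir` and the new `bin_sudo_usersdir` derive from `$(datadir)` and `$(bindir)`, so this one install location ignores the configured prefix. If `$(datadir)` resolves to `/opt/vyatta/share` on this build, `share_perl5dir = $(datadir)/perl5/Vyatta/FirewallOpMode` keeps the module relocatable with the rest of the package and drops the trailing slash.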
@@ -0,0 +1,161 @@
+#!/usr/bin/perl
+package Vyatta::FirewallOpMode::Summary;
+
+use lib "/opt/vyatta/share/perl5/";
+use Vyatta::Config;
+use Vyatta::IpTables::Rule;
+use Vyatta::IpTables::IpSet;
+use Vyatta::IpTables::AddressFilter;
+use Vyatta::Zone;
+use Data::Dumper;
+
+use warnings;
+use strict;
+
+sub show_interfaces_zones {
+ my ($chain, $tree) = @_;
+ my $outhash = {};
+ my $cfg = new Vyatta::Config;
+ my @int_strs = ();
+ my @zone_strs = ();
+ my $content_str = "";
+ for (Vyatta::Interface::get_all_cfg_interfaces(1)) {
+ my ($iname, $ipath) = ($_->{name}, $_->{path});
+ for my $dir ($cfg->listOrigNodes("$ipath firewall")) {
+ my $ichain = $cfg->returnOrigValue("$ipath firewall $dir $tree");
+ if (defined($ichain) and $ichain eq $chain) {
+ $dir =~ y/a-z/A-Z/;
+ push @int_strs, "($iname,$dir)";
+ }
+ }
+ }
+ $outhash->{'interfaces'} = \@int_strs;
+
+ # check if chain used to filter traffic between zones
+ my $used_in_zonefw=0;
+ my @all_zones = Vyatta::Zone::get_all_zones("listOrigNodes");
+ foreach my $zone (sort(@all_zones)) {
+ my @from_zones = Vyatta::Zone::get_from_zones("listOrigNodes", $zone);
+ my @from_zones_using_this_chain=();
+ foreach my $from_zone (sort(@from_zones)) {
+ my $fw_ruleset=Vyatta::Zone::get_firewall_ruleset("returnOrigValue",
+ $zone, $from_zone, $tree);
+ if (defined $fw_ruleset && $fw_ruleset eq $chain) {
+ push (@from_zones_using_this_chain, $from_zone);
+ if ($used_in_zonefw == 0) {
+ $used_in_zonefw++;
+ }
+ }
+ }
+ if (scalar(@from_zones_using_this_chain) > 0) {
+ my $single_or_multiple_zone = 'zone';
+ if (scalar(@from_zones_using_this_chain) > 1) {
+ $single_or_multiple_zone = 'zones';
+ }
+ my $string_fromzones=join(', ', sort(@from_zones_using_this_chain));
+ push @zone_strs, "zone [$zone] from $single_or_multiple_zone [$string_fromzones]";
+ }
+ }
+ $outhash->{'zones'} = \@zone_strs;
+
+ # check if content-inspection is using this ruleset
+ my $custom_filter = 0;
+ my $config = new Vyatta::Config;
+ $config->setLevel("content-inspection traffic-filter");
+ my $custom_traffic_filter = $config->returnOrigValue('custom');
+ if ((defined $custom_traffic_filter) && ($custom_traffic_filter eq $chain)) {
+ $custom_filter = 1;
+ $content_str = "Active on all incoming and forwarded traffic for content-inspection";
+ }
+ $outhash->{'content-inspection'} = $content_str;
+ return $outhash;
+}
+
+# mapping from config node to printable string describing it.
+my %description_hash = ( 'name' => 'IPv4',
+ 'ipv6-name' => 'IPv6',
+ 'modify' => 'IPv4 Modify',
+ 'ipv6-modify' => 'IPv6 Modify');
+
+sub show_tree {
+ my ($tree, $config, ) = @_;
+ my $tree_hash = {};
+ my $description = $description_hash{$tree};
+ $config->setLevel("firewall $tree");
+ my @chains = $config->listOrigNodes();
+ my $chain_cnt=0;
+ foreach (sort @chains) {
+ $chain_cnt++;
+ $tree_hash->{$_}->{references} = show_interfaces_zones($_, $tree);
+ $tree_hash->{$_}->{description} = $config->returnOrigValue("$_ description");
+ }
+ return $tree_hash;
+}
+
+sub show_state_policy {
+ my $outhash = {};
+ my $state_format = "%-15s %-8s %-8s";
+ my @fw_states = ('invalid', 'established', 'related');
+ my $fw_state_output = "";
+ my $fw_state_set = "false";
+ foreach my $state (@fw_states) {
+ my $config = new Vyatta::Config;
+ $config->setLevel("firewall state-policy $state");
+ my ($action, $log_enabled) = (undef, undef);
+ $log_enabled = $config->existsOrig("log enable");
+ $action = $config->returnOrigValue("action");
+ if (defined $action) {
+ $fw_state_set = "true";
+ last;
+ }
+
+ }
+
+ if ($fw_state_set eq "true") {
+ foreach my $state (@fw_states) {
+ my $config = new Vyatta::Config;
+ $config->setLevel("firewall state-policy $state");
+ my ($action, $log_enabled) = (undef, undef);
+ $log_enabled = $config->existsOrig("log enable");
+ $action = $config->returnOrigValue("action");
+ if (defined $action) {
+ $outhash->{$state}={ 'action' => $action, 'log' => defined($log_enabled) ? 'enabled' : 'disabled' };
+ }
+ }
+ }
+ return $outhash;
+}
+
+# Print all rule sets in all four trees
+sub get_firewall_summary {
+ my $config = new Vyatta::Config;
+ my $hash = {};
+ foreach my $tree (reverse(sort(keys %description_hash))) {
+ $hash->{$tree} = show_tree($tree, $config);
+ $hash->{global} = show_state_policy();
+ }
+ return $hash;
+}
+
+sub get_group_summary{
+ my @lines = `ipset -L`;
+ my $sets = {};
+ foreach my $line (@lines) {
+ if ($line =~ /^Name:\s+(\S+)$/ ) {
+ my $set = $1;
+ my $group = new Vyatta::IpTables::IpSet($set);
+ next if ! $group->exists();
+ my $desc = $group->get_description();
+ $desc = '' if ! defined($desc);
+ my @fw_refs = $group->get_firewall_references();
+ push @fw_refs, 'none' if scalar(@fw_refs) == 0;
+ my $type = $group->get_type();
+ $sets->{$type}->{$set} = {
+ 'description' => $desc,
+ 'references' => \@fw_refs
+ };
+ }
+ }
+ return $sets;
+}
+
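Review bot: The module has no trailing `1;` — its last file-level statement is the `my %description_hash = (...)` assignment, which happens to evaluate true in scalar context, so `use Vyatta::FirewallOpMode::Summary` loads only by accident; end the file with `1;`. In `get_group_summary` the output of the ipset backticks is used without checking `$?`, so if ipset is absent or not permitted the summary silently reports no groups at all; `my @lines = qx(ipset -L); warn "ipset -L failed: $?\n" if $? != 0;` makes the failure visible, and since the caller is installed as a sudo target an absolute path to ipset would be preferable to a PATH lookup. `get_firewall_summary` assigns `$hash->{global} = show_state_policy();` inside the tree loop, so the state-policy is re-read once per tree; move that line after the loop. `show_interfaces_zones` calls `Vyatta::Interface::get_all_cfg_interfaces` but the file never loads `Vyatta::Interface`, relying on one of the other `use` lines to pull it in — an explicit `use Vyatta::Interface;` would remove that dependency on load order.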
@@ -0,0 +1,164 @@
+#!/usr/bin/env perl
+use lib '/opt/vyatta/share/perl5/';
+use Vyatta::FirewallOpMode::Summary;
+use Data::Dumper;
+
+my %description_hash = ( 'name' => 'IPv4',
+ 'ipv6-name' => 'IPv6',
+ 'modify' => 'IPv4 Modify',
+ 'ipv6-modify' => 'IPv6 Modify');
+
+my %gr_desc_hash = ( 'network' => 'Network',
+ 'address' => 'Address',
+ 'port' => 'Port');
+
+sub print_global_fw_header {
+ print "\n" . "-" x 24 . "\n";
+ print "Firewall Global Settings\n";
+ print "-" x 24 . "\n";
+}
+
+sub print_fw_ruleset_header {
+ print "\n" . "-" x 29 . "\n";
+ print "Firewall Rulesets\n";
+ print "-" x 29 . "\n";
+}
+
+sub print_fw_group_header {
+ print "\n" . "-" x 29 . "\n";
+ print "Firewall Groups\n";
+ print "-" x 29 . "\n";
+}
+
+
+my $hash = Vyatta::FirewallOpMode::Summary::get_firewall_summary();
+if (defined $hash->{'global'}){
+ print_global_fw_header;
+ my $state_format = " %-15s %-8s %-8s\n";
+ print "\nFirewall state-policy for all IPv4 and Ipv6 traffic\n\n";
+ printf($state_format, 'state', 'action', 'log');
+ printf($state_format, '-----', '------', '---');
+ foreach my $state (keys(%{$hash->{'global'}})){
+ printf $state_format, $state,
+ $hash->{'global'}->{$state}->{action},
+ $hash->{'global'}->{$state}->{log};
+ }
+}
+print_fw_ruleset_header;
+my $format = " %-26s%-15s%-s\n";
+for my $tree (keys(%{$hash})){
+ next if ($tree eq 'global');
+ print "\n$description_hash{$tree} name:\n\n";
+ printf $format, 'Rule-set name', 'Description', 'References';
+ printf $format, '-------------', '-----------', '----------';
+ for my $chain (keys(%{$hash->{$tree}})){
+ my $description = $hash->{$tree}->{$chain}->{description};
+ my @intfs = @{$hash->{$tree}->{$chain}->{references}->{interfaces}};
+ my @zones = @{$hash->{$tree}->{$chain}->{references}->{zones}};
+ my $ci = $hash->{$tree}->{$chain}->{references}->{'content-inspection'};
+ if (length($description) > 15){
+ printf $format, $chain, $description, '';
+ $description = '';
+ $chain = '';
+ }
+ if (scalar(@intfs) > 0){
+ my $intf_str = '';
+ my $numintfs = 0;
+ foreach my $intf (@intfs){
+ $numintfs++;
+ if ((length($intf_str) + length("$intf, ")) > 38) {
+ printf $format, $chain, $description, $intf_str;
+ ($chain, $description, $intf_str) = ('', '', '');
+ }
+ if ($numintfs < scalar(@intfs)){
+ $intf_str .= "$intf, ";
+ } else {
+ if (scalar(@zones) > 0){
+ $intf_str .= "$intf,";
+ } else {
+ $intf_str .= "$intf";
+ }
+ }
+ }
+ printf $format, $chain, $description, $intf_str ;
+ if (scalar(@zones) > 0){
+ my $zone_str = '';
+ my $numzones = 0;
+ foreach my $zone (@zones){
+ $numzones++;
+ if ($numzones < scalar(@zones)){
+ $zone_str .= "$zone, ";
+ } else {
+ $zone_str .= "$zone";
+ }
+ }
+ if (length($zone_str) > 38){
+ foreach my $zone (@zones){
+ printf $format, '', '', $zone;
+ }
+ } else {
+ printf $format, '', '', $zone_str;
+ }
+ }
+ } elsif (scalar(@zones) > 0){
+ my $zone_str = '';
+ my $numzones = 0;
+ foreach my $zone (@zones){
+ $numzones++;
+ if ($numzones < scalar(@zones)){
+ $zone_str .= "$zone, ";
+ } else {
+ $zone_str .= "$zone";
+ }
+ }
+ if (length($zone_str) > 38){
+ my $fzone = pop @zones;
+ printf $format, $chain, $description, "$fzone,";
+ my $numzones = 0;
+ foreach my $zone (@zones){
+ $numzones++;
+ if ($numzones < scalar(@zones)){
+ printf $format, '', '', "$zone,";
+ } else {
+ printf $format, '', '', "$zone";
+ }
+ }
+ } else {
+ printf $format, $chain, $description, "$zone_str";
+ }
+ }
+ }
+ print "\n";
+}
+my $gr_hash = Vyatta::FirewallOpMode::Summary::get_group_summary();
+print_fw_group_header;
+foreach my $type (keys(%{$gr_hash})){
+ print "\n$gr_desc_hash{$type} Groups:\n\n";
+ printf $format, 'Group name', 'Description', 'References';
+ printf $format, '----------', '-----------', '----------';
+ foreach my $group (keys(%{$gr_hash->{$type}})){
+ my $description = $gr_hash->{$type}->{$group}->{'description'};
+ my @refs = @{$gr_hash->{$type}->{$group}->{'references'}};
+ my $numrefs = 0;
+ if (scalar(@refs) > 0) {
+ my $fref = pop @refs;
+ $fref = "$fref," if (scalar(@refs) > 0);
+ if (length($description) > 15) {
+ printf $format, $group, $description, '';
+ printf $format, '', '', $fref;
+ } else {
+ printf $format, $group, $description, $fref;
+ }
+ foreach my $ref (@refs){
+ $numrefs++;
+ if ($numrefs < scalar(@refs)) {
+ printf $format, '', '', "$ref, ";
+ } else {
+ printf $format, '', '', $ref;
+ }
+ }
+ }
+ }
+ print "\n";
+}
+#print Dumper $gr_hash;
diff --git a/templates/show/firewall/summary/node.def b/templates/show/firewall/summary/node.def
new file mode 100644
index 0000000..47bd133
--- /dev/null
+++ b/templates/show/firewall/summary/node.def
@@ -0,0 +1,2 @@
+help: Show summary of firewall application
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-firewall-summary.pl
|
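Review bot: `$ci`, the content-inspection reference read at `my $ci = $hash->{$tree}->{$chain}->{references}->{'content-inspection'};`, is never printed, so a rule-set that is used only by content-inspection shows an empty References column even though Summary.pm computes that string for it. Every loop iterates `keys` unsorted (`for my $tree (keys(%{$hash}))`, `for my $chain (keys(%{$hash->{$tree}}))`, and both group loops), so the order of trees, rule-sets and groups can change between runs; `sort keys` restores the ordering the module's `sort @chains` intended. The script has no `use strict; use warnings;` although this commit installs it as a sudo target; adding them, plus `$description = '' unless defined $description;` before each `length($description) > 15` test, avoids undef warnings for rule-sets and groups without a description. `Data::Dumper` is imported only for the commented-out last line and `%description_hash` duplicates the table already kept in Summary.pm.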