diff options
author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-08-07 18:48:39 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-08-07 18:48:39 -0700 |
commit | 80a123411314371e325bda2c37d63884aab6892d (patch) | |
tree | 21d2370a2efce4254990717c4b759c09adbe23aa /scripts/firewall/vyatta-show-firewall.pl | |
parent | 597348b919276e8c75469dce652a491991df98ca (diff) | |
download | vyatta-op-firewall-80a123411314371e325bda2c37d63884aab6892d.tar.gz vyatta-op-firewall-80a123411314371e325bda2c37d63884aab6892d.zip |
* Fix 'show firewall' and 'show firewall detail' commands
for firewall rulesets when protocol is tcp_udp
still need to fix 'show statistics' command
Diffstat (limited to 'scripts/firewall/vyatta-show-firewall.pl')
-rwxr-xr-x | scripts/firewall/vyatta-show-firewall.pl | 46 |
1 files changed, 42 insertions, 4 deletions
diff --git a/scripts/firewall/vyatta-show-firewall.pl b/scripts/firewall/vyatta-show-firewall.pl index 7a87790..da8f309 100755 --- a/scripts/firewall/vyatta-show-firewall.pl +++ b/scripts/firewall/vyatta-show-firewall.pl @@ -27,7 +27,7 @@ if (defined($rule_num) && (!($rule_num =~ /^\d+$/) || ($rule_num > $max_rule))) } sub numerically { $a <=> $b; } -my $format1 = "%-5s %-8s %-6s %-8s %-50s"; +my $format1 = "%-5s %-8s %-9s %-8s %-50s"; my $format2 = " %-78s"; ### all interfaces firewall nodes @@ -242,9 +242,10 @@ sub print_detail_rule { my ($iptables_cmd, $table, $chain, $rule, $tree) = @_; my $string=""; my $mul_lines=""; + my $udp_string = undef; # check from CLI if we have a condition set that creates more than 1 iptable rule - # currenly LOG, RECENT in a CLI rule result in more than 1 iptable rule + # currenly LOG, RECENT, protocol tcp_udp in a CLI rule result in more than 1 iptable rule my $cli_rule = new Vyatta::IpTables::Rule; $cli_rule->setupOrig("firewall $tree $chain rule $rule"); if (defined $cli_rule->{_log} && "$cli_rule->{_log}" eq "enable") { @@ -257,7 +258,19 @@ sub print_detail_rule { my $line_num = $lines[0] + 1; $string=`sudo /sbin/$iptables_cmd -t $table -L $chain $line_num -xv | awk '/$chain-$rule / {print \$0}'`; - } elsif (defined($cli_rule->{_recent_time}) || defined($cli_rule->{_recent_cnt})) { + + if (defined $cli_rule->{_protocol} && $cli_rule->{_protocol} eq 'tcp_udp') { + # we need the udp rule as well + if (defined($cli_rule->{_recent_time}) || defined($cli_rule->{_recent_cnt})) { + $line_num = $line_num + 3; + } else { + $line_num = $line_num + 2; + } + $udp_string = `sudo /sbin/$iptables_cmd -t $table -L $chain $line_num -xv | + awk '/$chain-$rule / {print \$0}'`; + } + } elsif ( (defined($cli_rule->{_recent_time}) || defined($cli_rule->{_recent_cnt})) || + (defined $cli_rule->{_protocol} && $cli_rule->{_protocol} eq 'tcp_udp') ) { # recent enabled but not log so actual rule in iptables is first rule # now get line-num for 1st rule and use that to list actual rule @@ -267,6 +280,17 @@ sub print_detail_rule { my $line_num = $lines[0]; $string=`sudo /sbin/$iptables_cmd -t $table -L $chain $line_num -xv | awk '/$chain-$rule / {print \$0}'`; + + # we need the udp rule as well + if (defined($cli_rule->{_recent_time}) || defined($cli_rule->{_recent_cnt})) { + $line_num = $line_num + 2; + $udp_string=`sudo /sbin/$iptables_cmd -t $table -L $chain $line_num -xv | + awk '/$chain-$rule / {print \$0}'`; + } else { + $line_num = $line_num + 1; + $udp_string=`sudo /sbin/$iptables_cmd -t $table -L $chain $line_num -xv | + awk '/$chain-$rule / {print \$0}'`; + } } else { # there's a one-to-one relation between our CLI rule and iptable rule @@ -281,7 +305,21 @@ sub print_detail_rule { @string_words = split (/\s+/, $string, 14); @string_words=splice(@string_words, 1, 13); @string_words_part1=splice(@string_words, 0, 4); # packets, bytes, target, proto - $string_words_part1[2]=$target_hash{$string_words_part1[2]}; + + if (defined $cli_rule->{_protocol} && $cli_rule->{_protocol} eq 'tcp_udp') { + $string_words_part1[3] = 'tcp_udp'; + + # get udp rule packets, bytes + my @udp_string_words=split(/\s+/, $udp_string, 14); + @udp_string_words=splice(@udp_string_words, 1, 13); + @udp_string_words=splice(@udp_string_words, 0, 4); # packets, bytes, target, proto + $string_words_part1[0] += $udp_string_words[0]; + $string_words_part1[1] += $udp_string_words[1]; + } + + $string_words_part1[2]=$cli_rule->{_action} if defined $cli_rule->{_action}; + $string_words_part1[2]='drop' if $rule == $max_rule; + if ($iptables_cmd =~ /6/) { @string_words_part2=splice(@string_words, 2, 2);# source, destination } else { |