From 543de3ad1e144d0ab8f31a47bee8b21bb1fae264 Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Fri, 14 Dec 2007 18:26:36 -0800 Subject: Initial commit of operational mode templates and scripts for the firewall subsystem.
---
 scripts/firewall/vyatta-show-firewall.pl | 90 ++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100755 scripts/firewall/vyatta-show-firewall.pl (limited to 'scripts')
diff --git a/scripts/firewall/vyatta-show-firewall.pl b/scripts/firewall/vyatta-show-firewall.pl
new file mode 100755
index 0000000..241a03a
--- /dev/null
+++ b/scripts/firewall/vyatta-show-firewall.pl
@@ -0,0 +1,90 @@
+#!/usr/bin/perl
+
+use lib "/opt/vyatta/share/perl5/";
+use VyattaConfig;
+use VyattaIpTablesRule;
+use VyattaIpTablesAddressFilter;
+
+exit 1 if ($#ARGV < 1);
+my $chain_name = $ARGV[0];
+my $xsl_file = $ARGV[1];
+my $rule_num = $ARGV[2]; # rule number to match (optional)
+
+sub numerically { $a <=> $b; }
+
+sub show_chain {
+ my $chain = shift;
+ my $fh = shift;
+
+ open(STATS, "iptables -L $chain -vn |") or exit 1;
+ my @stats = ();
+ while () {
+ if (!/^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s/) {
+ next;
+ }
+ push @stats, ($1, $2);
+ }
+ close STATS;
+
+ print $fh "\n";
+ my $config = new VyattaConfig;
+ $config->setLevel("firewall name $chain rule");
+ my @rules = sort numerically $config->listOrigNodes();
+ foreach (@rules) {
+ # just take the stats from the 1st iptables rule and remove unneeded stats
+ # (if this rule corresponds to multiple iptables rules). note that
+ # depending on how our rule is translated into multiple iptables rules,
+ # this may actually need to be the sum of all corresponding iptables stats
+ # instead of just taking the first pair.
+ my $pkts = shift @stats;
+ my $bytes = shift @stats;
+ my $rule = new VyattaIpTablesRule;
+ $rule->setupOrig("firewall name $chain rule $_");
+ my $ipt_rules = $rule->get_num_ipt_rules();
+ splice(@stats, 0, (($ipt_rules - 1) * 2));
+
+ if (defined($rule_num) && $rule_num != $_) {
+ next;
+ }
+ print $fh " \n";
+ print $fh " $_\n";
+ print $fh " $pkts\n";
+ print $fh " $bytes\n";
+ $rule->outputXml($fh);
+ print $fh " \n";
+ }
+ if (!defined($rule_num)) {
+ # dummy rule
+ print $fh " \n";
+ print $fh " 1025\n";
+ my $pkts = shift @stats;
+ my $bytes = shift @stats;
+ print $fh " $pkts\n";
+ print $fh " $bytes\n";
+ my $rule = new VyattaIpTablesRule;
+ $rule->setupDummy();
+ $rule->outputXml($fh);
+ print $fh " \n";
+ }
+ print $fh "\n";
+}
+
+if ($chain_name eq "-all") {
+ my $config = new VyattaConfig;
+ $config->setLevel("firewall name");
+ my @chains = $config->listOrigNodes();
+ foreach (@chains) {
+ print "Firewall \"$_\":\n";
+ open(RENDER, "| /opt/vyatta/libexec/xorp/render_xml $xsl_file") or exit 1;
+ show_chain($_, *RENDER{IO});
+ close RENDER;
+ print "-" x 80 . "\n";
+ }
+} else {
+ open(RENDER, "| /opt/vyatta/libexec/xorp/render_xml $xsl_file") or exit 1;
+ show_chain($chain_name, *RENDER{IO});
+ close RENDER;
+}
+
+exit 0;
+
-- cgit v1.2.3
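Review bot: Both pipe opens hand argv straight to a shell through the two-argument form — `open(STATS, "iptables -L $chain -vn |")` interpolates `$ARGV[0]` and the two `open(RENDER, "| /opt/vyatta/libexec/xorp/render_xml $xsl_file")` calls interpolate `$ARGV[1]` — so a chain name or XSL path containing shell metacharacters becomes command injection, which matters if the op-mode CLI passes the operator's typed chain name through unchecked. Use the list form, which bypasses the shell: `open(STATS, '-|', 'iptables', '-L', $chain, '-vn') or exit 1;` and `open(RENDER, '|-', '/opt/vyatta/libexec/xorp/render_xml', $xsl_file) or exit 1;` at both RENDER sites. As defense in depth, reject a `$chain_name` that is neither `-all` nor a plain `[A-Za-z0-9_-]+` token before touching iptables or the config tree, and have each `or exit 1` print a reason so an open failure is not silent. The script also lacks `use strict; use warnings;`, which should be the first two lines after the shebang.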