authorNicolas Fort <nicolasfort1988@gmail.com>2023-09-04 19:04:57 +0000
committerNicolas Fort <nicolasfort1988@gmail.com>2023-09-04 19:04:57 +0000
commitac65673bd7b5d856246b0b73e6aeeea3c46297bc (patch)
tree4e8305145681ee75eca183d432fee444e3f7d1ba
parent3b51c8af61d845e4d870e75e4fb9f1662a23c017 (diff)
downloadvyos-1x-ac65673bd7b5d856246b0b73e6aeeea3c46297bc.tar.gz
vyos-1x-ac65673bd7b5d856246b0b73e6aeeea3c46297bc.zip
T5496: Change src and|or destination wildcard for any, which still makes it easy to read, and we get uniform output for both families, and will look the same when working with inet family in the future. Fix output of geo-ip matchers. Fix output for default-action rules: display N/A for counters in base chains, since they are not available. Change from N/A to N/D for empty groups, and for groups which found no reference in config
-rwxr-xr-xsrc/op_mode/firewall.py43
1 files changed, 32 insertions, 11 deletions
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 9afc40647..23b4b8459 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -130,10 +130,12 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
source_addr = dict_search_args(rule_conf, 'source', 'fqdn')
if not source_addr:
source_addr = dict_search_args(rule_conf, 'source', 'geoip', 'country_code')
- if source_addr and 'inverse_match' in dict_search_args(rule_conf, 'source', 'geoip'):
- source_addr = '!' + str(source_addr)
+ if source_addr:
+ source_addr = str(source_addr)[1:-1].replace('\'','')
+ if 'inverse_match' in dict_search_args(rule_conf, 'source', 'geoip'):
+ source_addr = 'NOT ' + str(source_addr)
if not source_addr:
- source_addr = '::/0' if ipv6 else '0.0.0.0/0'
+ source_addr = 'any'
# Get destination
dest_addr = dict_search_args(rule_conf, 'destination', 'address')
@@ -147,10 +149,12 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
dest_addr = dict_search_args(rule_conf, 'destination', 'fqdn')
if not dest_addr:
dest_addr = dict_search_args(rule_conf, 'destination', 'geoip', 'country_code')
- if dest_addr and 'inverse_match' in dict_search_args(rule_conf, 'destination', 'geoip'):
- dest_addr = '!' + str(dest_addr)
+ if dest_addr:
+ dest_addr = str(dest_addr)[1:-1].replace('\'','')
+ if 'inverse_match' in dict_search_args(rule_conf, 'destination', 'geoip'):
+ dest_addr = 'NOT ' + str(dest_addr)
if not dest_addr:
- dest_addr = '::/0' if ipv6 else '0.0.0.0/0'
+ dest_addr = 'any'
# Get inbound interface
iiface = dict_search_args(rule_conf, 'inbound_interface', 'interface_name')
@@ -181,7 +185,22 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
row.append(oiface)
rows.append(row)
- if 'default_action' in prior_conf and not single_rule_id:
+
+ if hook in ['input', 'forward', 'output']:
+ row = ['default']
+ row.append('N/A')
+ row.append('N/A')
+ if 'default_action' in prior_conf:
+ row.append(prior_conf['default_action'])
+ else:
+ row.append('accept')
+ row.append('any')
+ row.append('any')
+ row.append('any')
+ row.append('any')
+ rows.append(row)
+
+ elif 'default_action' in prior_conf and not single_rule_id:
row = ['default']
if 'default-action' in details:
rule_details = details['default-action']
@@ -191,8 +210,10 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
row.append('0')
row.append('0')
row.append(prior_conf['default_action'])
- row.append('0.0.0.0/0') # Source
- row.append('0.0.0.0/0') # Dest
+ row.append('any') # Source
+ row.append('any') # Dest
+ row.append('any') # inbound-interface
+ row.append('any') # outbound-interface
rows.append(row)
if rows:
@@ -315,7 +336,7 @@ def show_firewall_group(name=None):
continue
references = find_references(group_type, group_name)
- row = [group_name, group_type, '\n'.join(references) or 'N/A']
+ row = [group_name, group_type, '\n'.join(references) or 'N/D']
if 'address' in group_conf:
row.append("\n".join(sorted(group_conf['address'])))
elif 'network' in group_conf:
@@ -327,7 +348,7 @@ def show_firewall_group(name=None):
elif 'interface' in group_conf:
row.append("\n".join(sorted(group_conf['interface'])))
else:
- row.append('N/A')
+ row.append('N/D')
rows.append(row)
if rows:
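Review bot: The new geo-ip formatting on the `source_addr = str(source_addr)[1:-1].replace('\'','')` line in the first hunk (and its twin for dest_addr in the second) depends on the repr of a list and would silently strip the first and last character of the value if country_code ever arrives as a bare string rather than a list — I cannot tell from these hunks whether the config dict guarantees a list there, and a mangled or empty matcher in firewall output is the kind of thing an operator reviewing rules would not notice. A join has no such failure mode and does not depend on repr formatting: `source_addr = ', '.join(source_addr) if isinstance(source_addr, list) else str(source_addr)`, with the same one-line change for dest_addr. Separately, in the third hunk the new base-chain branch `if hook in ['input', 'forward', 'output']:` appends the default row even when single_rule_id is set, whereas the retained `elif 'default_action' in prior_conf and not single_rule_id:` still suppresses it for single-rule output; if that asymmetry is unintended, the new branch should carry the same `and not single_rule_id` condition. output_firewall_name_statistics starts before and ends after these hunks.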