summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2023-08-29 18:55:01 +0000
committerNicolas Fort <nicolasfort1988@gmail.com>2023-08-29 18:55:01 +0000
commit61d3cbd51591c65c70aa1c99656fd289fd30a860 (patch)
treefbe0f12ba536e0f5ab3462b3d61a3409bee7f2bb
parentcbedb76b3fd9b0ec52893b05994635b9a748bf23 (diff)
downloadvyos-1x-61d3cbd51591c65c70aa1c99656fd289fd30a860.tar.gz
vyos-1x-61d3cbd51591c65c70aa1c99656fd289fd30a860.zip
T5496: firewall op-mode: add fix for firewall statics. Include groups correct reference in source/destination column
-rwxr-xr-xsrc/op_mode/firewall.py28
1 files changed, 24 insertions, 4 deletions
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index d61fc4292..ffa78abf9 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -38,12 +38,13 @@ def get_config_firewall(conf, hook=None, priority=None, ipv6=False):
def get_nftables_details(hook, priority, ipv6=False):
suffix = '6' if ipv6 else ''
+ aux = 'IPV6_' if ipv6 else ''
name_prefix = 'NAME6_' if ipv6 else 'NAME_'
if hook == 'name' or hook == 'ipv6-name':
command = f'sudo nft list chain ip{suffix} vyos_filter {name_prefix}{priority}'
else:
up_hook = hook.upper()
- command = f'sudo nft list chain ip{suffix} vyos_filter VYOS_{up_hook}_{priority}'
+ command = f'sudo nft list chain ip{suffix} vyos_filter VYOS_{aux}{up_hook}_{priority}'
try:
results = cmd(command)
@@ -106,7 +107,7 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
ip_str = 'IPv6' if ipv6 else 'IPv4'
print(f'\n---------------------------------\n{ip_str} Firewall "{hook} {prior}"\n')
- details = get_nftables_details(prior, ipv6)
+ details = get_nftables_details(hook, prior, ipv6)
rows = []
if 'rule' in prior_conf:
@@ -117,8 +118,27 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
if 'disable' in rule_conf:
continue
- source_addr = dict_search_args(rule_conf, 'source', 'address') or '0.0.0.0/0'
- dest_addr = dict_search_args(rule_conf, 'destination', 'address') or '0.0.0.0/0'
+ # Get source
+ source_addr = dict_search_args(rule_conf, 'source', 'address')
+ if not source_addr:
+ source_addr = dict_search_args(rule_conf, 'source', 'group', 'address_group')
+ if not source_addr:
+ source_addr = dict_search_args(rule_conf, 'source', 'group', 'network_group')
+ if not source_addr:
+ source_addr = dict_search_args(rule_conf, 'source', 'group', 'domain_group')
+ if not source_addr:
+ source_addr = '0.0.0.0/0'
+
+ # Get destination
+ dest_addr = dict_search_args(rule_conf, 'destination', 'address')
+ if not dest_addr:
+ dest_addr = dict_search_args(rule_conf, 'destination', 'group', 'address_group')
+ if not dest_addr:
+ dest_addr = dict_search_args(rule_conf, 'destination', 'group', 'network_group')
+ if not dest_addr:
+ dest_addr = dict_search_args(rule_conf, 'destination', 'group', 'domain_group')
+ if not dest_addr:
+ dest_addr = '0.0.0.0/0'
row = [rule_id]
if rule_id in details: