| author | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-08-30 22:18:47 +0000 | 
|---|---|---|
| committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-08-30 22:18:47 +0000 | 
| commit | 3b51c8af61d845e4d870e75e4fb9f1662a23c017 (patch) | |
| tree | 03935d1269d43754fd8e28b2d7778d748c10c881 | |
| parent | af737cf57e53a08a53ec2037ee476ee9098d8216 (diff) | |
T5496: add fqdn and geo-ip matchers in op-mode command <show firewall statics>
| -rwxr-xr-x | src/op_mode/firewall.py | 16 | 
1 files changed, 14 insertions, 2 deletions
|
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 581710b31..9afc40647 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -127,7 +127,13 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
                     if not source_addr:
                         source_addr = dict_search_args(rule_conf, 'source', 'group', 'domain_group')
                         if not source_addr:
-                            source_addr = '::/0' if ipv6 else '0.0.0.0/0'
+                            source_addr = dict_search_args(rule_conf, 'source', 'fqdn')
+                            if not source_addr:
+                                source_addr = dict_search_args(rule_conf, 'source', 'geoip', 'country_code')
+                                if source_addr and 'inverse_match' in dict_search_args(rule_conf, 'source', 'geoip'):
+                                    source_addr = '!' + str(source_addr)
+                                if not source_addr:
+                                    source_addr = '::/0' if ipv6 else '0.0.0.0/0'
             # Get destination
             dest_addr = dict_search_args(rule_conf, 'destination', 'address')
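Review bot: The negated geoip branch builds the display value with `'!' + str(source_addr)`, which only reads cleanly when `country_code` is a single string. If that node can carry several codes (the schema is not visible in this hunk), the column would show a list repr such as `!['de', 'fr']` (constructed example). Operators read this table to check whether a geo rule is an allow-list or a block-list, so the negation should render unambiguously, for example `codes = source_addr if isinstance(source_addr, list) else [source_addr]` followed by `source_addr = '!' + ','.join(codes)`. The same applies to `dest_addr` in the second hunk. The enclosing function starts and ends outside the hunk.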
@@ -138,7 +144,13 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
                     if not dest_addr:
                         dest_addr = dict_search_args(rule_conf, 'destination', 'group', 'domain_group')
                         if not dest_addr:
-                            dest_addr = '::/0' if ipv6 else '0.0.0.0/0'
+                            dest_addr = dict_search_args(rule_conf, 'destination', 'fqdn')
+                            if not dest_addr:
+                                dest_addr = dict_search_args(rule_conf, 'destination', 'geoip', 'country_code')
+                                if dest_addr and 'inverse_match' in dict_search_args(rule_conf, 'destination', 'geoip'):
+                                    dest_addr = '!' + str(dest_addr)
+                                if not dest_addr:
+                                    dest_addr = '::/0' if ipv6 else '0.0.0.0/0'
             # Get inbound interface
             iiface = dict_search_args(rule_conf, 'inbound_interface', 'interface_name') |
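Review bot: The fqdn/geoip fallback added here is a line-for-line copy of the one in the source hunk, and it pushes the nested `if not dest_addr:` chain two levels deeper. Each branch also looks up the `geoip` subtree twice. A small helper taking the side name (`'source'` or `'destination'`) would keep the two columns in step, so that a later matcher cannot be added to one side and forgotten on the other. The sketch below keeps the current behaviour, including the any-address default. The earlier address and group lookups sit outside the hunk and are left as they are.

```python
def _fqdn_or_geoip(rule_conf, side, ipv6):
    """Display value for the fqdn / geoip matchers, else the any-address default."""
    fqdn = dict_search_args(rule_conf, side, 'fqdn')
    if fqdn:
        return fqdn
    # One lookup of the geoip subtree serves both the codes and the negation flag.
    geoip = dict_search_args(rule_conf, side, 'geoip') or {}
    codes = geoip.get('country_code')
    if codes:
        return '!' + str(codes) if 'inverse_match' in geoip else codes
    return '::/0' if ipv6 else '0.0.0.0/0'

# … unchanged: address and group lookups for the destination side …
                        if not dest_addr:
                            dest_addr = _fqdn_or_geoip(rule_conf, 'destination', ipv6)
```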
