authorViacheslav Hletenko <v.gletenko@vyos.io>2022-02-08 08:38:12 +0000
committerViacheslav Hletenko <v.gletenko@vyos.io>2022-02-08 08:38:12 +0000
commit4ddfe9b7e72e4f1e1fc8e70c5239bf09644e6d9b (patch)
treeda5ee5898cf44f18768312cb031595a785669cbc /src/etc
parentd96bab4e6da517f07133667834cd6f8bcfb5160f (diff)
downloadvyos-1x-4ddfe9b7e72e4f1e1fc8e70c5239bf09644e6d9b.tar.gz
vyos-1x-4ddfe9b7e72e4f1e1fc8e70c5239bf09644e6d9b.zip
monitoring: T3872: Add input filter for firewall InfluxDB2
The firewall input filter collects packet and byte counters from nftables and emits them in the line-protocol format required by InfluxDB2.
Diffstat (limited to 'src/etc')
-rwxr-xr-xsrc/etc/telegraf/custom_scripts/show_firewall_input_filter.py73
1 files changed, 73 insertions, 0 deletions
diff --git a/src/etc/telegraf/custom_scripts/show_firewall_input_filter.py b/src/etc/telegraf/custom_scripts/show_firewall_input_filter.py
new file mode 100755
index 000000000..bf4bfd05d
--- /dev/null
+++ b/src/etc/telegraf/custom_scripts/show_firewall_input_filter.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+
+import json
+import re
+import time
+
+from vyos.util import cmd
+
+
+def get_nft_filter_chains():
+ """
+ Get list of nft chains for table filter
+ """
+ nft = cmd('/usr/sbin/nft --json list table ip filter')
+ nft = json.loads(nft)
+ chain_list = []
+
+ for output in nft['nftables']:
+ if 'chain' in output:
+ chain = output['chain']['name']
+ chain_list.append(chain)
+
+ return chain_list
+
+
+def get_nftables_details(name):
+ """
+ Get dict, counters packets and bytes for chain
+ """
+ command = f'/usr/sbin/nft list chain ip filter {name}'
+ try:
+ results = cmd(command)
+ except:
+ return {}
+
+ # Trick to remove 'NAME_' from chain name in the comment
+ # It was added to any chain T4218
+ # counter packets 0 bytes 0 return comment "FOO default-action accept"
+ comment_name = name.replace("NAME_", "")
+ out = {}
+ for line in results.split('\n'):
+ comment_search = re.search(rf'{comment_name}[\- ](\d+|default-action)', line)
+ if not comment_search:
+ continue
+
+ rule = {}
+ rule_id = comment_search[1]
+ counter_search = re.search(r'counter packets (\d+) bytes (\d+)', line)
+ if counter_search:
+ rule['packets'] = counter_search[1]
+ rule['bytes'] = counter_search[2]
+
+ rule['conditions'] = re.sub(r'(\b(counter packets \d+ bytes \d+|drop|reject|return|log)\b|comment "[\w\-]+")', '', line).strip()
+ out[rule_id] = rule
+ return out
+
+
+def get_nft_telegraf(name):
+ """
+ Get data for telegraf in influxDB format
+ """
+ for rule, rule_config in get_nftables_details(name).items():
+ print(f'nftables,table=filter,chain={name},'
+ f'ruleid={rule} '
+ f'pkts={rule_config["packets"]}i,'
+ f'bytes={rule_config["bytes"]}i '
+ f'{str(int(time.time()))}000000000')
+
+
+chains = get_nft_filter_chains()
+
+for chain in chains:
+ get_nft_telegraf(chain)
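Review bot: In `get_nftables_details` the chain `name` is interpolated unescaped both into the `nft list chain` command string and into the `re.search` pattern, so a chain name containing regex metacharacters (a `.` or `+`, for example) silently mis-matches rules, and if `vyos.util.cmd` executes through a shell (not visible here, but its string argument suggests so) a crafted chain name would also be interpreted by it; use `re.search(rf'{re.escape(comment_name)}[\- ](\d+|default-action)', line)` and pass the name through `shlex.quote` or an argument list. The bare `except:` around that `cmd` call also swallows `KeyboardInterrupt` and `SystemExit`; narrow it to the error type `cmd` raises on a non-zero exit (`except OSError:` if that is what it does). Separately, `get_nft_telegraf` reads `rule_config["packets"]` and `rule_config["bytes"]` unconditionally while `get_nftables_details` only sets them when `counter_search` matched, so a commented rule without a `counter` clause raises `KeyError` and aborts the whole collection run; either `continue` when the counter is absent or default with `rule_config.get("packets", 0)`. Chain names come from nft's own JSON listing, so the exposure is limited to whoever can already create chains, but a monitoring script should still not trust them.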