-rw-r--r-- | op-mode-definitions/firewall.xml.in | 241 | ||||
-rwxr-xr-x | src/op_mode/firewall.py | 57 |
2 files changed, 281 insertions, 17 deletions
diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in index 50d52d6ca..6a254ee11 100644 --- a/op-mode-definitions/firewall.xml.in +++ b/op-mode-definitions/firewall.xml.in @@ -19,14 +19,36 @@ <path>firewall group ipv6-network-group</path> </completionHelp> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of firewall groups</help> + <completionHelp> + <path>firewall group detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --name $4 --detail $5</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --name $4</command> </tagNode> - <leafNode name="group"> + <node name="group"> <properties> <help>Show firewall group</help> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of firewall group</help> + <completionHelp> + <path>firewall group detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --detail $4</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_group</command> - </leafNode> + </node> <node name="bridge"> <properties> <help>Show bridge firewall</help> @@ -42,6 +64,15 @@ <help>Show bridge forward filter firewall ruleset</help> </properties> <children> + <leafNode name="detail"> + <properties> + <help>Show list view of bridge forward filter firewall rules</help> + <completionHelp> + <path>firewall bridge forward filter detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command> + </leafNode> <tagNode name="rule"> <properties> <help>Show summary of bridge forward filter firewall rules</help> 
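Review bot: In the new `detail` leaf under the group tagNode, `--detail $5` forwards the literal CLI token "detail" as the value of the option, and the sibling `group detail` leaf does the same with `--detail $4`; this only works because firewall.py tests `args.detail` for truthiness, so any later check of the option's value would silently break every `detail` command. The cleaner contract is a bare flag: declare `--detail` with `action='store_true'` in the script and invoke it here as `sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --name $4 --detail`. The enclosing group tagNode starts outside the hunk.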
@@ -49,6 +80,17 @@ <path>firewall bridge forward filter rule</path> </completionHelp> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of specific bridge forward filter firewall rule</help> + <completionHelp> + <path>firewall bridge forward filter detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command> </tagNode> </children> @@ -64,6 +106,15 @@ </completionHelp> </properties> <children> + <leafNode name="detail"> + <properties> + <help>Show list view of bridge custom firewall chains</help> + <completionHelp> + <path>firewall bridge name detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command> + </leafNode> <tagNode name="rule"> <properties> <help>Show summary of bridge custom firewall ruleset</help> @@ -71,6 +122,17 @@ <path>firewall bridge name ${COMP_WORDS[5]} rule</path> </completionHelp> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of bridge custom firewall rules</help> + <completionHelp> + <path>firewall bridge name ${COMP_WORDS[5]} rule detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command> </tagNode> </children> 
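Review bot: The completionHelp path on the bridge forward filter `rule` detail leaf is `firewall bridge forward filter detail`, which is the parent ruleset path, while every other family in this commit uses the `rule detail` form (e.g. `firewall ipv6 forward filter rule detail`); change it to `<path>firewall bridge forward filter rule detail</path>` so completion stays consistent. The `detail` keyword itself takes no argument, so the completionHelp block appears to be decorative here — if the op-mode framework ignores it on a leafNode, it can be dropped entirely, but I have not confirmed that from this hunk.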
@@ -94,6 +156,15 @@ <help>Show IPv6 forward filter firewall ruleset</help> </properties> <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv6 forward filter firewall ruleset</help> + <completionHelp> + <path>firewall ipv6 forward filter detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command> + </leafNode> <tagNode name="rule"> <properties> <help>Show summary of IPv6 forward filter firewall rules</help> @@ -101,6 +172,17 @@ <path>firewall ipv6 forward filter rule</path> </completionHelp> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv6 forward filter firewall rules</help> + <completionHelp> + <path>firewall ipv6 forward filter rule detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command> </tagNode> </children> @@ -118,6 +200,15 @@ <help>Show IPv6 forward input firewall ruleset</help> </properties> <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv6 input firewall ruleset</help> + <completionHelp> + <path>firewall ipv6 input filter detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command> + </leafNode> <tagNode name="rule"> <properties> <help>Show summary of IPv6 input filter firewall rules</help> 
@@ -125,6 +216,17 @@ <path>firewall ipv6 input filter rule</path> </completionHelp> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv6 input filter firewall rules</help> + <completionHelp> + <path>firewall ipv6 input filter rule detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command> </tagNode> </children> @@ -142,6 +244,15 @@ <help>Show IPv6 output filter firewall ruleset</help> </properties> <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv6 output input firewall ruleset</help> + <completionHelp> + <path>firewall ipv6 output filter detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command> + </leafNode> <tagNode name="rule"> <properties> <help>Show summary of IPv6 output filter firewall rules</help> @@ -149,6 +260,17 @@ <path>firewall ipv6 output filter rule</path> </completionHelp> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv6 output filter firewall rules</help> + <completionHelp> + <path>firewall ipv6 output filter rule detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command> </tagNode> </children> 
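Review bot: The help text on the IPv6 output filter `detail` leaf reads `Show list view of IPv6 output input firewall ruleset`, mixing two hook names; it should be `<help>Show list view of IPv6 output filter firewall ruleset</help>` to match the adjacent rule-level help and the ipv4 counterpart. Operators see this string in `?` completion, so a wrong hook name is more than cosmetic.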
@@ -164,6 +286,15 @@ </completionHelp> </properties> <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv6 custom firewall chains</help> + <completionHelp> + <path>firewall ipv6 name detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command> + </leafNode> <tagNode name="rule"> <properties> <help>Show summary of IPv6 custom firewall ruleset</help> @@ -171,6 +302,17 @@ <path>firewall ipv6 name ${COMP_WORDS[5]} rule</path> </completionHelp> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv6 custom firewall rules</help> + <completionHelp> + <path>firewall ipv6 name ${COMP_WORDS[5]} rule detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command> </tagNode> </children> @@ -194,6 +336,15 @@ <help>Show IPv4 forward filter firewall ruleset</help> </properties> <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv4 forward filter firewall ruleset</help> + <completionHelp> + <path>firewall ipv4 forward filter detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command> + </leafNode> <tagNode name="rule"> <properties> <help>Show summary of IPv4 forward filter firewall rules</help> 
@@ -201,6 +352,17 @@ <path>firewall ipv4 forward filter rule</path> </completionHelp> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv4 forward filter firewall rules</help> + <completionHelp> + <path>firewall ipv4 forward filter rule detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command> </tagNode> </children> @@ -218,6 +380,15 @@ <help>Show IPv4 forward input firewall ruleset</help> </properties> <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv4 input filter firewall ruleset</help> + <completionHelp> + <path>firewall ipv4 input filter detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command> + </leafNode> <tagNode name="rule"> <properties> <help>Show summary of IPv4 input filter firewall rules</help> @@ -225,6 +396,17 @@ <path>firewall ipv4 input filter rule</path> </completionHelp> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv4 input filter firewall rules</help> + <completionHelp> + <path>firewall ipv4 input filter rule detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command> </tagNode> </children> 
@@ -242,6 +424,15 @@ <help>Show IPv4 output filter firewall ruleset</help> </properties> <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv4 output filter firewall ruleset</help> + <completionHelp> + <path>firewall ipv4 input output detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command> + </leafNode> <tagNode name="rule"> <properties> <help>Show summary of IPv4 output filter firewall rules</help> @@ -249,6 +440,17 @@ <path>firewall ipv4 output filter rule</path> </completionHelp> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv4 output filter firewall rules</help> + <completionHelp> + <path>firewall ipv4 input output rule detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command> </tagNode> </children> @@ -264,6 +466,15 @@ </completionHelp> </properties> <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv4 custom firewall chains</help> + <completionHelp> + <path>firewall ipv4 name detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command> + </leafNode> <tagNode name="rule"> <properties> <help>Show summary of IPv4 custom firewall ruleset</help> 
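Review bot: Both completionHelp paths added for the IPv4 output filter nodes point at a non-existent node: `firewall ipv4 input output detail` and `firewall ipv4 input output rule detail`. They should be `<path>firewall ipv4 output filter detail</path>` and `<path>firewall ipv4 output filter rule detail</path>`, mirroring the ipv6 hunk above. As written, completion for these two commands will resolve against a path that the tree does not define.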
@@ -271,6 +482,17 @@ <path>firewall ipv4 name ${COMP_WORDS[5]} rule</path> </completionHelp> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of IPv4 custom firewall ruleset</help> + <completionHelp> + <path>firewall ipv4 name ${COMP_WORDS[5]} rule detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command> </tagNode> </children> @@ -279,12 +501,23 @@ </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3</command> </node> - <leafNode name="statistics"> + <node name="statistics"> <properties> <help>Show statistics of firewall application</help> </properties> + <children> + <leafNode name="detail"> + <properties> + <help>Show list view of firewall statistics</help> + <completionHelp> + <path>firewall statistics detail</path> + </completionHelp> + </properties> + <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_statistics --detail $4</command> + </leafNode> + </children> <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show_statistics</command> - </leafNode> + </node> <leafNode name="summary"> <properties> <help>Show summary of firewall application</help> diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index cae8ace8c..25554b781 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -18,6 +18,7 @@ import argparse import ipaddress import re import tabulate +import textwrap from vyos.config import Config from vyos.utils.process import cmd 
@@ -88,6 +89,14 @@ def get_nftables_details(family, hook, priority): out[rule_id] = rule return out +def output_firewall_vertical(rules, headers): + for rule in rules: + adjusted_rule = rule + [""] * (len(headers) - len(rule)) # account for different header length, like default-action + transformed_rule = [[header, textwrap.fill(adjusted_rule[i].replace('\n', ' '), 65)] for i, header in enumerate(headers)] # create key-pair list from headers and rules lists; wrap at 100 char + + print(tabulate.tabulate(transformed_rule, tablefmt="presto")) + print() + def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=None): print(f'\n---------------------------------\n{family} Firewall "{hook} {priority}"\n') @@ -102,7 +111,7 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N if 'disable' in rule_conf: continue - row = [rule_id, rule_conf['action'], rule_conf['protocol'] if 'protocol' in rule_conf else 'all'] + row = [rule_id, textwrap.fill(rule_conf.get('description') or '', 50), rule_conf['action'], rule_conf['protocol'] if 'protocol' in rule_conf else 'all'] if rule_id in details: rule_details = details[rule_id] row.append(rule_details.get('packets', 0)) @@ -114,7 +123,7 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N def_action = firewall_conf['default_action'] if 'default_action' in firewall_conf else 'accept' else: def_action = firewall_conf['default_action'] if 'default_action' in firewall_conf else 'drop' - row = ['default', def_action, 'all'] + row = ['default', '', def_action, 'all'] rule_details = details['default-action'] row.append(rule_details.get('packets', 0)) row.append(rule_details.get('bytes', 0)) 
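Review bot: `output_firewall_vertical` calls `.replace('\n', ' ')` on every cell, but cells are not all strings: the same hunk appends `rule_details.get('packets', 0)` and `rule_details.get('bytes', 0)` to rows, and the integer fallback `0` will raise `AttributeError` the first time a rule has no counter, so the detail view crashes exactly on the rules an operator is most likely to be debugging. Coerce first, `transformed_rule = [[header, textwrap.fill(str(adjusted_rule[i]).replace('\n', ' '), 65)] for i, header in enumerate(headers)]`, and fix the trailing comment, which says "wrap at 100 char" while the code wraps at 65. The function also needs a short docstring: one table per row, headers as the key column, rows shorter than the header list padded with empty strings (the default-action row has fewer columns).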
@@ -122,8 +131,17 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N rows.append(row) if rows: - header = ['Rule', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions'] - print(tabulate.tabulate(rows, header) + '\n') + if args.rule: + rows.pop() + + if args.detail: + header = ['Rule', 'Description', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions'] + output_firewall_vertical(rows, header) + else: + header = ['Rule', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions'] + for i in rows: + rows[rows.index(i)].pop(1) + print(tabulate.tabulate(rows, header) + '\n') def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule_id=None): print(f'\n---------------------------------\n{family} Firewall "{hook} {prior}"\n') @@ -191,7 +209,7 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule if not oiface: oiface = 'any' - row = [rule_id] + row = [rule_id, textwrap.fill(rule_conf.get('description') or '', 50)] if rule_id in details: rule_details = details[rule_id] row.append(rule_details.get('packets', 0)) @@ -208,7 +226,7 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule if hook in ['input', 'forward', 'output']: - row = ['default'] + row = ['default', ''] rule_details = details['default-action'] row.append(rule_details.get('packets', 0)) row.append(rule_details.get('bytes', 0)) @@ -223,7 +241,7 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule rows.append(row) elif 'default_action' in prior_conf and not single_rule_id: - row = ['default'] + row = ['default', ''] if 'default-action' in details: rule_details = details['default-action'] row.append(rule_details.get('packets', 0)) 
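Review bot: `output_firewall_name` already receives `single_rule_id`, yet the new code reaches for the module-level `args.rule` to decide whether to drop the trailing default-action row, which couples the function to the CLI entry point and makes it untestable in isolation; use `if single_rule_id: rows.pop()`. Note also that this pops whichever row is last, so if the requested rule was disabled or absent the only row removed is the default one and nothing is printed, which is worth a comment or an explicit check that the last row is `'default'`. The column-strip loop `for i in rows: rows[rows.index(i)].pop(1)` re-searches the list on every iteration and relies on list equality rather than identity; `for row in rows: del row[1]` does the same thing in O(n) and reads as intended. The enclosing function starts outside the hunk.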
@@ -239,8 +257,14 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule rows.append(row) if rows: - header = ['Rule', 'Packets', 'Bytes', 'Action', 'Source', 'Destination', 'Inbound-Interface', 'Outbound-interface'] - print(tabulate.tabulate(rows, header) + '\n') + if args.detail: + header = ['Rule', 'Description', 'Packets', 'Bytes', 'Action', 'Source', 'Destination', 'Inbound-Interface', 'Outbound-interface'] + output_firewall_vertical(rows, header) + else: + header = ['Rule', 'Packets', 'Bytes', 'Action', 'Source', 'Destination', 'Inbound-Interface', 'Outbound-interface'] + for i in rows: + rows[rows.index(i)].pop(1) + print(tabulate.tabulate(rows, header) + '\n') def show_firewall(): print('Rulesets Information') @@ -428,7 +452,6 @@ def show_firewall_group(name=None): return out - header = ['Name', 'Type', 'References', 'Members'] rows = [] for group_type, group_type_conf in firewall['group'].items(): @@ -440,7 +463,7 @@ def show_firewall_group(name=None): continue references = find_references(group_type, group_name) - row = [group_name, group_type, '\n'.join(references) or 'N/D'] + row = [group_name, textwrap.fill(group_conf.get('description') or '', 50), group_type, '\n'.join(references) or 'N/D'] if 'address' in group_conf: row.append("\n".join(sorted(group_conf['address']))) elif 'network' in group_conf: 
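Review bot: The detail/summary switch added here in `output_firewall_name_statistics` is the third copy of the same eight lines (also in `output_firewall_name` and `show_firewall_group`): pick a header, either call `output_firewall_vertical` or strip column 1 with `rows[rows.index(i)].pop(1)` and tabulate. Factoring it into one helper such as `_print_rows(rows, headers, detail)` that drops the Description column itself would remove the duplicated pop loop and the three places where `args.detail` is read as a global inside functions that otherwise take explicit parameters. The enclosing function starts outside the hunk.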
@@ -460,13 +483,20 @@ def show_firewall_group(name=None): if dynamic_type in firewall['group']['dynamic_group']: for dynamic_name, dynamic_conf in firewall['group']['dynamic_group'][dynamic_type].items(): references = find_references(dynamic_type, dynamic_name) - row = [dynamic_name, dynamic_type + '(dynamic)', '\n'.join(references) or 'N/D'] + row = [dynamic_name, textwrap.fill(dynamic_conf.get('description') or '', 50), dynamic_type + '(dynamic)', '\n'.join(references) or 'N/D'] row.append('N/D') rows.append(row) if rows: print('Firewall Groups\n') - print(tabulate.tabulate(rows, header)) + if args.detail: + header = ['Name', 'Description','Type', 'References', 'Members'] + output_firewall_vertical(rows, header) + else: + header = ['Name', 'Type', 'References', 'Members'] + for i in rows: + rows[rows.index(i)].pop(1) + print(tabulate.tabulate(rows, header)) def show_summary(): print('Ruleset Summary') @@ -538,6 +568,7 @@ if __name__ == '__main__': parser.add_argument('--priority', help='Firewall priority', required=False, action='store', nargs='?', default='') parser.add_argument('--rule', help='Firewall Rule ID', required=False) parser.add_argument('--ipv6', help='IPv6 toggle', action='store_true') + parser.add_argument('--detail', help='Firewall view select', required=False) args = parser.parse_args() |
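Review bot: `parser.add_argument('--detail', help='Firewall view select', required=False)` declares an option that takes an arbitrary string, while every XML invocation in this commit passes it the literal token `detail` (`--detail $4` etc.) and the script only ever tests truthiness; declaring it as `parser.add_argument('--detail', help='Show each rule or group as a vertical key/value table', action='store_true')` and dropping the `$N` argument from the XML commands removes a value nobody reads and makes `--detail` fail fast if someone ever passes one. This is a script run under sudo from op-mode, so the fewer positional tokens that flow into its argv the better, even when they are fixed keywords today. The `show_firewall_group` hunk above repeats the `rows[rows.index(i)].pop(1)` idiom; `for row in rows: del row[1]` is the direct form.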