Diffstat (limited to 'src/op_mode')
-rwxr-xr-xsrc/op_mode/firewall.py52
-rwxr-xr-xsrc/op_mode/ikev2_profile_generator.py8
-rwxr-xr-xsrc/op_mode/nat.py11
-rwxr-xr-xsrc/op_mode/vpn_ike_sa.py2
4 files changed, 34 insertions, 39 deletions
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 0aea17b3a..950feb625 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -24,43 +24,33 @@ from vyos.config import Config
from vyos.util import cmd
from vyos.util import dict_search_args
-def get_firewall_interfaces(conf, firewall, name=None, ipv6=False):
- interfaces = conf.get_config_dict(['interfaces'], key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
-
+def get_firewall_interfaces(firewall, name=None, ipv6=False):
directions = ['in', 'out', 'local']
- def parse_if(ifname, if_conf):
- if 'firewall' in if_conf:
+ if 'interface' in firewall:
+ for ifname, if_conf in firewall['interface'].items():
for direction in directions:
- if direction in if_conf['firewall']:
- fw_conf = if_conf['firewall'][direction]
- name_str = f'({ifname},{direction})'
-
- if 'name' in fw_conf:
- fw_name = fw_conf['name']
+ if direction not in if_conf:
+ continue
- if not name:
- firewall['name'][fw_name]['interface'].append(name_str)
- elif not ipv6 and name == fw_name:
- firewall['interface'].append(name_str)
+ fw_conf = if_conf[direction]
+ name_str = f'({ifname},{direction})'
- if 'ipv6_name' in fw_conf:
- fw_name = fw_conf['ipv6_name']
+ if 'name' in fw_conf:
+ fw_name = fw_conf['name']
- if not name:
- firewall['ipv6_name'][fw_name]['interface'].append(name_str)
- elif ipv6 and name == fw_name:
- firewall['interface'].append(name_str)
+ if not name:
+ firewall['name'][fw_name]['interface'].append(name_str)
+ elif not ipv6 and name == fw_name:
+ firewall['interface'].append(name_str)
- for iftype in ['vif', 'vif_s', 'vif_c']:
- if iftype in if_conf:
- for vifname, vif_conf in if_conf[iftype].items():
- parse_if(f'{ifname}.{vifname}', vif_conf)
+ if 'ipv6_name' in fw_conf:
+ fw_name = fw_conf['ipv6_name']
- for iftype, iftype_conf in interfaces.items():
- for ifname, if_conf in iftype_conf.items():
- parse_if(ifname, if_conf)
+ if not name:
+ firewall['ipv6_name'][fw_name]['interface'].append(name_str)
+ elif ipv6 and name == fw_name:
+ firewall['interface'].append(name_str)
return firewall
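Review bot: `firewall['interface']` is used with two incompatible shapes in the new body: the loop header calls `.items()` on it as the interface config dict, while the `elif not ipv6 and name == fw_name:` and `elif ipv6 and name == fw_name:` branches call `.append(name_str)` on the same value, which only works on a list. If the named-lookup path of get_config_firewall initialises `firewall['interface'] = []` before calling in (that code is outside this hunk), the `.items()` call raises AttributeError; if it does not, the append raises instead. Collecting the matches in a local list and assigning it to `firewall['interface']` only after the loop has finished iterating the dict would keep the two uses apart. Separately, `firewall['name'][fw_name]['interface']` and the `ipv6_name` equivalent are indexed without checking that the referenced ruleset exists, so an interface pointing at an undefined name raises KeyError; a `if fw_name not in firewall['name']: continue` guard (or reporting the dangling reference) would be more useful to the operator.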
@@ -83,13 +73,13 @@ def get_config_firewall(conf, name=None, ipv6=False, interfaces=True):
for fw_name, name_conf in firewall['ipv6_name'].items():
name_conf['interface'] = []
- get_firewall_interfaces(conf, firewall, name, ipv6)
+ get_firewall_interfaces(firewall, name, ipv6)
return firewall
def get_nftables_details(name, ipv6=False):
suffix = '6' if ipv6 else ''
name_prefix = 'NAME6_' if ipv6 else 'NAME_'
- command = f'sudo nft list chain ip{suffix} filter {name_prefix}{name}'
+ command = f'sudo nft list chain ip{suffix} vyos_filter {name_prefix}{name}'
try:
results = cmd(command)
except:
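Review bot: `name` is interpolated unquoted into the new command string `command = f'sudo nft list chain ip{suffix} vyos_filter {name_prefix}{name}'`; whether `cmd()` hands this to a shell is not visible here, but wrapping it as `{name_prefix}{shlex.quote(name)}` (stdlib `shlex`) costs nothing and keeps an unusual ruleset name from being split into extra arguments. The bare `except:` directly below the changed line also catches KeyboardInterrupt and SystemExit; `except Exception:` is the narrowest form that still covers a failed `cmd()`. get_nftables_details continues past the end of this hunk.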
diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py
index 21561d16f..a22f04c45 100755
--- a/src/op_mode/ikev2_profile_generator.py
+++ b/src/op_mode/ikev2_profile_generator.py
@@ -119,7 +119,7 @@ config_base = ipsec_base + ['remote-access', 'connection']
pki_base = ['pki']
conf = ConfigTreeQuery()
if not conf.exists(config_base):
- exit('IPSec remote-access is not configured!')
+ exit('IPsec remote-access is not configured!')
profile_name = 'VyOS IKEv2 Profile'
if args.profile:
@@ -131,7 +131,7 @@ if args.name:
conn_base = config_base + [args.connection]
if not conf.exists(conn_base):
- exit(f'IPSec remote-access connection "{args.connection}" does not exist!')
+ exit(f'IPsec remote-access connection "{args.connection}" does not exist!')
data = conf.get_config_dict(conn_base, key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
@@ -178,7 +178,7 @@ for _, proposal in ike_proposal.items():
proposal['hash'] in set(vyos2client_integrity) and
proposal['dh_group'] in set(supported_dh_groups)):
- # We 're-code' from the VyOS IPSec proposals to the Apple naming scheme
+ # We 're-code' from the VyOS IPsec proposals to the Apple naming scheme
proposal['encryption'] = vyos2client_cipher[ proposal['encryption'] ]
proposal['hash'] = vyos2client_integrity[ proposal['hash'] ]
@@ -191,7 +191,7 @@ count = 1
for _, proposal in esp_proposals.items():
if {'encryption', 'hash'} <= set(proposal):
if proposal['encryption'] in set(vyos2client_cipher) and proposal['hash'] in set(vyos2client_integrity):
- # We 're-code' from the VyOS IPSec proposals to the Apple naming scheme
+ # We 're-code' from the VyOS IPsec proposals to the Apple naming scheme
proposal['encryption'] = vyos2client_cipher[ proposal['encryption'] ]
proposal['hash'] = vyos2client_integrity[ proposal['hash'] ]
diff --git a/src/op_mode/nat.py b/src/op_mode/nat.py
index a0496dedb..845dbbb2c 100755
--- a/src/op_mode/nat.py
+++ b/src/op_mode/nat.py
@@ -109,7 +109,7 @@ def _get_formatted_output_rules(data, direction, family):
if jmespath.search('rule.expr[*].match.left.meta', rule) else 'any'
for index, match in enumerate(jmespath.search('rule.expr[*].match', rule)):
if 'payload' in match['left']:
- if 'prefix' in match['right'] or 'set' in match['right']:
+ if isinstance(match['right'], dict) and ('prefix' in match['right'] or 'set' in match['right']):
# Merge dict src/dst l3_l4 parameters
my_dict = {**match['left']['payload'], **match['right']}
my_dict['op'] = match['op']
@@ -136,10 +136,15 @@ def _get_formatted_output_rules(data, direction, family):
dport = my_dict.get('set')
dport = ','.join(map(str, dport))
else:
- if jmespath.search('left.payload.field', match) == 'saddr':
+ field = jmespath.search('left.payload.field', match)
+ if field == 'saddr':
saddr = match.get('right')
- if jmespath.search('left.payload.field', match) == 'daddr':
+ elif field == 'daddr':
daddr = match.get('right')
+ elif field == 'sport':
+ sport = match.get('right')
+ elif field == 'dport':
+ dport = match.get('right')
else:
saddr = '::/0' if family == 'inet6' else '0.0.0.0/0'
daddr = '::/0' if family == 'inet6' else '0.0.0.0/0'
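Review bot: The new `elif field == 'sport':` and `elif field == 'dport':` branches store `match.get('right')` verbatim, so if nft's JSON carries a port range here as a dict such as `{'range': [lo, hi]}` (that shape is not visible in this hunk, but the `isinstance(..., dict)` guard above only diverts dicts holding `prefix` or `set`, so a range dict would reach this else branch) the rendered table shows the dict's repr rather than `lo-hi`. Normalising the value in both branches, e.g. `val = match.get('right'); sport = '-'.join(map(str, val['range'])) if isinstance(val, dict) and 'range' in val else val`, would keep the output consistent with the `','.join(map(str, dport))` formatting used for the set case. _get_formatted_output_rules starts before this hunk and continues after it.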
diff --git a/src/op_mode/vpn_ike_sa.py b/src/op_mode/vpn_ike_sa.py
index 00f34564a..4b44c5c15 100755
--- a/src/op_mode/vpn_ike_sa.py
+++ b/src/op_mode/vpn_ike_sa.py
@@ -71,7 +71,7 @@ if __name__ == '__main__':
args = parser.parse_args()
if not process_named_running('charon'):
- print("IPSec Process NOT Running")
+ print("IPsec Process NOT Running")
sys.exit(0)
ike_sa(args.peer, args.nat)