From 3b51c8af61d845e4d870e75e4fb9f1662a23c017 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 30 Aug 2023 22:18:47 +0000 Subject: T5496: add fqdn and geo-ip matchers in op-mode command --- src/op_mode/firewall.py | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index 581710b31..9afc40647 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -127,7 +127,13 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_ if not source_addr: source_addr = dict_search_args(rule_conf, 'source', 'group', 'domain_group') if not source_addr: - source_addr = '::/0' if ipv6 else '0.0.0.0/0' + source_addr = dict_search_args(rule_conf, 'source', 'fqdn') + if not source_addr: + source_addr = dict_search_args(rule_conf, 'source', 'geoip', 'country_code') + if source_addr and 'inverse_match' in dict_search_args(rule_conf, 'source', 'geoip'): + source_addr = '!' + str(source_addr) + if not source_addr: + source_addr = '::/0' if ipv6 else '0.0.0.0/0' # Get destination dest_addr = dict_search_args(rule_conf, 'destination', 'address') @@ -138,7 +144,13 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_ if not dest_addr: dest_addr = dict_search_args(rule_conf, 'destination', 'group', 'domain_group') if not dest_addr: - dest_addr = '::/0' if ipv6 else '0.0.0.0/0' + dest_addr = dict_search_args(rule_conf, 'destination', 'fqdn') + if not dest_addr: + dest_addr = dict_search_args(rule_conf, 'destination', 'geoip', 'country_code') + if dest_addr and 'inverse_match' in dict_search_args(rule_conf, 'destination', 'geoip'): + dest_addr = '!' + str(dest_addr) + if not dest_addr: + dest_addr = '::/0' if ipv6 else '0.0.0.0/0' # Get inbound interface iiface = dict_search_args(rule_conf, 'inbound_interface', 'interface_name') -- cgit v1.2.3