From 484d5ab1fce46c70ec70cf09099e13d31b094f6e Mon Sep 17 00:00:00 2001 From: l0crian1 Date: Mon, 1 Apr 2024 11:14:54 -0400 Subject: modified: op-mode-definitions/firewall.xml.in - Added show firewall detail paths modified: src/op_mode/firewall.py - Added Description as a header to normal "show firewall" commands - Added 'detail' view which shows the output in a list key-pair format Description column was added for these commands and their subsections: show firewall statistics show firewall groups show firewall Detail view was added for these commands: show firewall bridge forward filter detail show firewall bridge forward filter rule detail show firewall bridge name detail show firewall bridge name rule detail show firewall ipv4 forward filter detail show firewall ipv4 forward filter rule detail show firewall ipv4 input filter detail show firewall ipv4 input filter rule detail show firewall ipv4 output filter detail show firewall ipv4 output filter rule detail show firewall ipv4 name detail show firewall ipv4 name rule detail show firewall ipv6 forward filter detail show firewall ipv6 forward filter rule detail show firewall ipv6 input filter detail show firewall ipv6 input filter rule detail show firewall ipv6 output filter detail show firewall ipv6 output filter rule detail show firewall ipv6 name detail show firewall ipv6 name rule detail show firewall group detail show firewall group detail (cherry picked from commit 025438ccacc654274efbd3bea8b13fcc73ae08b6) --- op-mode-definitions/firewall.xml.in | 241 +++++++++++++++++++++++++++++++++++- src/op_mode/firewall.py | 38 ++++-- 2 files changed, 267 insertions(+), 12 deletions(-) diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in index 50d52d6ca..6a254ee11 100644 --- a/op-mode-definitions/firewall.xml.in +++ b/op-mode-definitions/firewall.xml.in 
@@ -19,14 +19,36 @@ firewall group ipv6-network-group + + + + Show list view of firewall groups + + firewall group detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --name $4 --detail $5 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --name $4 - + Show firewall group + + + + Show list view of firewall group + + firewall group detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show_group --detail $4 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show_group - + Show bridge firewall @@ -42,6 +64,15 @@ Show bridge forward filter firewall ruleset + + + Show list view of bridge forward filter firewall rules + + firewall bridge forward filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of bridge forward filter firewall rules @@ -49,6 +80,17 @@ firewall bridge forward filter rule + + + + Show list view of specific bridge forward filter firewall rule + + firewall bridge forward filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -64,6 +106,15 @@ + + + Show list view of bridge custom firewall chains + + firewall bridge name detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of bridge custom firewall ruleset @@ -71,6 +122,17 @@ firewall bridge name ${COMP_WORDS[5]} rule + + + + Show list view of bridge custom firewall rules + + firewall bridge name ${COMP_WORDS[5]} rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 
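Review bot: Both new `detail` nodes under `group` carry the identical text `firewall group detail` next to their help, which reads like a `completionHelp` `<path>` (element tags were lost in extraction, so this is inferred); a fixed-name `node` has nothing to complete, and on the tagNode variant the path would at least have to differ from the plain `group detail` one. If these are `<completionHelp>` blocks, drop them from the `detail` leaves and keep completion only on the `group` tagNode that actually takes a value. The positional indexes (`--name $4 --detail $5` versus `--detail $4`) line up with the pre-existing `--name $4` command, so nothing needs to change there.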
@@ -94,6 +156,15 @@ Show IPv6 forward filter firewall ruleset + + + Show list view of IPv6 forward filter firewall ruleset + + firewall ipv6 forward filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv6 forward filter firewall rules @@ -101,6 +172,17 @@ firewall ipv6 forward filter rule + + + + Show list view of IPv6 forward filter firewall rules + + firewall ipv6 forward filter rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -118,6 +200,15 @@ Show IPv6 forward input firewall ruleset + + + Show list view of IPv6 input firewall ruleset + + firewall ipv6 input filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv6 input filter firewall rules @@ -125,6 +216,17 @@ firewall ipv6 input filter rule + + + + Show list view of IPv6 input filter firewall rules + + firewall ipv6 input filter rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -142,6 +244,15 @@ Show IPv6 output filter firewall ruleset + + + Show list view of IPv6 output input firewall ruleset + + firewall ipv6 output filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv6 output filter firewall rules 
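Review bot: The help for the new IPv6 output-filter `detail` node reads `Show list view of IPv6 output input firewall ruleset`, a copy-paste from the input node; it should be `Show list view of IPv6 output filter firewall ruleset` so the `?` help matches the command. The same hunk pair also uses "ruleset" for the chain-level view and "rules" for the per-rule view, which is fine as long as the IPv4 and bridge variants use the same pair of words. The pre-existing context line `Show IPv6 forward input firewall ruleset` has the same kind of slip but is not part of this change.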
@@ -149,6 +260,17 @@ firewall ipv6 output filter rule + + + + Show list view of IPv6 output filter firewall rules + + firewall ipv6 output filter rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -164,6 +286,15 @@ + + + Show list view of IPv6 custom firewall chains + + firewall ipv6 name detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv6 custom firewall ruleset @@ -171,6 +302,17 @@ firewall ipv6 name ${COMP_WORDS[5]} rule + + + + Show list view of IPv6 custom firewall rules + + firewall ipv6 name ${COMP_WORDS[5]} rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -194,6 +336,15 @@ Show IPv4 forward filter firewall ruleset + + + Show list view of IPv4 forward filter firewall ruleset + + firewall ipv4 forward filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv4 forward filter firewall rules @@ -201,6 +352,17 @@ firewall ipv4 forward filter rule + + + + Show list view of IPv4 forward filter firewall rules + + firewall ipv4 forward filter rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 
@@ -218,6 +380,15 @@ Show IPv4 forward input firewall ruleset + + + Show list view of IPv4 input filter firewall ruleset + + firewall ipv4 input filter detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv4 input filter firewall rules @@ -225,6 +396,17 @@ firewall ipv4 input filter rule + + + + Show list view of IPv4 input filter firewall rules + + firewall ipv4 input filter rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -242,6 +424,15 @@ Show IPv4 output filter firewall ruleset + + + Show list view of IPv4 output filter firewall ruleset + + firewall ipv4 input output detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv4 output filter firewall rules @@ -249,6 +440,17 @@ firewall ipv4 output filter rule + + + + Show list view of IPv4 output filter firewall rules + + firewall ipv4 input output rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -264,6 +466,15 @@ + + + Show list view of IPv4 custom firewall chains + + firewall ipv4 name detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6 + Show summary of IPv4 custom firewall ruleset 
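Review bot: The two IPv4 output-filter `detail` nodes carry `firewall ipv4 input output detail` and `firewall ipv4 input output rule detail`, which name a path that does not exist; they should read `firewall ipv4 output filter detail` and `firewall ipv4 output filter rule detail` to match the sibling IPv6 nodes. If this text is a `completionHelp` `<path>` (inferred, tags were stripped), a wrong path is silently ignored rather than reported, so it is worth correcting now while the pattern is fresh. The `$6`/`$8` indexes passed to `--detail` match the `$5 … --rule $7` positions already used by the existing commands.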
@@ -271,6 +482,17 @@ firewall ipv4 name ${COMP_WORDS[5]} rule + + + + Show list view of IPv4 custom firewall ruleset + + firewall ipv4 name ${COMP_WORDS[5]} rule detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 @@ -279,12 +501,23 @@ sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3 - + Show statistics of firewall application + + + + Show list view of firewall statistics + + firewall statistics detail + + + sudo ${vyos_op_scripts_dir}/firewall.py --action show_statistics --detail $4 + + sudo ${vyos_op_scripts_dir}/firewall.py --action show_statistics - + Show summary of firewall application diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index d9a50d1b2..b7c3d87c2 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -18,6 +18,7 @@ import argparse import ipaddress import re import tabulate +import textwrap from vyos.config import Config from vyos.utils.process import cmd @@ -88,6 +89,17 @@ def get_nftables_details(family, hook, priority): out[rule_id] = rule return out +def output_firewall_vertical(rules, headers): + if args.rule: + rules.pop() + + for rule in rules: + adjusted_rule = rule + [""] * (len(headers) - len(rule)) # account for different header length, like default-action + transformed_rule = [[header, textwrap.fill(adjusted_rule[i].replace('\n', ' '), 100)] for i, header in enumerate(headers)] # create key-pair list from headers and rules lists; wrap at 100 char + + print(tabulate.tabulate(transformed_rule, tablefmt="presto")) + print() + def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=None): print(f'\n---------------------------------\n{family} Firewall "{hook} {priority}"\n') 
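Review bot: `adjusted_rule[i].replace('\n', ' ')` assumes every cell is a string, but the packet and byte cells appended by `output_firewall_name` default to the integer `0` (`rule_details.get('packets', 0)`), so a rule without counters raises AttributeError in the detail view where the table view still prints; coerce with `str()` before wrapping. `rules.pop()` also mutates the caller's list and discards the last row (presumably the default-action row, going by the inline comment) whenever `--rule` was given, reading the module-level `args` from inside a helper, so a single disabled or missing rule can leave nothing to print. Make the drop an explicit keyword parameter that callers pass as `drop_last=bool(args.rule)` and slice instead of popping, as below. The docstring should state that rows shorter than `headers` are right-padded with empty cells.

```python
def output_firewall_vertical(rules, headers, *, drop_last=False):
    """Print each row as a two-column key/value table (the 'detail' view).

    rules: rows as built by the table printers; cells may be int or str.
    headers: column names; rows shorter than headers are padded with ''.
    drop_last: skip the final row (callers decide, instead of reading args).
    """
    if drop_last:
        rules = rules[:-1]  # do not mutate the caller's list
    for rule in rules:
        cells = [str(cell) for cell in rule] + [''] * (len(headers) - len(rule))
        pairs = [[header, textwrap.fill(cell.replace('\n', ' '), 100)]
                 for header, cell in zip(headers, cells)]
        print(tabulate.tabulate(pairs, tablefmt="presto"))
        print()
```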
@@ -102,7 +114,7 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N if 'disable' in rule_conf: continue - row = [rule_id, rule_conf.get('description', ''), rule_conf['action'], rule_conf['protocol'] if 'protocol' in rule_conf else 'all'] + row = [rule_id, textwrap.fill(rule_conf.get('description') or '', 50), rule_conf['action'], rule_conf['protocol'] if 'protocol' in rule_conf else 'all'] if rule_id in details: rule_details = details[rule_id] row.append(rule_details.get('packets', 0)) @@ -123,7 +135,10 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N if rows: header = ['Rule', 'Description', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions'] - print(tabulate.tabulate(rows, header) + '\n') + if args.detail: + output_firewall_vertical(rows, header) + else: + print(tabulate.tabulate(rows, header) + '\n') def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule_id=None): print(f'\n---------------------------------\n{family} Firewall "{hook} {prior}"\n') @@ -191,7 +206,7 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule if not oiface: oiface = 'any' - row = [rule_id, rule_conf.get('description', '')] + row = [rule_id, textwrap.fill(rule_conf.get('description') or '', 50)] if rule_id in details: rule_details = details[rule_id] row.append(rule_details.get('packets', 0)) @@ -240,7 +255,10 @@ def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule if rows: header = ['Rule', 'Description', 'Packets', 'Bytes', 'Action', 'Source', 'Destination', 'Inbound-Interface', 'Outbound-interface'] - print(tabulate.tabulate(rows, header) + '\n') + if args.detail: + output_firewall_vertical(rows, header) + else: + print(tabulate.tabulate(rows, header) + '\n') def show_firewall(): print('Rulesets Information') 
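Review bot: The `row` builders now wrap the description at 50 columns with `textwrap.fill`, but for `--detail` the vertical printer immediately flattens those newlines back to spaces and re-wraps at 100, so the first wrap is wasted work and the two views can disagree on spacing; keep the raw text in the row (`rule_conf.get('description') or ''`) and wrap only where the table is printed, e.g. `print(tabulate.tabulate([[r[0], textwrap.fill(r[1], 50), *r[2:]] for r in rows], header) + '\n')`. The `if args.detail: … else: print(tabulate…)` block is now repeated in `output_firewall_name`, `output_firewall_name_statistics` and the group printer with two different trailing-newline conventions, so a small `_print_rows(rows, header)` helper would keep them in step. Both enclosing functions begin and end outside these hunks.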
@@ -428,7 +446,7 @@ def show_firewall_group(name=None): return out - header = ['Name', 'Type', 'References', 'Members'] + header = ['Name', 'Description','Type', 'References', 'Members'] rows = [] for group_type, group_type_conf in firewall['group'].items(): @@ -440,7 +458,7 @@ def show_firewall_group(name=None): continue references = find_references(group_type, group_name) - row = [group_name, group_type, '\n'.join(references) or 'N/D'] + row = [group_name, textwrap.fill(group_conf.get('description') or '', 50), group_type, '\n'.join(references) or 'N/D'] if 'address' in group_conf: row.append("\n".join(sorted(group_conf['address']))) elif 'network' in group_conf: @@ -460,13 +478,16 @@ def show_firewall_group(name=None): if dynamic_type in firewall['group']['dynamic_group']: for dynamic_name, dynamic_conf in firewall['group']['dynamic_group'][dynamic_type].items(): references = find_references(dynamic_type, dynamic_name) - row = [dynamic_name, dynamic_type + '(dynamic)', '\n'.join(references) or 'N/D'] + row = [dynamic_name, textwrap.fill(dynamic_conf.get('description') or '', 50), dynamic_type + '(dynamic)', '\n'.join(references) or 'N/D'] row.append('N/D') rows.append(row) if rows: print('Firewall Groups\n') - print(tabulate.tabulate(rows, header)) + if args.detail: + output_firewall_vertical(rows, header) + else: + print(tabulate.tabulate(rows, header)) def show_summary(): print('Ruleset Summary') @@ -538,6 +559,7 @@ if __name__ == '__main__': parser.add_argument('--priority', help='Firewall priority', required=False, action='store', nargs='?', default='') parser.add_argument('--rule', help='Firewall Rule ID', required=False) parser.add_argument('--ipv6', help='IPv6 toggle', action='store_true') + parser.add_argument('--detail', help='Firewall view select', required=False) args = parser.parse_args() -- cgit v1.2.3
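Review bot: `--detail` is declared as a value-taking option, yet only its truthiness is tested (`if args.detail:`), and the XML always passes the literal word `detail` as `$N`, so `--detail ''` would silently fall back to the table view; declare it as `parser.add_argument('--detail', help='Show a vertical key/value view instead of a table', nargs='?', const=True, default=False)`, which accepts both the current `--detail detail` invocation and a bare `--detail`. The help string `Firewall view select` does not say what the flag does. Minor: `['Name', 'Description','Type', …]` is missing a space after the comma. The `__main__` block continues past the hunk.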