From 38511df4b376f8ec5eee9af55df92f96cab0a0cf Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Wed, 18 Sep 2024 14:07:24 +0000
Subject: T6723: firewall: extend op-mode commands <show firewall ..> and a
 <show log firewall ..> in order to match all chains/priorities

---
 op-mode-definitions/firewall.xml.in | 220 ++++++++++++++++++++++++++++++++++++
 op-mode-definitions/show-log.xml.in | 125 ++++++++++++++++++++
 2 files changed, 345 insertions(+)
 mode change 100644 => 100755 op-mode-definitions/firewall.xml.in
 mode change 100644 => 100755 op-mode-definitions/show-log.xml.in

diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in
old mode 100644
new mode 100755
index b6ce5bae2..82e6c8668
--- a/op-mode-definitions/firewall.xml.in
+++ b/op-mode-definitions/firewall.xml.in
@@ -98,6 +98,138 @@
                   </node>
                 </children>
               </node>
+              <node name="input">
+                <properties>
+                  <help>Show bridge input firewall ruleset</help>
+                </properties>
+                <children>
+                  <node name="filter">
+                    <properties>
+                      <help>Show bridge input filter firewall ruleset</help>
+                    </properties>
+                    <children>
+                      <leafNode name="detail">
+                        <properties>
+                          <help>Show list view of bridge input filter firewall rules</help>
+                          <completionHelp>
+                            <path>firewall bridge input filter detail</path>
+                          </completionHelp>
+                        </properties>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+                      </leafNode>
+                      <tagNode name="rule">
+                        <properties>
+                          <help>Show summary of bridge input filter firewall rules</help>
+                          <completionHelp>
+                            <path>firewall bridge input filter rule</path>
+                          </completionHelp>
+                        </properties>
+                        <children>
+                          <leafNode name="detail">
+                            <properties>
+                              <help>Show list view of specific bridge input filter firewall rule</help>
+                              <completionHelp>
+                                <path>firewall bridge input filter detail</path>
+                              </completionHelp>
+                            </properties>
+                            <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+                          </leafNode>
+                        </children>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+                      </tagNode>
+                    </children>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+                  </node>
+                </children>
+              </node>
+              <node name="output">
+                <properties>
+                  <help>Show bridge output firewall ruleset</help>
+                </properties>
+                <children>
+                  <node name="filter">
+                    <properties>
+                      <help>Show bridge output filter firewall ruleset</help>
+                    </properties>
+                    <children>
+                      <leafNode name="detail">
+                        <properties>
+                          <help>Show list view of bridge output filter firewall rules</help>
+                          <completionHelp>
+                            <path>firewall bridge output filter detail</path>
+                          </completionHelp>
+                        </properties>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+                      </leafNode>
+                      <tagNode name="rule">
+                        <properties>
+                          <help>Show summary of bridge output filter firewall rules</help>
+                          <completionHelp>
+                            <path>firewall bridge output filter rule</path>
+                          </completionHelp>
+                        </properties>
+                        <children>
+                          <leafNode name="detail">
+                            <properties>
+                              <help>Show list view of specific bridge output filter firewall rule</help>
+                              <completionHelp>
+                                <path>firewall bridge output filter detail</path>
+                              </completionHelp>
+                            </properties>
+                            <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+                          </leafNode>
+                        </children>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+                      </tagNode>
+                    </children>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+                  </node>
+                </children>
+              </node>
+              <node name="prerouting">
+                <properties>
+                  <help>Show bridge prerouting firewall ruleset</help>
+                </properties>
+                <children>
+                  <node name="filter">
+                    <properties>
+                      <help>Show bridge prerouting filter firewall ruleset</help>
+                    </properties>
+                    <children>
+                      <leafNode name="detail">
+                        <properties>
+                          <help>Show list view of bridge prerouting filter firewall rules</help>
+                          <completionHelp>
+                            <path>firewall bridge prerouting filter detail</path>
+                          </completionHelp>
+                        </properties>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+                      </leafNode>
+                      <tagNode name="rule">
+                        <properties>
+                          <help>Show summary of bridge prerouting filter firewall rules</help>
+                          <completionHelp>
+                            <path>firewall bridge prerouting filter rule</path>
+                          </completionHelp>
+                        </properties>
+                        <children>
+                          <leafNode name="detail">
+                            <properties>
+                              <help>Show list view of specific bridge prerouting filter firewall rule</help>
+                              <completionHelp>
+                                <path>firewall bridge prerouting filter detail</path>
+                              </completionHelp>
+                            </properties>
+                            <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+                          </leafNode>
+                        </children>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+                      </tagNode>
+                    </children>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+                  </node>
+                </children>
+              </node>
               <tagNode name="name">
                 <properties>
                   <help>Show bridge custom firewall chains</help>
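Review bot: The user-typed rule value reaches the sudo'd script unquoted in every `--rule $7` command of this hunk (input, output and prerouting), so the shell applies word splitting and glob expansion to it before `firewall.py` parses it. `<completionHelp>` only offers suggestions, and whether the CLI validates that word before the command runs is not visible in this diff. Quoting it, e.g. `--rule "$7"` (and `--detail "$8"`), closes the gap; the same applies to the `--rule $7` lines in the IPv6 and IPv4 prerouting hunks below. Separately, the `detail` leaf under each `rule` tagNode here completes from `firewall bridge input filter detail` (likewise output and prerouting), while the IPv6/IPv4 hunks use `... raw rule detail`; one of the two forms looks like a copy-paste slip.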
@@ -278,6 +410,50 @@
                   </node>
                 </children>
               </node>
+              <node name="prerouting">
+                <properties>
+                  <help>Show IPv6 prerouting firewall ruleset</help>
+                </properties>
+                <children>
+                  <node name="raw">
+                    <properties>
+                      <help>Show IPv6 prerouting raw firewall ruleset</help>
+                    </properties>
+                    <children>
+                      <leafNode name="detail">
+                        <properties>
+                          <help>Show list view of IPv6 prerouting raw firewall ruleset</help>
+                          <completionHelp>
+                            <path>firewall ipv6 prerouting raw detail</path>
+                          </completionHelp>
+                        </properties>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+                      </leafNode>
+                      <tagNode name="rule">
+                        <properties>
+                          <help>Show summary of IPv6 prerouting raw firewall rules</help>
+                          <completionHelp>
+                            <path>firewall ipv6 prerouting raw rule</path>
+                          </completionHelp>
+                        </properties>
+                        <children>
+                          <leafNode name="detail">
+                            <properties>
+                              <help>Show list view of IPv6 prerouting raw firewall rules</help>
+                              <completionHelp>
+                                <path>firewall ipv6 prerouting raw rule detail</path>
+                              </completionHelp>
+                            </properties>
+                            <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+                          </leafNode>
+                        </children>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+                      </tagNode>
+                    </children>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+                  </node>
+                </children>
+              </node>
               <tagNode name="name">
                 <properties>
                   <help>Show IPv6 custom firewall chains</help>
@@ -458,6 +634,50 @@
                   </node>
                 </children>
               </node>
+              <node name="prerouting">
+                <properties>
+                  <help>Show IPv4 prerouting firewall ruleset</help>
+                </properties>
+                <children>
+                  <node name="raw">
+                    <properties>
+                      <help>Show IPv4 prerouting raw firewall ruleset</help>
+                    </properties>
+                    <children>
+                      <leafNode name="detail">
+                        <properties>
+                          <help>Show list view of IPv4 prerouting raw firewall ruleset</help>
+                          <completionHelp>
+                            <path>firewall ipv4 prerouting raw detail</path>
+                          </completionHelp>
+                        </properties>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+                      </leafNode>
+                      <tagNode name="rule">
+                        <properties>
+                          <help>Show summary of IPv4 prerouting raw firewall rules</help>
+                          <completionHelp>
+                            <path>firewall ipv4 prerouting raw rule</path>
+                          </completionHelp>
+                        </properties>
+                        <children>
+                          <leafNode name="detail">
+                            <properties>
+                              <help>Show list view of IPv4 prerouting raw firewall rules</help>
+                              <completionHelp>
+                                <path>firewall ipv4 prerouting raw rule detail</path>
+                              </completionHelp>
+                            </properties>
+                            <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+                          </leafNode>
+                        </children>
+                        <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+                      </tagNode>
+                    </children>
+                    <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+                  </node>
+                </children>
+              </node>
               <tagNode name="name">
                 <properties>
                   <help>Show IPv4 custom firewall chains</help>
diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in
old mode 100644
new mode 100755
index f0fad63d2..c2504686d
--- a/op-mode-definitions/show-log.xml.in
+++ b/op-mode-definitions/show-log.xml.in
@@ -172,6 +172,81 @@
                       </node>
                     </children>
                   </node>
+                  <node name="input">
+                    <properties>
+                      <help>Show Bridge input firewall log</help>
+                    </properties>
+                    <command>journalctl --no-hostname --boot -k | grep bri-INP</command>
+                    <children>
+                      <node name="filter">
+                        <properties>
+                          <help>Show Bridge firewall input filter</help>
+                        </properties>
+                        <command>journalctl --no-hostname --boot -k | grep bri-INP-filter</command>
+                        <children>
+                          <tagNode name="rule">
+                            <properties>
+                              <help>Show log for a rule in the specified firewall</help>
+                              <completionHelp>
+                                <path>firewall bridge input filter rule</path>
+                              </completionHelp>
+                            </properties>
+                            <command>journalctl --no-hostname --boot -k | egrep "\[bri-INP-filter-$8-[ADRJC]\]"</command>
+                          </tagNode>
+                        </children>
+                      </node>
+                    </children>
+                  </node>
+                  <node name="output">
+                    <properties>
+                      <help>Show Bridge output firewall log</help>
+                    </properties>
+                    <command>journalctl --no-hostname --boot -k | grep bri-OUT</command>
+                    <children>
+                      <node name="filter">
+                        <properties>
+                          <help>Show Bridge firewall output filter</help>
+                        </properties>
+                        <command>journalctl --no-hostname --boot -k | grep bri-OUT-filter</command>
+                        <children>
+                          <tagNode name="rule">
+                            <properties>
+                              <help>Show log for a rule in the specified firewall</help>
+                              <completionHelp>
+                                <path>firewall bridge output filter rule</path>
+                              </completionHelp>
+                            </properties>
+                            <command>journalctl --no-hostname --boot -k | egrep "\[bri-OUT-filter-$8-[ADRJC]\]"</command>
+                          </tagNode>
+                        </children>
+                      </node>
+                    </children>
+                  </node>
+                  <node name="prerouting">
+                    <properties>
+                      <help>Show Bridge prerouting firewall log</help>
+                    </properties>
+                    <command>journalctl --no-hostname --boot -k | grep bri-PRE</command>
+                    <children>
+                      <node name="filter">
+                        <properties>
+                          <help>Show Bridge firewall prerouting filter</help>
+                        </properties>
+                        <command>journalctl --no-hostname --boot -k | grep bri-PRE-filter</command>
+                        <children>
+                          <tagNode name="rule">
+                            <properties>
+                              <help>Show log for a rule in the specified firewall</help>
+                              <completionHelp>
+                                <path>firewall bridge prerouting filter rule</path>
+                              </completionHelp>
+                            </properties>
+                            <command>journalctl --no-hostname --boot -k | egrep "\[bri-PRE-filter-$8-[ADRJC]\]"</command>
+                          </tagNode>
+                        </children>
+                      </node>
+                    </children>
+                  </node>
                   <tagNode name="name">
                     <properties>
                       <help>Show custom Bridge firewall log</help>
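Review bot: The `rule` tagNode splices the typed value straight into the regex in `egrep "\[bri-INP-filter-$8-[ADRJC]\]"`, so any regex metacharacter in `$8` widens or breaks the match. The same holds for the OUT and PRE variants in this hunk and for the `ipv4-PRE-raw` / `ipv6-PRE-raw` lines in the next two hunks. Whether the CLI limits that word to digits is not visible in this diff; if it does not, a numeric check on `$8` before the pipeline would keep the filter to the one rule asked for. `egrep` is also a deprecated alias, and `grep -E "\[bri-INP-filter-$8-[ADRJC]\]"` is the drop-in form. Separately, the commit flips both `.xml.in` files to mode 100755, and nothing in the diff suggests they are meant to be executable.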
@@ -295,6 +370,31 @@
                       </node>
                     </children>
                   </node>
+                  <node name="prerouting">
+                    <properties>
+                      <help>Show firewall IPv4 prerouting log</help>
+                    </properties>
+                    <command>journalctl --no-hostname --boot -k | grep ipv4-PRE</command>
+                    <children>
+                      <node name="raw">
+                        <properties>
+                          <help>Show firewall IPv4 prerouting raw log</help>
+                        </properties>
+                        <command>journalctl --no-hostname --boot -k | grep ipv4-PRE-raw</command>
+                        <children>
+                          <tagNode name="rule">
+                            <properties>
+                              <help>Show log for a rule in the specified firewall</help>
+                              <completionHelp>
+                                <path>firewall ipv4 prerouting raw rule</path>
+                              </completionHelp>
+                            </properties>
+                            <command>journalctl --no-hostname --boot -k | egrep "\[ipv4-PRE-raw-$8-[ADRJC]\]"</command>
+                          </tagNode>
+                        </children>
+                      </node>
+                    </children>
+                  </node>
                 </children>
               </node>
               <node name="ipv6">
@@ -398,6 +498,31 @@
                       </node>
                     </children>
                   </node>
+                  <node name="prerouting">
+                    <properties>
+                      <help>Show firewall IPv6 prerouting log</help>
+                    </properties>
+                    <command>journalctl --no-hostname --boot -k | grep ipv6-PRE</command>
+                    <children>
+                      <node name="raw">
+                        <properties>
+                          <help>Show firewall IPv6 prerouting raw log</help>
+                        </properties>
+                        <command>journalctl --no-hostname --boot -k | grep ipv6-PRE-raw</command>
+                        <children>
+                          <tagNode name="rule">
+                            <properties>
+                              <help>Show log for a rule in the specified firewall</help>
+                              <completionHelp>
+                                <path>firewall ipv6 prerouting raw rule</path>
+                              </completionHelp>
+                            </properties>
+                            <command>journalctl --no-hostname --boot -k | egrep "\[ipv6-PRE-raw-$8-[ADRJC]\]"</command>
+                          </tagNode>
+                        </children>
+                      </node>
+                    </children>
+                  </node>
                 </children>
               </node>
             </children>
-- 
cgit v1.2.3