From 3b51c8af61d845e4d870e75e4fb9f1662a23c017 Mon Sep 17 00:00:00 2001
From: Nicolas Fort
Date: Wed, 30 Aug 2023 22:18:47 +0000
Subject: T5496: add fqdn and geo-ip matchers in op-mode command
---
src/op_mode/firewall.py | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 581710b31..9afc40647 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -127,7 +127,13 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
 if not source_addr:
 source_addr = dict_search_args(rule_conf, 'source', 'group', 'domain_group')
 if not source_addr:
- source_addr = '::/0' if ipv6 else '0.0.0.0/0'
+ source_addr = dict_search_args(rule_conf, 'source', 'fqdn')
+ if not source_addr:
+ source_addr = dict_search_args(rule_conf, 'source', 'geoip', 'country_code')
+ if source_addr and 'inverse_match' in dict_search_args(rule_conf, 'source', 'geoip'):
+ source_addr = '!' + str(source_addr)
+ if not source_addr:
+ source_addr = '::/0' if ipv6 else '0.0.0.0/0'
 # Get destination
 dest_addr = dict_search_args(rule_conf, 'destination', 'address')
@@ -138,7 +144,13 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
 if not dest_addr:
 dest_addr = dict_search_args(rule_conf, 'destination', 'group', 'domain_group')
 if not dest_addr:
- dest_addr = '::/0' if ipv6 else '0.0.0.0/0'
+ dest_addr = dict_search_args(rule_conf, 'destination', 'fqdn')
+ if not dest_addr:
+ dest_addr = dict_search_args(rule_conf, 'destination', 'geoip', 'country_code')
+ if dest_addr and 'inverse_match' in dict_search_args(rule_conf, 'destination', 'geoip'):
+ dest_addr = '!' + str(dest_addr)
+ if not dest_addr:
+ dest_addr = '::/0' if ipv6 else '0.0.0.0/0'
 # Get inbound interface
 iiface = dict_search_args(rule_conf, 'inbound_interface', 'interface_name')
-- cgit v1.2.3
From ac65673bd7b5d856246b0b73e6aeeea3c46297bc Mon Sep 17 00:00:00 2001
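Review bot: The new fqdn/geoip lookup chain is written out twice, once here for the source and again for the destination a few lines down, and the two copies have to be kept in lock-step by hand (the follow-up commit on this page already edits both); the whole chain, which starts at the `address` lookup above this hunk, belongs in one helper called as `source_addr = _rule_address(rule_conf, 'source', ipv6)` and `dest_addr = _rule_address(rule_conf, 'destination', ipv6)`. A sketch follows, with the group lookups that sit above the hunk elided; output_firewall_name_statistics starts and ends outside this hunk.
```python
def _rule_address(rule_conf, side, ipv6=False):
    """Render the `side` ('source' or 'destination') match of one rule as a table cell.

    Returns the catch-all prefix when no supported address matcher is set.
    """
    addr = dict_search_args(rule_conf, side, 'address')
    # … unchanged: the group lookups (e.g. domain_group) …
    if not addr:
        addr = dict_search_args(rule_conf, side, 'fqdn')
    if not addr:
        addr = dict_search_args(rule_conf, side, 'geoip', 'country_code')
        if addr and 'inverse_match' in dict_search_args(rule_conf, side, 'geoip'):
            addr = '!' + str(addr)
    return addr or ('::/0' if ipv6 else '0.0.0.0/0')
```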
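Review bot: After the fqdn and geoip lookups, a destination that matches on anything this chain does not render still falls through to `'::/0'`/`'0.0.0.0/0'` on the last added line, which an operator reads as "matches any destination"; that is presumably right for rules that only constrain ports, but silently wrong for any address-type matcher that is not listed here. A comment on the fallback would keep the next schema addition from being forgotten in this view, e.g. `# catch-all: no supported address matcher set; extend the chain above when adding one`. The enclosing function starts and ends outside this hunk.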
From: Nicolas Fort
Date: Mon, 4 Sep 2023 19:04:57 +0000
Subject: T5496: Change src and|or destination wildcard for any, which still makes it easy to read, and we get uniform output for both families, and will look the same when working with inet family in the future. Fix output of geo-ip matchers. Fix output for default-action rules: display N/A for counters in base chains, since they are not available.Change from N/A to N/D for empty groups, and for groups which found no reference in config
---
src/op_mode/firewall.py | 43 ++++++++++++++++++++++++++++++++-----------
1 file changed, 32 insertions(+), 11 deletions(-)
(limited to 'src')
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 9afc40647..23b4b8459 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -130,10 +130,12 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
 source_addr = dict_search_args(rule_conf, 'source', 'fqdn')
 if not source_addr:
 source_addr = dict_search_args(rule_conf, 'source', 'geoip', 'country_code')
- if source_addr and 'inverse_match' in dict_search_args(rule_conf, 'source', 'geoip'):
- source_addr = '!' + str(source_addr)
+ if source_addr:
+ source_addr = str(source_addr)[1:-1].replace('\'','')
+ if 'inverse_match' in dict_search_args(rule_conf, 'source', 'geoip'):
+ source_addr = 'NOT ' + str(source_addr)
 if not source_addr:
- source_addr = '::/0' if ipv6 else '0.0.0.0/0'
+ source_addr = 'any'
 # Get destination
 dest_addr = dict_search_args(rule_conf, 'destination', 'address')
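Review bot: `str(source_addr)[1:-1].replace('\'','')` renders the country codes by slicing Python's list repr, which only works while country_code comes back as a list; a bare str such as `'US'` would be cut to `''`, and the row would then print `any` (or `NOT ` for a negated rule) for a geo-restricted rule, the opposite of what the rule enforces. Prefer an explicit join that does not depend on the repr format: `source_addr = ', '.join(source_addr) if isinstance(source_addr, list) else str(source_addr)`. Indentation is not recoverable from this view, but the `if source_addr:` block must sit under the preceding `if not source_addr:` or it would also mangle plain addresses; output_firewall_name_statistics starts and ends outside this hunk.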
@@ -147,10 +149,12 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
 dest_addr = dict_search_args(rule_conf, 'destination', 'fqdn')
 if not dest_addr:
 dest_addr = dict_search_args(rule_conf, 'destination', 'geoip', 'country_code')
- if dest_addr and 'inverse_match' in dict_search_args(rule_conf, 'destination', 'geoip'):
- dest_addr = '!' + str(dest_addr)
+ if dest_addr:
+ dest_addr = str(dest_addr)[1:-1].replace('\'','')
+ if 'inverse_match' in dict_search_args(rule_conf, 'destination', 'geoip'):
+ dest_addr = 'NOT ' + str(dest_addr)
 if not dest_addr:
- dest_addr = '::/0' if ipv6 else '0.0.0.0/0'
+ dest_addr = 'any'
 # Get inbound interface
 iiface = dict_search_args(rule_conf, 'inbound_interface', 'interface_name')
@@ -181,7 +185,22 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
 row.append(oiface)
 rows.append(row)
- if 'default_action' in prior_conf and not single_rule_id:
+
+ if hook in ['input', 'forward', 'output']:
+ row = ['default']
+ row.append('N/A')
+ row.append('N/A')
+ if 'default_action' in prior_conf:
+ row.append(prior_conf['default_action'])
+ else:
+ row.append('accept')
+ row.append('any')
+ row.append('any')
+ row.append('any')
+ row.append('any')
+ rows.append(row)
+
+ elif 'default_action' in prior_conf and not single_rule_id:
 row = ['default']
 if 'default-action' in details:
 rule_details = details['default-action']
@@ -191,8 +210,10 @@ def output_firewall_name_statistics(hook, prior, prior_conf, ipv6=False, single_
 row.append('0')
 row.append('0')
 row.append(prior_conf['default_action'])
- row.append('0.0.0.0/0') # Source
- row.append('0.0.0.0/0') # Dest
+ row.append('any') # Source
+ row.append('any') # Dest
+ row.append('any') # inbound-interface
+ row.append('any') # outbound-interface
 rows.append(row)
 if rows:
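Review bot: The geoip branch for the destination looks up `dict_search_args(rule_conf, 'destination', 'geoip')` a second time just to test inverse_match, and renders the country codes by slicing the list repr, which yields an empty cell if country_code is ever a plain two-letter str. Fetching the geoip subtree once and joining the codes explicitly is shorter and does not depend on repr details; this assumes dict_search_args returns the subtree as a dict, which the existing `'inverse_match' in …` test already relies on. The enclosing function starts and ends outside the hunk.
```python
if not dest_addr:
    geoip = dict_search_args(rule_conf, 'destination', 'geoip') or {}
    codes = geoip.get('country_code')
    if codes:
        # country_code is expected to be a list (multi-value node); tolerate a bare str
        dest_addr = ', '.join(codes) if isinstance(codes, list) else str(codes)
        if 'inverse_match' in geoip:
            dest_addr = 'NOT ' + dest_addr
# … unchanged: 'any' fallback …
```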
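Review bot: The new base-chain branch drops the `not single_rule_id` guard that the `elif` branch below it keeps, so a single-rule query on an input/forward/output chain would print the synthetic default row alongside the requested rule; the condition should read `if hook in ['input', 'forward', 'output'] and not single_rule_id:`. The unconfigured case also hard-codes `'accept'` as the displayed default policy, which is presumably what the rendered base chain does without `default_action`, but it is worth confirming against the nftables template, since an operator auditing posture will take this row at face value. The enclosing function continues outside the hunk.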
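Review bot: The named-chain default row now carries eight cells after the two new interface appends, and the header row it is tabulated against is outside this hunk; unless that header also gained inbound/outbound interface entries, the `'any'` values land under the wrong headings. A one-line comment above the appends would make the coupling visible, e.g. `# cell order must match the table header columns`. The enclosing function starts and ends outside the hunk.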
@@ -315,7 +336,7 @@ def show_firewall_group(name=None):
 continue
 references = find_references(group_type, group_name)
- row = [group_name, group_type, '\n'.join(references) or 'N/A']
+ row = [group_name, group_type, '\n'.join(references) or 'N/D']
 if 'address' in group_conf:
 row.append("\n".join(sorted(group_conf['address'])))
 elif 'network' in group_conf:
@@ -327,7 +348,7 @@ def show_firewall_group(name=None):
 elif 'interface' in group_conf:
 row.append("\n".join(sorted(group_conf['interface'])))
 else:
- row.append('N/A')
+ row.append('N/D')
 rows.append(row)
 if rows:
-- cgit v1.2.3
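Review bot: `'N/D'` is an abbreviation nobody will decode from the table alone, and the same commit keeps `'N/A'` for unavailable counters in the rule view, so the distinction the commit message draws (not defined vs. not available) lives only in the git log. Hoist both markers into named module-level constants with a comment and use them in both places, e.g. `N_A = 'N/A'  # value exists but cannot be retrieved (e.g. base-chain counters)` and `N_D = 'N/D'  # nothing defined in config (no members / no references)`. show_firewall_group starts before and ends after this hunk.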