

T6488: firewall: extend op-mode command to show global state-policy counters.
nicolas-fort committed Jun 19, 2024
1 parent 14dd6e5 commit 80f935c
Showing 1 changed file with 75 additions and 4 deletions.
79 changes: 75 additions & 4 deletions src/op_mode/firewall.py
Expand Up @@ -90,6 +90,36 @@ def get_nftables_details(family, hook, priority):
out[rule_id] = rule
return out

def get_nftables_state_details(family):
if family == 'ipv6':
suffix = 'ip6'
name_suffix = 'POLICY6'
elif family == 'ipv4':
suffix = 'ip'
name_suffix = 'POLICY'
else:
# no state policy for bridge
return {}

command = f'sudo nft list chain {suffix} vyos_filter VYOS_STATE_{name_suffix}'
try:
results = cmd(command)
except:
return {}

out = {}
for line in results.split('\n'):
rule = {}
for state in ['established', 'related', 'invalid']:
if state in line:
counter_search = re.search(r'counter packets (\d+) bytes (\d+)', line)
if counter_search:
rule['packets'] = counter_search[1]
rule['bytes'] = counter_search[2]
rule['conditions'] = re.sub(r'(\b(counter packets \d+ bytes \d+|drop|reject|return|log)\b|comment "[\w\-]+")', '', line).strip()
out[state] = rule
return out

def get_nftables_group_members(family, table, name):
prefix = 'ip6' if family == 'ipv6' else 'ip'
out = []
Expand Down Expand Up @@ -172,6 +202,34 @@ def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=N
rows[rows.index(i)].pop(1)
print(tabulate.tabulate(rows, header) + '\n')

def output_firewall_state_policy(family):
if family == 'bridge':
return {}
print(f'\n---------------------------------\n{family} State Policy\n')

details = get_nftables_state_details(family)
rows = []

for state, state_conf in details.items():
row = [state, state_conf['conditions']]
row.append(state_conf.get('packets', 0))
row.append(state_conf.get('bytes', 0))
row.append(state_conf.get('conditions'))
rows.append(row)

if rows:
if args.rule:
rows.pop()

if args.detail:
header = ['State', 'Conditions', 'Packets', 'Bytes']
output_firewall_vertical(rows, header)
else:
header = ['State', 'Packets', 'Bytes', 'Conditions']
for i in rows:
rows[rows.index(i)].pop(1)
print(tabulate.tabulate(rows, header) + '\n')

def output_firewall_name_statistics(family, hook, prior, prior_conf, single_rule_id=None):
print(f'\n---------------------------------\n{family} Firewall "{hook} {prior}"\n')

Expand Down Expand Up @@ -305,6 +363,10 @@ def show_firewall():
return

for family in ['ipv4', 'ipv6', 'bridge']:
if 'global_options' in firewall:
if 'state_policy' in firewall['global_options']:
output_firewall_state_policy(family)

if family in firewall:
for hook, hook_conf in firewall[family].items():
for prior, prior_conf in firewall[family][hook].items():
Expand All @@ -316,12 +378,17 @@ def show_firewall_family(family):
conf = Config()
firewall = get_config_node(conf)

if not firewall or family not in firewall:
if not firewall:
return

for hook, hook_conf in firewall[family].items():
for prior, prior_conf in firewall[family][hook].items():
output_firewall_name(family, hook, prior, prior_conf)
if 'global_options' in firewall:
if 'state_policy' in firewall['global_options']:
output_firewall_state_policy(family)

if family in firewall:
for hook, hook_conf in firewall[family].items():
for prior, prior_conf in firewall[family][hook].items():
output_firewall_name(family, hook, prior, prior_conf)

def show_firewall_name(family, hook, priority):
print('Ruleset Information')
Expand Down Expand Up @@ -622,6 +689,10 @@ def show_statistics():
return

for family in ['ipv4', 'ipv6', 'bridge']:
if 'global_options' in firewall:
if 'state_policy' in firewall['global_options']:
output_firewall_state_policy(family)

if family in firewall:
for hook, hook_conf in firewall[family].items():
for prior, prior_conf in firewall[family][hook].items():
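Review bot: In output_firewall_state_policy the detail branch hands five-element rows to a four-column header: `row` starts as `[state, state_conf['conditions']]` and then gets packets, bytes and `state_conf.get('conditions')` appended, so conditions sits at index 1 and index 4, and only the non-detail branch removes the duplicate with its `pop(1)` loop. Building the row once as `row = [state, state_conf.get('packets', 0), state_conf.get('bytes', 0), state_conf['conditions']]`, using `header = ['State', 'Packets', 'Bytes', 'Conditions']` in both branches and deleting the second append and the `rows.index(i)].pop(1)` loop makes the two outputs agree. The `if args.rule: rows.pop()` in the same function drops the last state's row whenever a rule id was requested; that appears to be carried over from output_firewall_name, where the popped row is the default-action line, and presumably does not apply to a state table. In get_nftables_state_details the bare `except:` around `cmd(command)` also swallows KeyboardInterrupt and SystemExit; catching the exception type `cmd` raises on a non-zero exit is enough to return `{}` when the VYOS_STATE_POLICY chain is absent. The nested `'global_options' in firewall` / `'state_policy' in firewall['global_options']` guard is repeated in show_firewall, show_firewall_family and show_statistics, and in the first and last it is loop-invariant, so a small helper such as `def has_state_policy(firewall): return 'state_policy' in firewall.get('global_options', {})` evaluated once before the family loop would keep the three call sites consistent.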

