
Add Firewall Rule Description to "show firewall" commands
Closed, Resolved | Public | FEATURE REQUEST

Description

I think it would be useful to have the configured description as a column when looking at "show firewall" commands, particularly with the "show firewall statistics" command as it doesn't indicate any details of the rule. Output would be like this:

show firewall:

Rulesets Information

---------------------------------
ipv4 Firewall "forward filter"

Rule     Description                               Action    Protocol      Packets    Bytes  Conditions
-------  ----------------------------------------  --------  ----------  ---------  -------  ------------------------------------------------------------------------------
5        Allow return traffic from inside network  offload   all              4121   259306  ct state { established, related }  flow add @VYOS_FLOWTABLE_FLOW1
10                                                 accept    all              4121   259306  ct state { established, related }  accept
15       Drop Invalid State                        drop      all                 0        0  ct state invalid
20       Bogons                                    drop      all                 0        0  ip daddr @N_BOGONS oifname "eth0.4040"  prefix "[ipv4-FWD-filter-20-D]"
25       Allow Ping                                accept    icmp                0        0  meta l4proto icmp oifname "eth0.4040"  prefix "[ipv4-FWD-filter-25-A]"  accept
35       Allow iPerf                               accept    tcp_udp             0        0  meta l4proto { tcp, udp } th dport 5201 oifname "eth0.4040"  accept
40       Allow access to GNS3                      accept    tcp                 0        0  meta l4proto tcp ip daddr 10.0.95.24 oifname "eth0.4040"  accept
45       Traffic from Gaming PC                    accept    all                 0        0  ip saddr 10.0.201.0/24 iifname "eth0.201"  accept
50       Stealthwatch SMC                          accept    tcp                 0        0  ip daddr 10.0.95.205 tcp dport 443  accept
55       Stealthwatch Flow Collector               accept    udp              1310  1096956  ip daddr 10.0.95.206 udp dport 2055  accept
60       Allow all from Inside                     accept    all               754    40144  iifname @I_Inbound_Interfaces  accept
10001    jump to jump_test                         jump      all                 0        0  ip saddr 10.1.2.3  jump NAME_jump_test
default                                            drop      all                 0        0

---------------------------------
ipv4 Firewall "name jump_test"

Rule     Description    Action    Protocol      Packets    Bytes  Conditions
-------  -------------  --------  ----------  ---------  -------  ------------
10       jump test      drop      all                 0        0
default                 drop      all                 0        0

---------------------------------
ipv6 Firewall "forward filter"

Rule     Description    Action    Protocol      Packets    Bytes  Conditions
-------  -------------  --------  ----------  ---------  -------  ------------
10       TEST           accept    all                 0        0  accept
default                 accept    all                 0        0

---------------------------------
bridge Firewall "forward filter"

Rule     Description    Action    Protocol      Packets    Bytes  Conditions
-------  -------------  --------  ----------  ---------  -------  ------------
10                      accept    all                 0        0  accept
default                 accept    all                 0        0

show firewall statistics:

Rulesets Statistics

---------------------------------
ipv4 Firewall "forward filter"

Rule     Description                                 Packets    Bytes  Action    Source         Destination    Inbound-Interface    Outbound-interface
-------  ----------------------------------------  ---------  -------  --------  -------------  -------------  -------------------  --------------------
5        Allow return traffic from inside network       3822   240492  offload   any            any            any                  any
10                                                      3822   240492  accept    any            any            any                  any
15       Drop Invalid State                                0        0  drop      any            any            any                  any
20       Bogons                                            0        0  drop      any            BOGONS         any                  eth0.4040
25       Allow Ping                                        0        0  accept    any            any            any                  eth0.4040
35       Allow iPerf                                       0        0  accept    any            any            any                  eth0.4040
40       Allow access to GNS3                              0        0  accept    any            10.0.95.24     any                  eth0.4040
45       Traffic from Gaming PC                            0        0  accept    10.0.201.0/24  any            eth0.201             any
50       Stealthwatch SMC                                  0        0  accept    any            10.0.95.205    any                  any
55       Stealthwatch Flow Collector                    1212  1015732  accept    any            10.0.95.206    any                  any
60       Allow all from Inside                           696    37056  accept    any            any            Inbound_Interfaces   any
10001    jump to jump_test                                 0        0  jump      10.1.2.3       any            any                  any
default                                                    0        0  drop      any            any            any                  any

---------------------------------
ipv4 Firewall "name jump_test"

Rule     Description      Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  -------------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10       jump test              0        0  drop      any       any            any                  any
default                         0        0  drop      any       any            any                  any

---------------------------------
ipv6 Firewall "forward filter"

Rule     Description      Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  -------------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10       TEST                   0        0  accept    any       any            any                  any
default                         0        0  accept    any       any            any                  any

---------------------------------
bridge Firewall "forward filter"

Rule     Description      Packets    Bytes  Action    Source    Destination    Inbound-Interface    Outbound-interface
-------  -------------  ---------  -------  --------  --------  -------------  -------------------  --------------------
10                              0        0  accept    any       any            any                  any
default                         0        0  accept    any       any            any                  any

Details

Difficulty level
Easy (less than an hour)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Improvement (missing useful functionality)

Event Timeline

L0crian created this task.
L0crian changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).

Since descriptions can be very long I assume there will be a linewrap at the end?

Would it be possible to add the method MySQL is using, where you can have some terminator on the show command to get the output in lines instead of columns (in MySQL's case it's the use of "\G" instead of ";")?

Like regular output is:

Rule     Description    Action    Protocol      Packets    Bytes  Conditions
-------  -------------  --------  ----------  ---------  -------  -----------------------------------------------------------------------
20       Bogons         drop      all                 0        0  ip daddr @N_BOGONS oifname "eth0.4040"  prefix "[ipv4-FWD-filter-20-D]"
default                 drop      all                 0        0

While with an "I want this in lines instead of columns" terminator the output would be something like this instead:

Rule:        20
Description: Bogons
Action:      drop
Protocol:    all
Packets:     0
Bytes:       0
Conditions:  ip daddr @N_BOGONS oifname "eth0.4040" prefix "[ipv4-FWD-filter-20-D]"

Rule:        default
Description: 
Action:      drop
Protocol:    all
Packets:     0
Bytes:       0
Conditions:

Since descriptions can be very long I assume there will be a linewrap at the end?

It does not currently wrap, though that is something I was hoping to get feedback on. If the desire is to wrap, after how many characters should it wrap? My immediate thoughts were 50. I set this to 30 just to show how it would look in general:

Rule     Description                  Action    Protocol      Packets    Bytes  Conditions
-------  ---------------------------  --------  ----------  ---------  -------  ------------------------------------------------------------------------------
5        Allow return traffic from    offload   all              3612   227256  ct state { established, related }  flow add @VYOS_FLOWTABLE_FLOW1
         inside network

The other output should be possible, I could do something like this:

import tabulate  # already used by the existing op-mode script for the table view


def show_firewall_vertical(rules):
    # One "Header  : value" line per column, with a blank line between rules
    headers = ["Rule", "Description", "Action", "Protocol", "Packets", "Bytes", "Conditions"]

    max_header_length = max(len(header) for header in headers)

    for rule in rules:
        for header, item in zip(headers, rule):
            formatted_header = header.ljust(max_header_length)
            print(f"{formatted_header}  : {item}")
        print()


def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=None, vertical=False):
    # 'vertical' stands in for whatever op-mode switch ends up selecting this view;
    # 'rows' is built from firewall_conf by the existing body of this function (omitted here)
    if rows:
        if vertical:
            show_firewall_vertical(rows)
        else:
            header = ['Rule', 'Description', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions']
            print(tabulate.tabulate(rows, header) + '\n')

This is the output when I run it:

root@R86S:/usr/libexec/vyos/op_mode# show firewall ipv4 forward filter rule 20
Rule Information

---------------------------------
ipv4 Firewall "forward filter"

Rule         : 20
Description  : Bogons
Action       : drop
Protocol     : all
Packets      : 0
Bytes        : 0
Conditions   : ip daddr @N_BOGONS oifname "eth0.4040"  prefix "[ipv4-FWD-filter-20-D]"

Rule         : default
Description  :
Action       : drop
Protocol     : all
Packets      : 0
Bytes        : 0

We'd need a useful switch in the op-definition structure to call it for passing the arg. Maybe something like "fieldview"? Definitely open to suggestions there.

I think the wrapping should be left for the output to select, since you can either be in a regular serial console of 80x25, or some high-res mode which brings more characters per line, or even through SSH with a 4K monitor, which will have plenty of lines.
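Both layouts discussed in this thread, put together as an added example (this is not VyOS code and not L0crian's patch; it uses only the standard library, so it does not depend on tabulate). render_table wraps the Description column at a chosen width, render_vertical gives the one-field-per-line "\G"-style view, and render_for_width picks between them from the terminal width, so the wrap point is decided by the output rather than hard-coded at 30 or 50. The rows are constructed from the ipv4 "forward filter" output in the task description; the function names, the 12-character minimum and the fallback terminal size are assumptions of this example.

```python
"""Render firewall rule listings as a wrapped table or as one field per line.

Added example for this thread; not VyOS code and not the patch discussed above.
Stdlib only, so it does not depend on tabulate.
"""
import shutil
import textwrap

HEADERS = ["Rule", "Description", "Action", "Protocol", "Packets", "Bytes", "Conditions"]
NUMERIC = {"Packets", "Bytes"}   # right-aligned, as tabulate does for numbers
MIN_DESC_WIDTH = 12              # assumption: narrower than this, wrapping is pointless

# Constructed sample rows (subset of the ipv4 "forward filter" output in the task).
SAMPLE_ROWS = [
    ["5", "Allow return traffic from inside network", "offload", "all", 4121, 259306,
     "ct state { established, related }  flow add @VYOS_FLOWTABLE_FLOW1"],
    ["10", "", "accept", "all", 4121, 259306,
     "ct state { established, related }  accept"],
    ["20", "Bogons", "drop", "all", 0, 0,
     'ip daddr @N_BOGONS oifname "eth0.4040"  prefix "[ipv4-FWD-filter-20-D]"'],
    ["default", "", "drop", "all", 0, 0, ""],
]


def wrap_cell(value, width):
    """Split one cell into lines of at most `width` chars; an empty cell stays one empty line."""
    return textwrap.wrap(str(value), width) or [""]


def render_table(rows, headers=HEADERS, max_desc_width=None):
    """Column layout; the Description column wraps at max_desc_width (None = never wrap)."""
    desc = headers.index("Description")
    # Each row becomes a list of per-column line lists, padded to the row's height,
    # so a wrapped description simply continues on extra physical lines.
    wrapped = []
    for row in rows:
        cells = [wrap_cell(v, max_desc_width) if (i == desc and max_desc_width) else [str(v)]
                 for i, v in enumerate(row)]
        height = max(len(c) for c in cells)
        wrapped.append([c + [""] * (height - len(c)) for c in cells])
    widths = [len(h) for h in headers]
    for cells in wrapped:
        for i, c in enumerate(cells):
            widths[i] = max(widths[i], max(len(line) for line in c))

    def fmt(i, s):
        return s.rjust(widths[i]) if headers[i] in NUMERIC else s.ljust(widths[i])

    out = ["  ".join(fmt(i, h) for i, h in enumerate(headers)).rstrip(),
           "  ".join("-" * w for w in widths)]
    for cells in wrapped:
        for n in range(len(cells[0])):
            out.append("  ".join(fmt(i, cells[i][n]) for i in range(len(headers))).rstrip())
    return "\n".join(out)


def render_vertical(rows, headers=HEADERS):
    """One 'Field  : value' line per column, blank line between rules (the \\G-style view)."""
    label_w = max(len(h) for h in headers)
    blocks = []
    for row in rows:
        blocks.append("\n".join(f"{h.ljust(label_w)}  : {v}".rstrip()
                                for h, v in zip(headers, row)))
    return "\n\n".join(blocks)


def render_for_width(rows, headers=HEADERS, total_width=None):
    """Let the terminal decide: give the description whatever width the fixed columns
    leave over, and fall back to the vertical view when even that is too narrow."""
    if total_width is None:
        total_width = shutil.get_terminal_size((80, 25)).columns   # fallback is an assumption
    desc = headers.index("Description")
    fixed = 2 * (len(headers) - 1)          # two-space column separators
    for i, h in enumerate(headers):
        if i != desc:
            fixed += max([len(h)] + [len(str(r[i])) for r in rows])
    avail = total_width - fixed
    if avail < MIN_DESC_WIDTH:
        return render_vertical(rows, headers)
    return render_table(rows, headers, max_desc_width=avail)


if __name__ == "__main__":
    print(render_for_width(SAMPLE_ROWS, total_width=150))   # wide terminal: wrapped table
    print()
    print(render_for_width(SAMPLE_ROWS, total_width=80))    # 80-column console: vertical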

Viacheslav triaged this task as Wishlist priority. Mar 31 2024, 10:54 AM