Add description to "show firewall" commands

I think it would be useful to have the configured description as a column when looking at “show firewall” commands, particularly with the “show firewall statistics” command as it doesn’t indicate any details of the rule. Output would be like this:

show firewall:

Rule     Description                               Action    Protocol      Packets    Bytes  Conditions
-------  ----------------------------------------  --------  ----------  ---------  -------  ------------------------------------------------------------------------------
5        Allow return traffic from inside network  offload   all              5369   337834  ct state { established, related }  flow add @VYOS_FLOWTABLE_OT1

show firewall statistics:

Rule     Description                                 Packets    Bytes  Action    Source         Destination    Inbound-Interface    Outbound-interface
-------  ----------------------------------------  ---------  -------  --------  -------------  -------------  -------------------  --------------------
5        Allow return traffic from inside network       5421   341106  offload   any            any            any                  any

I created a task to track this:
https://vyos.dev/T6188

Since descriptions can be very long I assume there will be a linewrap at the end?

Would it be possible to add the method MySQL is using, where you can have some terminator of the show command to get it in lines instead of columns (in MySQL's case it's the use of “\G” instead of “;”)?

Like regular output is:

Rule     Description    Action    Protocol      Packets    Bytes  Conditions
-------  -------------  --------  ----------  ---------  -------  -----------------------------------------------------------------------
20       Bogons         drop      all                 0        0  ip daddr @N_BOGONS oifname "eth0.4040"  prefix "[ipv4-FWD-filter-20-D]"
default                 drop      all                 0        0

While with a “I want this in lines instead of columns” terminator the output would be something like this instead:

Rule:        20
Description: Bogons
Action:      drop
Protocol:    all
Packets:     0
Bytes:       0
Conditions:  ip daddr @N_BOGONS oifname "eth0.4040" prefix "[ipv4-FWD-filter-20-D]"

Rule:        default
Description: 
Action:      drop
Protocol:    all
Packets:     0
Bytes:       0
Conditions:  

Since descriptions can be very long I assume there will be a linewrap at the end?

It does not currently wrap, though that is something I was hoping to get feedback on. If the desire is to wrap, after how many characters should it wrap? My immediate thoughts were 50. I set this to 30 just to show how it would look in general:

Rule     Description                  Action    Protocol      Packets    Bytes  Conditions
-------  ---------------------------  --------  ----------  ---------  -------  ------------------------------------------------------------------------------
5        Allow return traffic from    offload   all              3612   227256  ct state { established, related }  flow add @VYOS_FLOWTABLE_FLOW1
         inside network

The other output should be possible, I could do something like this:

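import tabulate

def show_firewall_vertical(rules):
    # Print each rule as one "Header  : value" line per field instead of a table row
    headers = ["Rule", "Description", "Action", "Protocol", "Packets", "Bytes", "Conditions"]

    # Pad every header to the longest one so the colons line up
    max_header_length = max(len(header) for header in headers)

    for rule in rules:
        for header, item in zip(headers, rule):
            formatted_header = header.ljust(max_header_length)
            print(f"{formatted_header}  : {item}")
        print()

def output_firewall_name(family, hook, priority, firewall_conf, single_rule_id=None, vertical=False):
    # "vertical" is a placeholder for "<some arg is passed>"; the real switch name is undecided
    rows = []  # placeholder: the code that builds rows from firewall_conf is not shown here
    if rows:
        if vertical:
            show_firewall_vertical(rows)
        else:
            header = ['Rule', 'Description', 'Action', 'Protocol', 'Packets', 'Bytes', 'Conditions']
            print(tabulate.tabulate(rows, header) + '\n')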

This is the output when I run it:

root@R86S:/usr/libexec/vyos/op_mode# show firewall ipv4 forward filter rule 20
Rule Information

---------------------------------
ipv4 Firewall "forward filter"

Rule         : 20
Description  : Bogons
Action       : drop
Protocol     : all
Packets      : 0
Bytes        : 0
Conditions   : ip daddr @N_BOGONS oifname "eth0.4040"  prefix "[ipv4-FWD-filter-20-D]"

Rule         : default
Description  :
Action       : drop
Protocol     : all
Packets      : 0
Bytes        : 0

We’d need a useful switch in the op-definition structure to call it for passing the arg. Maybe something like “fieldview”? Definitely open to suggestions there.

The horizontal wrapping can be tricky and should probably be left for the output to select on its own.

Like if you use a regular 80x25 console it will wrap at 80 chars, but the console can also be in highres mode where there will be more characters before end of line. Same if you log in through SSH and perform the same “show firewall rules” from your 4k display.

While the vertical show I would prefer to have something like this:

Rule       : 20
Description: Bogons
Action     : drop
Protocol   : all
Packets    : 0
Bytes      : 0
Conditions : ip daddr @N_BOGONS oifname "eth0.4040"  prefix "[ipv4-FWD-filter-20-D]"

Rule       : default
Description:
Action     : drop
Protocol   : all
Packets    : 0
Bytes      : 0
Conditions :

In my example I saved 2 chars per line (compared to your example), as in I moved the “:” close to the title and then just a single whitespace to the right of it for the title with the most characters (and the others would be lined up to that).

I think the function name is good to have show_firewall() vs show_firewall_vertical() but I don't have any good idea of what the command itself should be in the op mode.

Like if it should be:

  1. show firewall
  2. show firewall mode horizontal
  3. show firewall mode vertical

The “horizontal” and “vertical” could be available through tab-completion. While “show firewall” should default to be the same as “show firewall mode horizontal”.

Personally I would prefer to have both “show firewall” and “show firewall mode horizontal” even if they for now output the same.

Instead of “mode” it could be “display” or so.

Reason of having “mode” (or whatever the name will be) is to also be able to select to see just a single rule such as “show firewall chain input rule 20 mode vertical”.

I like ‘display’ for the switch. It’ll also allow for additional views like a JSON view later if people want to add it.

The default view will be the table view, and the additional display formats can be called as options.

Usage example:
show firewall ipv4 forward filter - will display output in the familiar table view
show firewall ipv4 forward filter display list - will display the output in a key-field format

The wrapping I was talking about specifically was the column when it’s in the table view. The entire output will already wrap to the user's session, but if I don’t limit the column width of the description, it’ll make the entire line wrap on itself and be very ugly and unreadable.

No wrapping in the column:

Wrapping the column at 50 characters:

Rule     Description                                        Action    Protocol      Packets    Bytes  Conditions
-------  -------------------------------------------------  --------  ----------  ---------  -------  -----------------------------------------
10       This is a test This is a test This is a test This  accept    all               553    34826  ct state { established, related }  accept
         is a test This is a test This is a test This is a
         test This is a test This is a test This is a test
         This is a test This is a test This is a test This
         is a test This is a test This is a test This is a
         test

@Apachez

I finished this change, feel free to take it for a test:

Based on comments in the PR, I went with ‘detail’ as the switch.

Description column was added for these commands and their subsections. Descriptions are wrapped at 50 characters for readability with long descriptions:

show firewall statistics
show firewall groups
show firewall <family>

Description Headers output:
vyos@vyos:~$ show firewall ipv4 forward filter
Ruleset Information

---------------------------------
ipv4 Firewall "forward filter"

Rule     Description    Action    Protocol      Packets    Bytes  Conditions
-------  -------------  --------  ----------  ---------  -------  ------------
10       TEST           accept    all                 0        0  accept
default                 accept    all                 0        0

vyos@vyos:~$ show firewall group
Firewall Groups

Name    Description    Type                         References    Members
------  -------------  ---------------------------  ------------  -----------------
TEST    TEST           address_group                N/D           1.1.1.1
TEST    TEST           domain_group                 N/D           www.google.com
TEST    TEST           address_group(dynamic)       N/D           N/D
TEST    TEST           ipv6_address_group(dynamic)  N/D           N/D
TEST    TEST           interface_group              N/D           eth0
TEST    TEST           ipv6_address_group           N/D           2001::1
TEST    TEST           ipv6_network_group           N/D           2001::1/128
TEST    TEST           mac_group                    N/D           aa:bb:cc:dd:ee:f0
TEST    TEST           network_group                N/D           1.1.1.1/32
TEST    TEST           port_group                   N/D           22

Detail view was added for these commands. Values are wrapped to 100 characters for readability:

show firewall bridge forward filter detail
show firewall bridge forward filter rule <rule#> detail
show firewall bridge name <chain> detail
show firewall bridge name <chain> rule <rule#> detail

show firewall ipv4 forward filter detail
show firewall ipv4 forward filter rule <rule#> detail
show firewall ipv4 input filter detail
show firewall ipv4 input filter rule <rule#> detail
show firewall ipv4 output filter detail
show firewall ipv4 output filter rule <rule#> detail
show firewall ipv4 name <chain> detail
show firewall ipv4 name <chain> rule <rule#> detail

show firewall ipv6 forward filter detail
show firewall ipv6 forward filter rule <rule#> detail
show firewall ipv6 input filter detail
show firewall ipv6 input filter rule <rule#> detail
show firewall ipv6 output filter detail
show firewall ipv6 output filter rule <rule#> detail
show firewall ipv6 name <chain> detail
show firewall ipv6 name <chain> rule <rule#> detail

show firewall group detail
show firewall group <group> detail

Detail output:
vyos@vyos:~$ show firewall ipv4 forward filter detail
Ruleset Information

---------------------------------
ipv4 Firewall "forward filter"

 Rule        | 10
 Description | TEST
 Action      | accept
 Protocol    | all
 Packets     | 0
 Bytes       | 0
 Conditions  | accept

 Rule        | default
 Description |
 Action      | accept
 Protocol    | all
 Packets     | 0
 Bytes       | 0
 Conditions  |

vyos@vyos:~$ show firewall ipv4 forward filter rule 10 detail
Rule Information

---------------------------------
ipv4 Firewall "forward filter"

 Rule        | 10
 Description | TEST
 Action      | accept
 Protocol    | all
 Packets     | 0
 Bytes       | 0
 Conditions  | accept
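The two views described in the post above (Description column wrapped at 50 characters in the table, values wrapped at 100 in the detail view), as an added example that is not the VyOS implementation or code from this thread. It uses only the standard library's textwrap where the thread's sketch uses tabulate; the function names, the left-aligned counters and the sample rules are assumptions.

```python
import textwrap

HEADERS = ["Rule", "Description", "Action", "Protocol", "Packets", "Bytes", "Conditions"]

def render_table(rows, desc_width=50):
    """Table view: wrap only the Description column onto continuation lines."""
    wrapped = []
    for row in rows:
        cells = [str(c) for c in row]
        # Only the Description cell (index 1) is wrapped; an empty one still yields a line.
        wrapped.append((cells, textwrap.wrap(cells[1], desc_width) or [""]))
    widths = [len(h) for h in HEADERS]
    for cells, desc in wrapped:
        for i, c in enumerate(cells):
            widths[i] = max(widths[i], max(map(len, desc)) if i == 1 else len(c))

    def fmt(cells):
        return "  ".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()

    out = [fmt(HEADERS), "  ".join("-" * w for w in widths)]
    for cells, desc in wrapped:
        out.append(fmt(cells[:1] + [desc[0]] + cells[2:]))
        # Continuation lines carry only the rest of the description.
        for extra in desc[1:]:
            out.append(fmt(["", extra] + [""] * (len(HEADERS) - 2)))
    return "\n".join(out)

def render_detail(rows, value_width=100):
    """Detail view: one ' Header | value' line per field, long values wrapped."""
    label_w = max(len(h) for h in HEADERS)
    out = []
    for row in rows:
        for header, value in zip(HEADERS, row):
            lines = textwrap.wrap(str(value), value_width) or [""]
            out.append(f" {header.ljust(label_w)} | {lines[0]}".rstrip())
            for extra in lines[1:]:
                out.append(f" {' ' * label_w} | {extra}")
        out.append("")
    return "\n".join(out)

# Constructed sample rules (not taken from a real device).
SAMPLE = [
    ["10", "This is a test " * 17, "accept", "all", 553, 34826,
     "ct state { established, related }  accept"],
    ["default", "", "accept", "all", 0, 0, ""],
]

if __name__ == "__main__":
    print(render_table(SAMPLE))
    print("\n" + render_detail(SAMPLE))
```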

I like the idea of showing more details,

root@R86S:/usr/libexec/vyos/op_mode# show firewall ipv4 forward filter rule 20
Rule Information

---------------------------------
ipv4 Firewall "forward filter"

Rule         : 20
Description  : Bogons
Action       : drop
Protocol     : all
Packets      : 0
Bytes        : 0
Conditions   : ip daddr @N_BOGONS oifname "eth0.4040"  prefix "[ipv4-FWD-filter-20-D]"

Rule         : default
Description  :
Action       : drop
Protocol     : all
Packets      : 0
Bytes        : 0

It should be useful when one needs a clear output.
