feature request: group by in firewall interface

Hi,

A feature request:

/ip firewall print "group-by=interface"

to allow printing out rules grouped by the interface.

This would help to emulate some of the behavior seen in other vendors' products, such as the Cisco PIX, where large rulesets might be spread across multiple interfaces, and it would be nice to list all of the rules for particular interfaces (either direction, in or out) together.

thanks,

It is already possible.

/ip firewall filter print where in-interface="ether1"

My thought was slightly different.

To print out all of the firewall rules, but group the output by interface, rather than only printing out the rules of one interface.

thanks,

How about:

:foreach INT in=[/int find] do={/ip fir fil pr where in-interface=[/int get $INT name]}

Nice.

To filter out interfaces that don't have any rules associated:

:foreach INT in=[/int find] do={:local rules [/ip fir fil find in-interface=[/int get $INT name]]; :if ([:len $rules] > 0) do={/ip fir fil print where in-interface=[/int get $INT name]}}

I haven't found a clean way of sorting firewall rules by a specific property, so I made a script to show me the output I want. Also, this works great if executed remotely, as you can retrieve specific information for input into other systems.

Try this:

# Displays a sorted firewall list (rules grouped by in-interface, one line per rule)

/interface {
   :local ifacename
   :local property
   :local value
   :local findindex
   :local curline

   :foreach i in=[find] do={
      :set ifacename [get $i name]
      /ip firewall filter {
         :local ruledisabled
         :foreach f in=[print as-value where in-interface=[:tostr $ifacename]] do={
            :set curline ""
            :set ruledisabled ""
            :foreach item in=[:toarray $f] do={
#              split each "property=value" item at the first "="
               :set findindex [:find [:tostr $item] "="]
               :set property [:pick [:tostr $item] 0 $findindex]
               :set value [:pick [:tostr $item] ($findindex + 1) [:len [:tostr $item]]]

#              don't show IDs or comments (provides a cleaner output)
               :if ($property != ".id" && $property != "comment") do={
                  :set curline ($curline . " " . $property . "=" . $value)
               }

#              print as-value doesn't show disabled status; look the rule up by its .id to get it
               :if ($property = ".id") do={
                  :if ([get [:toid $value] disabled] = true) do={
                     :set ruledisabled "disabled=true"
                  } else={
                     :set ruledisabled "disabled=false"
                  }
               }
            }
            :put ($curline . " " . $ruledisabled)
         }
      }
   }
}
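As an added example, not code from this thread or from MikroTik: the grouping the original poster asked for, done off-box in Python over the text that `/ip firewall filter export` produces, which is the "executed remotely" use the last post mentions. The sample export embedded below is constructed for this example and is not a real router's configuration. The script joins the backslash line continuations that export emits, groups every rule under each interface it names (in-interface and out-interface, so one rule can appear under two interfaces), puts rules that name neither under "any", and marks disabled rules with an X the way `print` does. Helper and variable names are this example's own.

```python
"""Group RouterOS firewall filter rules by interface, off-box.

Input is text in the format produced by `/ip firewall filter export`.
"""
import shlex
from collections import OrderedDict

# Constructed sample export for this example; not taken from a real router.
SAMPLE_EXPORT = """\
# jan/01/2024 00:00:00 by RouterOS 6.49
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=22 action=accept \\
    comment="management ssh from WAN"
add chain=input in-interface=ether1 action=drop comment="drop rest from WAN"
add chain=forward in-interface=ether2 out-interface=ether1 action=accept
add chain=forward in-interface=ether1 connection-state=invalid action=drop disabled=yes
add chain=forward out-interface=ether3 action=drop
add chain=input action=accept connection-state=established,related
"""


def parse_export(text):
    """Return one dict of property -> value per `add` line.

    Export wraps long lines with a trailing backslash; those pieces are
    joined back together before the line is tokenised. Header, comment
    and `set` lines are skipped.
    """
    rules = []
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line.startswith("add "):
            continue
        rule = OrderedDict()
        # shlex keeps comment="with spaces" as a single token
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def group_rules(rules):
    """Map interface name -> list of (rule index, direction, rule).

    A rule naming both an in- and an out-interface is listed under both;
    a rule naming neither goes under the key "any".
    """
    groups = OrderedDict()
    for idx, rule in enumerate(rules):
        placed = False
        for direction in ("in-interface", "out-interface"):
            iface = rule.get(direction)
            if iface:
                groups.setdefault(iface, []).append((idx, direction, rule))
                placed = True
        if not placed:
            groups.setdefault("any", []).append((idx, None, rule))
    return groups


def format_groups(groups, hide=(".id", "comment")):
    """Render the grouped rules; disabled rules are flagged with an X."""
    lines = []
    for iface, entries in groups.items():
        lines.append("interface %s" % iface)
        for idx, direction, rule in entries:
            flag = "X" if rule.get("disabled") == "yes" else " "
            tag = "(%s)" % direction if direction else "(no interface)"
            body = " ".join("%s=%s" % (k, v) for k, v in rule.items()
                            if k not in hide)
            lines.append("  %2d %s %s %s" % (idx, flag, tag, body))
    return lines


if __name__ == "__main__":
    for line in format_groups(group_rules(parse_export(SAMPLE_EXPORT))):
        print(line)
```

The rule index printed in front of each line is the rule's position in the export, so a reviewer can map an entry back to the ordered ruleset on the router; the interface view reorders the listing but must not be mistaken for the order in which the firewall evaluates rules.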