mdaitc
newbie
Topic Author
Posts: 34
Joined: Mon Mar 22, 2010 5:18 am

feature request: group by in firewall interface

Wed Mar 24, 2010 4:26 am

Hi,

a feature request:

/ip firewall print "group-by=interface"

to allow printing out rules grouped by the interface.

this would help to emulate some of the behavior seen by other vendors, such as Cisco Pix, where large rulesets might be across multiple interfaces, and it would be nice to list all of the rules for particular interfaces (either direction in or out) together.

thanks,
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: feature request: group by in firewall interface

Wed Mar 24, 2010 9:08 am

It is already possible.
/ip firewall filter print where in-interface="ether1"
 
mdaitc
newbie
Topic Author
Posts: 34
Joined: Mon Mar 22, 2010 5:18 am

Re: feature request: group by in firewall interface

Wed Mar 24, 2010 1:59 pm

my thought was slightly different.

to print out all of the firewall rules, but to group the output by interface, rather than to only print out by interface

thanks,
 
eflanery
Member
Posts: 376
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID

Re: feature request: group by in firewall interface

Wed Mar 24, 2010 11:48 pm

how about:
:foreach INT in=[/int find] do={/ip fir fil pr where in-interface=[/int get $INT name]}
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: feature request: group by in firewall interface

Thu Mar 25, 2010 12:00 am

Nice.

To filter out interfaces that don't have rules associated:
:foreach INT in=[/int find] do={:local rules [/ip fir fil find in-interface=[/int get $INT name]]; :if ([:len $rules] > 0) do={/ip fir fil print where in-interface=[/int get $INT name]}}
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: feature request: group by in firewall interface

Thu Mar 25, 2010 12:52 am

I haven't found a clean way of sorting firewall rules by a specific property, so I made a script to show me the output I want. Also, this works great if executed remotely as you can retrieve specific information for input into other systems.

Try this:
# Displays a sorted firewall list

/interface {
   :local ifacename
   :local property
   :local value
   :local findindex
   :local curline

   :foreach i in=[find] do={
      :set ifacename [get $i name]
      /ip firewall filter {
         :local ruledisabled
         :foreach f in=[print as-value where in-interface=[:tostr $ifacename]] do={
            :set curline ""
            :set ruledisabled ""
            :foreach item in=[:toarray $f] do={
               :set findindex [:find [:tostr $item] "="]
               :set property [:pick [:tostr $item] 0 $findindex]
               :set value [:pick [:tostr $item] ($findindex + 1) [:len [:tostr $item]]]

#            don't show IDs or comments (provides a cleaner output)
               :if ($property != ".id" && $property != "comment") do={
                  :set curline ($curline . " " . $property . "=" . $value)
               }

#            print as-value doesn't show disabled status; get rule's disabled status
               :if ($property = ".id") do={
                  :if ([get [:toid $value] disabled] = true) do={
                     :set ruledisabled "disabled=true" } else={
                        :set ruledisabled "disabled=false" }
               }
            }
            :put ($curline . " " . $ruledisabled)
         }
      }
   }
}
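
An added example, not part of any post in this thread: an offline way to get the grouped view for a ruleset review, working on saved `/ip firewall filter export` text instead of on the router. It goes beyond the scripts above by also grouping on out-interface and by collecting rules that have no interface matcher, which a `where in-interface=` loop never lists although they apply to every interface. The sample export is constructed, and the function names are hypothetical.

```python
import shlex
from collections import defaultdict

ANY = "(no interface matcher)"

# Constructed sample in the shape of `/ip firewall filter export` output.
SAMPLE_EXPORT = r'''/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=22 in-interface=ether2 protocol=tcp \
    comment="mgmt ssh"
add action=drop chain=input in-interface=ether1
add action=accept chain=forward in-interface=ether2 out-interface=ether1
add action=drop chain=forward disabled=yes out-interface=ether2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
'''

def parse_rules(export_text):
    """Return one dict per filter rule; 'pos' is its 1-based evaluation order."""
    rules, section = [], ""
    for line in export_text.replace("\\\n", " ").splitlines():  # unwrap lines
        line = line.strip()
        if line.startswith("/"):
            section = line  # remember which menu the following `add` lines belong to
        elif section == "/ip firewall filter" and line.startswith("add "):
            rule = dict(w.split("=", 1) for w in shlex.split(line)[1:] if "=" in w)
            rule["pos"] = len(rules) + 1
            rules.append(rule)
    return rules

def group_by_interface(rules):
    """Map interface -> [(direction, pos)]. Rules with no interface matcher
    apply to every interface and are collected under ANY. A negated matcher
    (in-interface=!ether1) is kept as its own group name."""
    groups = defaultdict(list)
    for rule in rules:
        hits = [(d, k) for d, k in (("in", "in-interface"), ("out", "out-interface"))
                if k in rule]
        for direction, key in hits:
            groups[rule[key]].append((direction, rule["pos"]))
        if not hits:
            groups[ANY].append(("any", rule["pos"]))
    return dict(groups)

def report(export_text):
    """Text report: one heading per interface, rules in evaluation order."""
    rules, lines = parse_rules(export_text), []
    for iface, members in sorted(group_by_interface(rules).items()):
        lines.append(f"== {iface}")
        for direction, pos in members:
            r = rules[pos - 1]
            state = " DISABLED" if r.get("disabled") == "yes" else ""
            lines.append(f"  #{pos} {direction:<3} {r['chain']}/{r.get('action', '?')}{state}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

A rule that sets both in-interface and out-interface appears under both interfaces, so its position number is what ties the two listings back to evaluation order.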
