OPNsense Forum

English Forums => Development and Code Review => Topic started by: snocrash on March 11, 2021, 10:22:29 pm

Title: Rule numbers
Post by: snocrash on March 11, 2021, 10:22:29 pm
Hi All,

I have my OPNsense box feeding into Splunk via syslog, but was annoyed by the lack of rule labels outside of the web GUI. The script below will parse the /tmp/rules.debug file and pfctl output to generate a CSV with rule number, rule action (pass/block), and the rule description. Mapping this to the syslog filterlog output, you can see statistics by rule instead of just rule number. The output file is located at /tmp/ruleslist.csv

#!/usr/bin/env bash
# Requires bash (uses <<< and [[ ]]); on OPNsense install it from packages.
# Builds /tmp/ruleslist.csv: pf rule number, action and description.
rm -f /tmp/ruleslist.csv /tmp/ruleslist.tmp
#
# Create main rule list from /tmp/rules.debug
#
input1=$(grep -E 'pass|block' /tmp/rules.debug)
while IFS= read -r line || [[ -n $line ]]
do
    enabled=1
    # Lines commented out with '#' are disabled rules
    if [ "${line:0:1}" = '#' ]
    then
        enabled=0
    fi
    action=$(printf '%s\n' "$line" | cut -d " " -f1)
    if [ $enabled -eq 0 ]
    then
        action=$(printf '%s\n' "$line" | cut -d " " -f2)
    fi
    # Rule label, written as label "<id>"
    ruleid=$(printf '%s\n' "$line" | perl -nle 'print $& while m{label "\K\w+}g')
    # Trailing "# : description" or "# description"
    ruledesc=$(printf '%s\n' "$line" | perl -nle 'print $& while m{(?<!^)#\s(:\s)?\K.*}g')
    echo "$enabled,$action,$ruleid,$ruledesc" >> /tmp/ruleslist.tmp
done <<< "$input1"

#
# Map the loaded rule numbers (pfctl "@<n>") to the labels collected above
#
input2=$(pfctl -vvsr | grep @)
echo "rulenum,ruleaction,ruledesc" >> /tmp/ruleslist.csv
while IFS= read -r line || [[ -n $line ]]
do
    rulenum2=$(printf '%s\n' "$line" | perl -nle 'print $& while m{@\K\d+}g')
    ruleid2=$(printf '%s\n' "$line" | perl -nle 'print $& while m{label "\K\w+}g')
    if [ "$ruleid2" != "" ]
    then
        # Match the label as a whole field, not as a substring
        match=$(grep -m 1 -F ",$ruleid2," /tmp/ruleslist.tmp)
        ruleaction2=$(printf '%s\n' "$match" | cut -d "," -f2)
        # -f4- keeps descriptions that themselves contain commas
        ruledesc2=$(printf '%s\n' "$match" | cut -d "," -f4-)
        echo "$rulenum2,$ruleaction2,$ruledesc2" >> /tmp/ruleslist.csv
    fi
done <<< "$input2"
rm -f /tmp/ruleslist.tmp

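The correlation step the post describes (matching filterlog rule numbers against the generated csv) as an added example, not part of the original post: a shell function that joins constructed sample filterlog syslog lines with a constructed ruleslist.csv and counts hits per rule. It assumes the first comma-separated field of the filterlog payload is the pf rule number; rule 77 in the sample has no csv entry, which is what a log line from before a reload or from a deleted rule looks like.

```shell
# Constructed sample of the csv the script above writes to /tmp/ruleslist.csv
sample_rules() {
    printf '%s\n' 'rulenum,ruleaction,ruledesc' \
        '5,block,Default deny rule' \
        '23,pass,Allow LAN to any'
}

# Constructed filterlog syslog lines (payload truncated); rule 77 has no csv entry
sample_syslog() {
    printf '%s\n' \
        'Mar 11 22:10:01 fw filterlog[12345]: 5,,,0,vtnet0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,192.0.2.10,51000,22' \
        'Mar 11 22:10:02 fw filterlog[12345]: 23,,,0,vtnet1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,40000,443' \
        'Mar 11 22:10:03 fw filterlog[12345]: 5,,,0,vtnet0,match,block,in,4,0x0,,64,0,0,DF,17,udp,78,203.0.113.9,192.0.2.10,5353,53' \
        'Mar 11 22:10:04 fw filterlog[12345]: 77,,,0,vtnet0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,192.0.2.10,51001,23' \
        'Mar 11 22:10:05 fw sshd[100]: Accepted publickey for admin from 192.0.2.10'
}

# Usage: ... | rule_hits <ruleslist.csv>
# Reads syslog on stdin, prints "<hits> <rulenum> <action> <description>", most hits first.
# Assumption: the first comma-separated field after "filterlog: " is the pf rule number.
rule_hits() {
    awk -F, '
        NR == FNR {                               # first file: the rule list csv
            if (FNR == 1) next                    # skip header
            n = $1; a = $2
            sub(/^[^,]*,[^,]*,/, "")              # keep commas inside the description
            action[n] = a; desc[n] = $0
            next
        }
        /filterlog(\[[0-9]+\])?: / {              # only filterlog lines from the syslog stream
            sub(/.*filterlog(\[[0-9]+\])?: /, "") # strip syslog prefix; $0 is re-split on ","
            hits[$1]++
        }
        END {
            for (n in hits)
                printf "%d %s %s %s\n", hits[n], n, (n in action ? action[n] : "?"), (n in desc ? desc[n] : "unknown rule")
        }
    ' "$1" - | sort -rn
}

# Stand-alone demo joining the two samples
demo() {
    tmp=$(mktemp)
    sample_rules > "$tmp"
    sample_syslog | rule_hits "$tmp"
    rm -f "$tmp"
}
```

Source the file and call demo to see the join; on a real box replace the samples with /tmp/ruleslist.csv and the syslog file that Splunk reads.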

Title: Re: Rule numbers
Post by: timmyc123 on April 04, 2021, 04:41:24 am
Do you know if the rule numbers are persistent? Mine seem to be changing.

Disappointed to see that tracker ID didn't make it over from pfSense.
Title: Re: Rule numbers
Post by: franco on April 19, 2021, 08:40:15 am
> Disappointed to see that tracker ID didn't make it over from pfSense.

And I'm disappointed to see that the tracker ID didn't make it over to FreeBSD. :D

There is a portable solution for this "problem" coming soon. Have a little faith.


Cheers,
Franco
Title: Re: Rule numbers
Post by: snocrash on April 23, 2021, 07:56:16 pm
I haven't had much time to tinker with it since setting it up, but I have noticed the numbers changing as well.  I updated the list and the data was more in line with what I expected, but I'm not sure if that invalidates the earlier logs.
Title: Re: Rule numbers
Post by: franco on April 23, 2021, 07:59:53 pm
As I said, we added label support to the filterlog output, which makes these correlations safe even after reload unless a rule was deleted...

https://github.com/opnsense/ports/commit/3f8ca0d08

... it's being targeted for 21.7 release or possibly sooner.


Cheers,
Franco