ufw

Comment 14 for bug 916961

GeorgeAllen (glallen01) wrote :

I know this is an old thread - but here is another example of how this could be useful:

If I had a device set up where `ufw status numbered` resulted in:
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] Anywhere ALLOW IN 10.10.0.0/16
[ 3] Anywhere ALLOW IN 172.16.20.2
[ 4] Anywhere ALLOW IN 172.16.20.3
[ 5] Anywhere ALLOW IN 172.16.20.4
[ 6] 22,4505,4506,7736/tcp ALLOW IN 172.16.30.2
[ 7] 22,4505,4506,7736/tcp ALLOW IN 172.16.30.3
[ 8] 22,4505,4506,7736/tcp ALLOW IN 172.16.30.4
[ 9] 443,7734/tcp ALLOW IN 172.16.20.0/24

And I wanted to change this by changing all the 172.16 IPs to 192.168. Following the unix philosophy of composable text outputs, I should be able to do this through pipes.
If I were on a vyatta system, I could fairly simply do something like:

show config commands | grep firewall | grep '172\.16' > tmp;
cat tmp | sed "s/set/delete/" > update.sh
cat tmp | sed "s/172\.16/192.168/" >> update.sh
config
. ./update.sh
commit
save

This selects the firewall rules, selects the rules for these IPs, removes the old and adds the new.

To do the equivalent with UFW, I have to do the following to delete the existing rules:
# Loop until no rule mentioning 172.16 remains. Rule numbers shift after every
# delete, so the status output has to be re-read on each iteration.
while ufw status numbered | grep -q '172\.16'; do
  # Take the number between '[' and ']' of the first matching line.
  LINE=$( ufw status numbered | awk '/172\.16/{print substr($0,match($0,/\[/)+1,2) }' | head -n 1);
  ufw delete ${LINE}
done

This is unfortunate - not just because of the complicated awk, but also because deleting by line number requires a new test subshell under while after each deletion, rather than one for-loop, because the rule line numbers change.

If `ufw show added` could either allow an option for line numbers, or if you could delete a rule by naming the rule itself (i.e. prepend delete to that line-output of show added) then you'd have a feasible means of using sed/awk/grep to filter and update the rules in a scriptable fashion.

The reason I had to script this out with the grep/awk above is because I'm about to update several dozen machines in a very similar scenario - where virtual clones have been deployed in one training environment, and we redeployed in a slightly different one with different IP spaces.

Either way - built-in unix commands should support ways to compose what you want with pipes, and there should be a way to change the output just a bit on ufw to make this possible (for instance, get rid of the '[' ']' around line numbers for `ufw status numbered`).