add support for rule comments and LIMIT and REJECT actions

2025-07-13 01:20:24 +02:00 · 2021-04-21 16:55:14 -07:00
parent f638aca092
commit 74f623f8d6
5 changed files with 43 additions and 11 deletions
--- a/docs/parsers/ufw.md
+++ b/docs/parsers/ufw.md
@ -43,7 +43,8 @@ Schema:
          "from_transport":         string,     # null if from_service is set
          "from_start_port":        integer,    # null if from_service is set
          "from_end_port":          integer,    # null if from_service is set
-          "from_service":           string      # null if any above are set
+          "from_service":           string,     # null if any above are set
          "comment":                string      # null if no comment
        }
      ]
    }
@ -70,6 +71,7 @@ Examples:
          "to_service": null,
          "to_ip": "0.0.0.0",
          "to_ip_prefix": "0",
          "comment": null,
          "from_ip": "0.0.0.0",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -90,6 +92,7 @@ Examples:
          "to_service": null,
          "to_ip": "::",
          "to_ip_prefix": "0",
          "comment": null,
          "from_ip": "::",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -110,6 +113,7 @@ Examples:
          "to_end_port": null,
          "to_ip": "0.0.0.0",
          "to_ip_prefix": "0",
          "comment": null,
          "from_ip": "0.0.0.0",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -130,6 +134,7 @@ Examples:
          "to_start_port": 0,
          "to_end_port": 65535,
          "to_service": null,
          "comment": null,
          "from_ip": "::",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -150,6 +155,7 @@ Examples:
          "to_start_port": 0,
          "to_end_port": 65535,
          "to_service": null,
          "comment": null,
          "from_ip": "0.0.0.0",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -181,6 +187,7 @@ Examples:
          "to_service": null,
          "to_ip": "0.0.0.0",
          "to_ip_prefix": "0",
          "comment": null,
          "from_ip": "0.0.0.0",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -201,6 +208,7 @@ Examples:
          "to_service": null,
          "to_ip": "::",
          "to_ip_prefix": "0",
          "comment": null,
          "from_ip": "::",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -221,6 +229,7 @@ Examples:
          "to_end_port": null,
          "to_ip": "0.0.0.0",
          "to_ip_prefix": "0",
          "comment": null,
          "from_ip": "0.0.0.0",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -241,6 +250,7 @@ Examples:
          "to_start_port": "0",
          "to_end_port": "65535",
          "to_service": null,
          "comment": null,
          "from_ip": "::",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -261,6 +271,7 @@ Examples:
          "to_start_port": "0",
          "to_end_port": "65535",
          "to_service": null,
          "comment": null,
          "from_ip": "0.0.0.0",
          "from_ip_prefix": "0",
          "from_interface": "any",
--- a/jc/parsers/ufw.py
+++ b/jc/parsers/ufw.py
@ -40,7 +40,8 @@ Schema:
          "from_transport":         string,     # null if from_service is set
          "from_start_port":        integer,    # null if from_service is set
          "from_end_port":          integer,    # null if from_service is set
-          "from_service":           string      # null if any above are set
+          "from_service":           string,     # null if any above are set
          "comment":                string      # null if no comment
        }
      ]
    }
@ -67,6 +68,7 @@ Examples:
          "to_service": null,
          "to_ip": "0.0.0.0",
          "to_ip_prefix": "0",
          "comment": null,
          "from_ip": "0.0.0.0",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -87,6 +89,7 @@ Examples:
          "to_service": null,
          "to_ip": "::",
          "to_ip_prefix": "0",
          "comment": null,
          "from_ip": "::",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -107,6 +110,7 @@ Examples:
          "to_end_port": null,
          "to_ip": "0.0.0.0",
          "to_ip_prefix": "0",
          "comment": null,
          "from_ip": "0.0.0.0",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -127,6 +131,7 @@ Examples:
          "to_start_port": 0,
          "to_end_port": 65535,
          "to_service": null,
          "comment": null,
          "from_ip": "::",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -147,6 +152,7 @@ Examples:
          "to_start_port": 0,
          "to_end_port": 65535,
          "to_service": null,
          "comment": null,
          "from_ip": "0.0.0.0",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -178,6 +184,7 @@ Examples:
          "to_service": null,
          "to_ip": "0.0.0.0",
          "to_ip_prefix": "0",
          "comment": null,
          "from_ip": "0.0.0.0",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -198,6 +205,7 @@ Examples:
          "to_service": null,
          "to_ip": "::",
          "to_ip_prefix": "0",
          "comment": null,
          "from_ip": "::",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -218,6 +226,7 @@ Examples:
          "to_end_port": null,
          "to_ip": "0.0.0.0",
          "to_ip_prefix": "0",
          "comment": null,
          "from_ip": "0.0.0.0",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -238,6 +247,7 @@ Examples:
          "to_start_port": "0",
          "to_end_port": "65535",
          "to_service": null,
          "comment": null,
          "from_ip": "::",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -258,6 +268,7 @@ Examples:
          "to_start_port": "0",
          "to_end_port": "65535",
          "to_service": null,
          "comment": null,
          "from_ip": "0.0.0.0",
          "from_ip_prefix": "0",
          "from_interface": "any",
@ -329,6 +340,16 @@ def _parse_to_from(linedata, direction, rule_obj=None):
        else:
            rule_obj['index'] = None
    # pull out comments, if they exist
    if direction == 'from':
        RE_COMMENT = re.compile(r'#.+$')
        comment_match = re.search(RE_COMMENT, linedata)
        if comment_match:
            rule_obj['comment'] = comment_match.group(0).lstrip('#').strip()
            linedata = re.sub(RE_COMMENT, '', linedata)
        else:
            rule_obj['comment'] = None
    # pull (v6)
    RE_V6 = re.compile(r'\(v6\)')
    v6_match = re.search(RE_V6, linedata)
@ -481,7 +502,7 @@ def parse(data, raw=False, quiet=False):
                # Split on action. Left of Action is 'to', right of Action is 'from'
                rule_obj = {}
-                splitline = re.split(r'(ALLOW IN|ALLOW OUT|DENY IN|DENY OUT|ALLOW|DENY)', line)
+                splitline = re.split(r'(ALLOW IN|ALLOW OUT|ALLOW FWD|DENY IN|DENY OUT|DENY FWD|LIMIT IN|LIMIT OUT|LIMIT FWD|REJECT IN|REJECT OUT|REJECT FWD|ALLOW|DENY|LIMIT|REJECT)', line)
                to_line = splitline[0]
                action_line = splitline[1]
                action_list = action_line.split()
--- a/tests/fixtures/generic/ufw-numbered.json
+++ b/tests/fixtures/generic/ufw-numbered.json
--- a/tests/fixtures/generic/ufw.json
+++ b/tests/fixtures/generic/ufw.json
--- a/tests/fixtures/generic/ufw.out
+++ b/tests/fixtures/generic/ufw.out
@ -7,16 +7,16 @@ To                         Action      From
 --                         ------      ----
 22/tcp                     ALLOW IN    Anywhere
 22/tcp (v6)                ALLOW OUT    Anywhere (v6)
-443/tcp                    DENY    192.168.0.1
+443/tcp                    DENY    192.168.0.1       # nice comment
 443/udp                    DENY OUT    192.168.0.7 8080:8081
 22/tcp                     ALLOW   192.168.0.0/24
 22/udp                     ALLOW   192.168.0.0/24 8080:8081 on en0
-22/tcp (v6)                ALLOW IN    2405:204:7449:49fc:f09a:6f4a:bc93:1955/64 on en1
+22/tcp (v6)                ALLOW FWD    2405:204:7449:49fc:f09a:6f4a:bc93:1955/64 on en1 #commenting this rule
 80                         ALLOW IN    Anywhere
-8080 (v6)                  ALLOW IN    Anywhere (v6)
+8080 (v6)                  REJECT IN    Anywhere (v6)
-Apache Full                ALLOW IN    Anywhere
+Apache Full                ALLOW IN    Anywhere   # a comment
 Apache Full (v6)           ALLOW IN    Anywhere (v6)
 OpenSSH  (v6)              DENY IN        Anywhere (v6)
 10.10.10.10 8080 on enp34s0 ALLOW       127.0.0.1 8000
-50200:50300/tcp (v6)       ALLOW        Anywhere (v6)
+50200:50300/tcp (v6)       DENY FWD        Anywhere (v6)
-Anywhere (v6)              ALLOW IN      2405:204:7449:49fc:f09a:6f4a:bc93:1955
+Anywhere (v6)              LIMIT      2405:204:7449:49fc:f09a:6f4a:bc93:1955    # this is a comment