Firewall: Diagnostics: States Dump - refactor to MVC.

o improve filter, when an address or network is offered, match using ipaddress.ip_network().overlaps()
2026-03-14 00:24:40 +00:00 · 2021-06-21 14:38:15 +02:00 · 2021-06-21 14:38:15 +02:00 · 2e5bafbfa9
commit 2e5bafbfa9
parent a30e04e051
1 changed files with 19 additions and 0 deletions
--- a/src/opnsense/scripts/filter/list_states.py
+++ b/src/opnsense/scripts/filter/list_states.py
@ -33,6 +33,8 @@ import sys
 import os
 import ujson
 import argparse
+import ipaddress
+

 def fetch_rule_labels():
    result = dict()
@ -83,6 +85,11 @@ if __name__ == '__main__':
    parser.add_argument('--offset', help='offset results', default='')
    inputargs = parser.parse_args()

+    try:
+        filter_network = ipaddress.ip_network(inputargs.filter.strip())
+    except ValueError:
+        filter_network = None
+
    rule_labels = fetch_rule_labels()
    result = {'details': [], 'total_entries': 0}
    sp = subprocess.run(['/sbin/pfctl', '-vvs', 'state'], capture_output=True, text=True)
@ -114,6 +121,18 @@ if __name__ == '__main__':
            if inputargs.label != "" and record['label'].lower().find(inputargs.label) == -1:
                # label
                continue
+            elif filter_network is not None:
+                try:
+                    match = False
+                    for field in ['src_addr', 'dst_addr', 'nat_addr']:
+                        addr = ipaddress.ip_network(record[field])
+                        if field is not None and ipaddress.ip_network(filter_network).overlaps(addr):
+                            match = True
+                            break
+                    if not match:
+                        continue
+                except:
+                    continue
            elif inputargs.filter != "" and search_line.lower().find(inputargs.filter.lower()) == -1:
                # apply filter when provided
                continue