A more self-explanatory output for iptables logs
Thursday, March 24, 2011 7:00:00 AM
Months ago I wrote a post about how to extract information from iptables logs and get a summary of the packets being blocked. These days I am playing with firewalls on Xen, and the physdev match module came into play. So, I needed a slightly better output that takes into account the physical (bridge port) device the packet was coming from. In short, each single report line had to look like this:
source address > inward physical interface > inward interface > destination address:port:protocol > outward interface > outward physical interface
In my case, I could actually leave the last two out, since we are talking about filtered packets that are not going anywhere, but if you are logging, e.g., forwarded packets, then you are interested in those two fields, as well.
To get this result, I had to change the one-liner from the original post slightly, this way:
perl -alne 'my %field ; foreach $token (@F) { next unless $token =~ /=/ ; my ($k,$v) = split(/=/,$token,2) ; $field{$k} = $v } ; print qq{ $field{SRC} > $field{PHYSIN} > $field{IN} > $field{DST}:$field{DPT}:$field{PROTO} > $field{OUT} > $field{PHYSOUT} }' ./selected.rule5.log | sort | uniq -c | sort -nr
Notice I am not using the "if" at the beginning of the one-liner, since the parsed file only contains the lines I am interested in. And the print has changed, of course.
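The same parse-and-count step, as an added example in Python that is not part of the original post: it keeps only the KEY=VALUE tokens of each kernel log line, builds the report line in the order given above, and counts identical lines the way the `sort | uniq -c | sort -nr` pipeline does. The sample log lines are constructed for this example (the interface and address values are made up), and a missing field (PHYSIN/PHYSOUT on a non-bridged path, DPT on an ICMP packet, an empty OUT=) is rendered as "-" rather than as an empty string, so the columns stay aligned and such packets still group together.

```python
from collections import Counter

# Constructed sample lines in the shape netfilter writes to the kernel log.
# Assumption: the post's selected.rule5.log holds lines like these.
SAMPLE_LOG = """\
Mar 24 06:59:01 xenhost kernel: [12345.678] rule5: IN=br0 PHYSIN=vif3.0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 24 06:59:02 xenhost kernel: [12346.001] rule5: IN=br0 PHYSIN=vif3.0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 24 06:59:03 xenhost kernel: [12347.002] rule5: IN=br0 PHYSIN=vif3.0 OUT=br1 PHYSOUT=vif7.0 SRC=10.0.0.5 DST=10.0.1.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=44 PROTO=ICMP TYPE=8 CODE=0 SEQ=1
Mar 24 06:59:04 xenhost kernel: [12348.010] rule5: IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=9 PROTO=UDP SPT=4444 DPT=53 LEN=20
"""


def parse_fields(line):
    """Split on whitespace and keep only KEY=VALUE tokens, like the Perl
    one-liner's split(/=/, $token, 2). Flag tokens such as DF or SYN carry
    no '=' and are skipped; a repeated key keeps the last value, as in Perl."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def report_line(fields):
    """Build 'src > physin > in > dst:dpt:proto > out > physout'.
    A field the kernel did not emit, or emitted empty (OUT=), becomes '-'."""
    def get(key):
        return fields.get(key) or "-"

    return " > ".join([
        get("SRC"), get("PHYSIN"), get("IN"),
        f"{get('DST')}:{get('DPT')}:{get('PROTO')}",
        get("OUT"), get("PHYSOUT"),
    ])


def summarize(log_text):
    """Equivalent of '| sort | uniq -c | sort -nr': a list of
    (report line, count) pairs, most frequent first."""
    counts = Counter(
        report_line(parse_fields(line))
        for line in log_text.splitlines()
        if line.strip()
    )
    return counts.most_common()


if __name__ == "__main__":
    for line, count in summarize(SAMPLE_LOG):
        print(f"{count:7d} {line}")
```

Running it on the constructed sample prints the two SSH attempts from vif3.0 on one line with count 2, the forwarded ICMP echo with both physical ports filled in, and the UDP packet from eth0 with "-" in the PHYSIN and PHYSOUT columns, which is exactly the case where the bridge-less path would otherwise leave blank columns in the Perl output.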