IP packet filters attached to interfaces

From CT3

Jump to: navigation, search

The script displays inbound and outbound IP access lists attached to interfaces in a convenient tabular format.

Contents

Installation

  • Download the source file into flash:packetFilters.tcl.
  • Configure alias exec filters tclsh flash:packetFilters.tcl

Usage guidelines

Usage: filters [all] [verbose]

Command line parameters:

  • all: displays all interfaces. Without the all parameter, only the interfaces with inbound or outbound IP access lists are displayed.
  • verbose: displays the actual contents of each access-list.

Author

Ivan Pepelnjak, © 2007 NIL Data Communications

Sample printout

R2#filters
Interface Inbound Outbound
=========================================================
Serial1/0 101
Serial1/2 ICMP    101

R2#filters verbose

Serial1/0
====================
in: Extended IP access list 101
    10 permit ip any any (2012 matches)

Serial1/2
====================
in: Extended IP access list ICMP
    10 deny icmp any host 10.0.1.2 echo
    20 deny icmp any host 10.2.0.2 echo
    30 permit ip any any (637 matches)

out:Extended IP access list 101
    10 permit ip any any (2012 matches)

Source code

#
# Copyright (c) 2007 NIL Data Communications
# All rights reserved.
#
# by:       Ivan Pepelnjak, NIL Data Communications
# title:    Display packet filters applied to interfaces
# name:     packetFilters.tcl
# desc:     This script displays input and output IP packet filters applied to interfaces
#
# ios config:
#
#           * download the file into flash:packetFilters.tcl
#           * configure alias exec filters tclsh flash:packetFilters.tcl
#
#           invoke with filters
#

proc displayExec {result} {
  set first 0
  foreach line [split $result "\n"] {
    regsub {\s+$} $line "" line
    if {$line != "" || $first != 0} { puts $line; incr first; }
  }
}

proc printInterface {dataName} {
  upvar $dataName data
  global lineFormat
  global full
  global verbose
  if {! [array exists data]} { return }
  if {$data(INACL) == "" && $data(OUTACL) == "" && $full == 0 } { return; }
  if {$verbose == 0} {
    puts [format $lineFormat $data(IFNAME) $data(INACL) $data(OUTACL) ]; return; }
  puts ""
  puts $data(IFNAME)
  puts "===================="
  if {$data(INACL) != ""} {
    puts -nonewline "in: "; displayExec [exec "show ip access-list $data(INACL)"] }
  if {$data(OUTACL) != ""} {
    if {$data(INACL) != ""} { puts "" }
    puts -nonewline "out:"; displayExec [exec "show ip access-list $data(OUTACL)"] }
}

set verbose 0
set full    0

switch [lindex $argv 0] {
  all     { set full 1 }
  verbose { set verbose 1 }
  {}      { }
  default { puts {Syntax: tclsh packetFilters.tcl [all|verbose]}; return; }
}

set lineFormat "%-20s %15s %15s"
if { $verbose == 0 } {
  puts [format $lineFormat {Interface} {Inbound} {Outbound}]
  puts "========================================================="
} else { set full 0 }

set cmdtext [exec {show ip interface}]
foreach line [split $cmdtext "\n"] {
  if {[regexp -nocase {^(\S+)} $line ignore ifname]} {
    printInterface ifdata
    set ifdata(IFNAME) $ifname
    set ifdata(INACL)  ""
    set ifdata(OUTACL) ""
  } elseif {[regexp -nocase {Outgoing access list is (.*)} $line ignore acl]} {
    regsub {\s+$} $acl "" acl
    if { $acl == "not set" } { set acl "" }
    set ifdata(OUTACL) $acl
  } elseif {[regexp -nocase {Inbound  access list is (.*)} $line ignore acl]} {
    regsub {\s+$} $acl "" acl
    if { $acl == "not set" } { set acl "" }
    set ifdata(INACL) $acl
  }
}
if {[array exists ifdata]} { printInterface ifdata }
Personal tools

CT3

Main menu