base: add basic packet-information to output

superstes · superstes · commit 21f1b68c09bf · 2025-09-10T00:37:28.000+02:00
diff --git a/README.md b/README.md
@@ -31,20 +31,22 @@ ftf-cli --firewall-system 'linux_netfilter' \
         --src-ip 172.17.11.5 \
         --dst-ip 2.2.2.2
 
+> 🛈 SYSTEM: Processing packet: [172.17.11.5]:50000 =tcp=> [2.2.2.2]:443
 > 🛈 ROUTER: Packet inbound-interface: docker0
 > 🛈 ROUTER: Packet inbound-route: 172.17.0.0/16, scope link
-> 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain PREROUTING ip4 nat
+> 🛈 FIREWALL: Processing Chain: Table "nat" ip4 | Chain "PREROUTING" ip4 nat (1 rules)
 > 🛈 FIREWALL: > Chain PREROUTING | Rule 0 | Match => jump
-> 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER
+> 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER (2 rules)
 > 🛈 FIREWALL: > Chain DOCKER | Rule 0 | Match => return
 > 🛈 ROUTER: Packet outbound-interface: wan
-> 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope remote
-> 🛈 FIREWALL: Processing Chain: Table filter ip4 | Chain FORWARD ip4 filter
+> 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope global
+> 🛈 FIREWALL: Processing Chain: Table "filter" ip4 | Chain "FORWARD" ip4 filter (5 rules)
 > 🛈 FIREWALL: > Chain FORWARD | Rule 0 | Match => jump
-> 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-USER
+> 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-USER (1 rules)
 > 🛈 FIREWALL: > Chain DOCKER-USER | Rule 0 | Match => return
 > 🛈 FIREWALL: > Chain FORWARD | Rule 1 | Match => drop
-> ✖ FIREWALL: Packet blocked by rule: {'action': 'drop', 'seq': 1, 'raw': Rule: #101 "TEST DROP" | Matches: [proto_l3 == ip4 & ip_daddr == ['2.2.2.2/32']]}
+> ✖ FIREWALL: Packet blocked by rule: Seq 1, Action: drop, Rule: #101 "TEST IP4-DADDR DROP"
+>              > Matches: {'proto_l3': {'==': 'ip4'}, 'ip_daddr': {'==': ['2.2.2.2/32']}}
 ```
 
 ----
diff --git a/docs/source/plugins/firewall_opnsense.rst b/docs/source/plugins/firewall_opnsense.rst
@@ -66,6 +66,7 @@ Example
     > ⚠ FIREWALL PLUGIN: Unsupported rule: Chain interfaces, Rule 80
     > ⚠ FIREWALL PLUGIN: Unable to parse rule-address: "GEOIP_NEARBY"
     > ⚠ FIREWALL PLUGIN: Unsupported rule: Chain interfaces, Rule 85 (SVC_1 Proxies)
+    > 🛈 SYSTEM: Processing packet: [10.34.28.206]:50000 =tcp=> [1.1.1.1]:993
     > 🛈 ROUTER: Packet inbound-interface: lan (LAN)
     > 🛈 ROUTER: Packet inbound-route: 10.34.28.0/24, scope link
     > 🛈 FIREWALL: Processing Chain: Table "default" ip | Chain "dnat" ip nat (0 rules)
@@ -104,6 +105,7 @@ Example
     ftf-cli ... --src-ip 10.34.28.206 --dst-ip 1.10.16.4
 
     ...
+    > 🛈 SYSTEM: Processing packet: [10.34.28.206]:50000 =tcp=> [1.10.16.4]:443
     > 🛈 ROUTER: Packet inbound-interface: lan (LAN)
     > 🛈 ROUTER: Packet inbound-route: 10.34.28.0/24, scope link
     > 🛈 FIREWALL: Processing Chain: Table "default" ip | Chain "dnat" ip nat (0 rules)
@@ -124,6 +126,7 @@ Use the :code:`verbosity` flag to get more information about the rules and match
     ftf-cli ... --src-ip 10.34.28.206 --dst-ip 1.10.16.4 --verbosity 2
 
     ...
+    > 🛈 SYSTEM: Processing packet: [10.34.28.206]:50000 =tcp=> [1.10.16.4]:443
     > 🛈 ROUTER: Packet inbound-interface: lan (LAN)
     > 🛈 ROUTER: Packet inbound-route: 10.34.28.0/24, scope link
     > 🛈 FIREWALL: Processing Chain: Table "default" ip | Chain "dnat" ip nat (0 rules)
diff --git a/docs/source/usage/3_run.rst b/docs/source/usage/3_run.rst
@@ -78,6 +78,7 @@ Pass Example
             --src-ip 172.17.11.5 \
             --dst-ip 1.1.1.1
 
+    > 🛈 SYSTEM: Processing packet: [172.17.11.5]:50000 =tcp=> [1.1.1.1]:443
     > 🛈 ROUTER: Packet inbound-interface: docker0
     > 🛈 ROUTER: Packet inbound-route: 172.17.0.0/16, scope link
     > 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain PREROUTING ip4 nat
@@ -121,6 +122,7 @@ Block Example
 
     ftf-cli ... --src-ip 172.17.11.5 --dst-ip 2.2.2.2
 
+    > 🛈 SYSTEM: Processing packet: [172.17.11.5]:50000 =tcp=> [2.2.2.2]:443
     > 🛈 ROUTER: Packet inbound-interface: docker0
     > 🛈 ROUTER: Packet inbound-route: 172.17.0.0/16, scope link
     > 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain PREROUTING ip4 nat
@@ -148,6 +150,7 @@ You can get more detailed output by increasing the verbosity:
 
     ftf-cli ... --src-ip 172.17.11.5 --dst-ip 2.2.2.2 --verbosity 2
 
+    > 🛈 SYSTEM: Processing packet: [172.17.11.5]:50000 =tcp=> [2.2.2.2]:443
     > 🛈 ROUTER: Packet inbound-interface: docker0
     > 🛈 ROUTER: Packet inbound-route: 172.17.0.0/16, scope link
     > 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain PREROUTING ip4 nat
@@ -195,6 +198,7 @@ Depending on the system-specific configuration traffic can be dropped by non-fir
 
     ftf-cli ... --src-ip 172.17.11.5 --dst-ip 10.100.1.1
 
+    > 🛈 SYSTEM: Processing packet: [172.17.11.5]:50000 =tcp=> [10.100.1.1]:443
     > 🛈 ROUTER: Packet inbound-interface: docker0
     > 🛈 ROUTER: Packet inbound-route: 172.17.0.0/16, scope link
     > 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain PREROUTING ip4 nat
diff --git a/src/firewall_test/simulator/main.py b/src/firewall_test/simulator/main.py
@@ -28,6 +28,8 @@ def __init__(self, packet: PACKET_KINDS, simulator):
         self.dnat = None
         self.snat = None
 
+        log_info(label='System', v1=f'Processing packet: {packet}')
+
         ### CATEGORIZE TRAFFIC FLOW ###
 
         self.local_src, packet.ni_in = self._is_ip_local(packet.src)
diff --git a/src/firewall_test/simulator/packet.py b/src/firewall_test/simulator/packet.py
@@ -14,6 +14,12 @@ def dump(self) -> dict:
             'ni_out': self.ni_out,
         }
 
+    def __repr__(self) -> str:
+        if self.ni_in is not None and self.ni_out is not None:
+            return f'{self.ni_in} => {self.ni_out}'
+
+        return ''
+
 
 class PacketIP(Packet):
     def __init__(self, src: str, dst: str):
@@ -56,6 +62,15 @@ def dnat_str(self) -> str:
     def snat_str(self) -> str:
         return f'{self.pre_nat_src} => {self.src}'
 
+    def _repr_ni(self) -> str:
+        if self.ni_in is not None and self.ni_out is not None:
+            return f'{self.ni_in} => {self.ni_out} => '
+
+        return ''
+
+    def __repr__(self) -> str:
+        return f'{self.src} => {self._repr_ni()}{self.dst}'
+
 
 class PacketTCPUDP(PacketIP):
     def __init__(
@@ -101,6 +116,9 @@ def dump(self) -> dict:
     def dnat_str(self) -> str:
         return f'{self.pre_nat_dst}:{self.pre_nat_dst_port} => {self.dst}:{self.dport}'
 
+    def __repr__(self) -> str:
+        return f'[{self.src}]:{self.sport} ={self.proto_l4.N}=> {self._repr_ni()}[{self.dst}]:{self.dport}'
+
 
 class PacketICMP(PacketIP):
     CODE_ECHO_REPLY = 0
@@ -133,5 +151,8 @@ def dump(self) -> dict:
             'icmp_code': self.icmp_code,
         }
 
+    def __repr__(self) -> str:
+        return f'{self.src} ={self.proto_l4.N}-{self.icmp_code}=> {self._repr_ni()}{self.dst}'
+
 
 PACKET_KINDS = (PacketIP, PacketTCPUDP, PacketICMP)
