Hello Bob, 

I just tested your script, very good!

Hi Bob,

Is this script compatible with R80.X?

I assume so since nothing pre-R80 is supported any longer.

@Jarvis_Lin , yes the scrit work with the R80.X versions

I've tested it on pre-R80.40 firewalls and it works. It should work the same on R80.40 (kernel 3.10), but I haven't tested it yet.

It definitely does not work for VSX right now. Adapting it for pre-R80.40 VSX should be trivial or a little past. Might try that soon.

R80.40 fundamentally changes how VSX works internally, so I don't know how much effort would be involved getting it working there (probably no more, but I haven't poked R80.40 VSX much yet).

Edited to add: Turns out R80.40 changes where various commands are in the filesystem. The shebang at the top needs to be changed from /bin/env (which works on kernel 2.6) to /usr/bin/env (which is where it is on kernel 3.10). Seems to work just fine otherwise. Preliminary VSX support involved adding 12 lines, and changing five.

Here's an updated version with VSX support. As it is in this post, it's suitable for R80.40. I don't have any R80.30 firewalls around, but on R80.20 and earlier, the first line would need to be changed from "#!/usr/bin/env bash" to "#!/bin/env bash". That should be the only change needed between firewall versions.

#!/usr/bin/env bash

printUsage()
{
	echo "Note: this script must be run as root."
	echo ""
	echo "Usage:"
	echo "$0 [-l|-x] [-v <VSID>] [-s IP] [-S port] [-d IP] [-D port] [-P protocol]"
	echo -e "\t-l\t\tOnly list matching connections. Do not prompt."
	echo -e "\t-x\t\tDelete matching connections without prompting."
	echo -e "\t\t\tDefault is to list matches and prompt for deletion."
	echo ""
	echo -e "\t-v VSID\t\tRun in a specific VSID."
	echo -e "\t\t\tDefault is to run in VS 0."
	echo ""
	echo -e "\t-s IP\t\tSearch for the specified source IP address."
	echo -e "\t-S port\t\tSearch for the specified source port."
	echo -e "\t-d IP\t\tSearch for the specified destination IP address."
	echo -e "\t-D port\t\tSearch for the specified destination port."
	echo -e "\t-P protocol\tSearch for the specified IP protocol."
	echo -e "\t-h\t\tPrint this usage information."
}

if [ $# -eq 0 ]; then
	printUsage
	exit 1
fi

if [ $EUID -ne 0 ]; then
	echo "ERROR: This script must be run as root." >&2
	echo ""
	printUsage
	exit 1
fi

OUTPUT="interactive"
VSID=0
SOURCE_ADDR="[0-9a-f]+"
SOURCE_PORT="[0-9a-f]+"
DEST_ADDR="[0-9a-f]+"
DEST_PORT="[0-9a-f]+"
PROTOCOL="[0-9a-f]+"

while getopts "lx:v:s:S:d:D:P:h" NUKE_OPTION; do
	case $NUKE_OPTION in
	l)
		OUTPUT="list"
		;;
	x)
		OUTPUT="delete"
		;;
	v)
		VSID="${OPTARG}"
		;;
	s)
		SOURCE_ADDR=$(printf '%02x' ${OPTARG//./ })
		;;
	S)
		SOURCE_PORT=$(printf '%08x' ${OPTARG//./ })
		;;
	d)
		DEST_ADDR=$(printf '%02x' ${OPTARG//./ })
		;;
	D)
		DEST_PORT=$(printf '%08x' ${OPTARG//./ })
		;;
	P)
		PROTOCOL=$(printf '%08x' ${OPTARG//./ })
		;;
	h)
		printUsage
		exit 0
		;;
	\?)
		echo "ERROR: Invalid option: -$OPTARG" >&2
		echo ""
		printUsage
		exit 1
		;;
	:)
		echo "ERROR: Option -$OPTARG requires an argument." >&2
		echo ""
		printUsage
		exit 1
		;;
	esac
done

if [ $(cpprod_util FwIsVSX) == "0" ]; then
	FW_TAB_CMD="fw tab"
else
	FW_TAB_CMD="fw -vs ${VSID} tab"
fi

CONNECTIONS=$(\
	$FW_TAB_CMD -t connections -u \
	| egrep "<[0-9a-f]+, $SOURCE_ADDR, $SOURCE_PORT, $DEST_ADDR, $DEST_PORT, $PROTOCOL;" \
	| sed -r 's#<([0-9a-f, ]+);.+#\1#' \
	| sed -r 's# ##g')

if [ "$OUTPUT" == "interactive" ]; then
	echo "Matches:"
	echo "$CONNECTIONS"

	echo ""
	read -p "Clear these connections? (yes/[no]) " YN
	case $YN in
	[Yy][Ee][Ss])
		echo "$CONNECTIONS" | xargs -n 1 $FW_TAB_CMD -t connections -x -e
		exit 0
		;;
	*)
		echo "Not deleting."
		exit 2
		;;
	esac
elif [ "$OUTPUT" == "list" ]; then
	echo "$CONNECTIONS"
elif [ "$OUTPUT" == "delete" ]; then
	echo "$CONNECTIONS" | xargs -n 1 $FW_TAB_CMD -t connections -x -e
fi

I made a mistake in the options string on both scripts. 'lx:v:s:S:d:D:P:h' should instead be 'lxv:s:S:d:D:P:h', with no colon after the x. The colon means it expects an argument. If one isn't provided, it will catch the "ERROR: Option -$OPTARG requires an argument." at the bottom.

I was able to edit the first script, but now the post editor isn't showing up at all, so I can't fix it in the second.

@Danny , I tried to adjust the script but I had problems on the page.

I've found the WYSIWYG editor to be the easiest way to add code blocks. First, you hit the horizontal row of three dots to expand the toolbar. Then on the second row, under the closing quote mark, there is a </> button. That lets you insert a code snippet. It opens a separate editor within the window just for the code.