feat: fw --rule filter, fw help, updated wgctl help, shell banner

This commit is contained in:
Nuno Duque Nunes 2026-05-13 00:41:16 +00:00
parent a7fd62ce32
commit b1bca613de
2 changed files with 103 additions and 19 deletions


@ -7,11 +7,50 @@
function cmd::fw::on_load() { function cmd::fw::on_load() {
flag::register --peer flag::register --peer
flag::register --type flag::register --type
flag::register --rule
flag::register --no-nflog flag::register --no-nflog
flag::register --no-accept flag::register --no-accept
flag::register --no-drop flag::register --no-drop
} }
# ============================================
# Help
# ============================================
function cmd::fw::help() {
cat <<EOF
Usage: wgctl fw [subcommand] [options]
Inspect and manage firewall rules.
Subcommands:
list Show FORWARD chain rules (default)
nat Show NAT/PREROUTING rules
flush-nat Flush NAT rules for a subnet
count Show rule counts by type
Options for list:
--peer <name> Filter by peer name
--rule <rule> Filter by rule name (shows all peers with that rule)
--no-nflog Hide NFLOG rules
--no-accept Hide ACCEPT rules
--no-drop Hide DROP rules
Examples:
wgctl fw list
wgctl fw list --peer phone-nuno
wgctl fw list --rule guest
wgctl fw list --no-nflog
wgctl fw nat
wgctl fw count
wgctl fw flush-nat --subnet 10.1.103.0/24
EOF
}
# ============================================
# Run
# ============================================
function cmd::fw::run() { function cmd::fw::run() {
local subcmd="${1:-list}" local subcmd="${1:-list}"
@ -34,12 +73,13 @@ function cmd::fw::run() {
} }
function cmd::fw::list() { function cmd::fw::list() {
local peer="" type="" local peer="" type="" rule=""
local show_nflog=true show_accept=true show_drop=true local show_nflog=true show_accept=true show_drop=true
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case "$1" in case "$1" in
--peer) peer="$2"; shift 2 ;; --peer) peer="$2"; shift 2 ;;
--rule) rule="$2"; shift 2 ;;
--type) type="$2"; shift 2 ;; --type) type="$2"; shift 2 ;;
--no-nflog) show_nflog=false; shift ;; --no-nflog) show_nflog=false; shift ;;
--no-accept) show_accept=false; shift ;; --no-accept) show_accept=false; shift ;;
@ -48,6 +88,25 @@ function cmd::fw::list() {
esac esac
done done
# Rule filter — collect all IPs for peers with this rule
if [[ -n "$rule" ]]; then
log::section "Firewall Rules (FORWARD) — rule: ${rule}"
printf "\n"
local found=false
while IFS= read -r peer_name; do
local ip
ip=$(peers::get_ip "$peer_name")
[[ -z "$ip" ]] && continue
printf " \033[0;37m── %s (%s)\033[0m\n" "$peer_name" "$ip"
iptables -L FORWARD -n -v | grep -F "$ip" \
| cmd::fw::_print_filtered "$show_nflog" "$show_accept" "$show_drop" || true
found=true
done < <(peers::with_rule "$rule")
$found || log::wg_warning "No peers found with rule: ${rule}"
printf "\n"
return 0
fi
log::section "Firewall Rules (FORWARD)" log::section "Firewall Rules (FORWARD)"
printf "\n" printf "\n"
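Review bot: The per-peer filter `grep -F "$ip"` on the line after `printf " \033[0;37m── %s (%s)\033[0m\n"` is a substring match, so a peer at 10.1.103.1 will also pull in every FORWARD rule for 10.1.103.10, 10.1.103.100 and any other address that contains that string, and the `--rule` view then attributes other peers' ACCEPT/DROP rules to the wrong peer. For a tool meant to inspect firewall policy that mis-attribution is worth fixing; `grep -wF -- "$ip"` anchors the match on word boundaries (`.` is a non-word character, so 10.1.103.1 no longer matches 10.1.103.10) and `--` keeps an odd value from being parsed as an option. The unchanged default path presumably uses the same pattern, so it is worth checking there too. Peers that `peers::get_ip` returns no address for are skipped silently by the `continue` on the preceding line; a one-line warning such as `log::wg_warning "No IP for peer ${peer_name}, skipping"` would make an incomplete listing visible. cmd::fw::list continues past the end of this hunk.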

55
wgctl

@ -98,27 +98,52 @@ function wgctl::dispatch() {
function wgctl::help() { function wgctl::help() {
cat <<EOF cat <<EOF
$(log::section "wgctl — WireGuard Management" 2>/dev/null || printf "\n wgctl — WireGuard Management\n")
$(log::section "wgctl — WireGuard Management")
Usage: wgctl <command> [options] Usage: wgctl <command> [options]
Client Commands: Client Commands:
add, new, create Add a new client add, new Add a new client
remove, rm, del Remove a client remove, rm Remove a client
list, ls, show List all clients rename, mv Rename a client
list, ls List all clients
inspect Show detailed client info
config Show client config
qr Show QR code for a client qr Show QR code for a client
block, ban Block a client or add restrictions
unblock, unban Restore client access
Service Commands: Access Control:
start, up Start WireGuard block, ban Block a client entirely
stop, down Stop WireGuard unblock, unban Restore client access
restart, reload Restart WireGuard rule Manage firewall rules (list, show, add, assign...)
status, stat Show WireGuard status
logs, log Show WireGuard logs Organization:
enable Enable WireGuard on boot group Manage peer groups (list, show, block, watch...)
disable Disable WireGuard on boot
Monitoring:
watch Live monitor of WireGuard activity
logs Show activity and firewall logs
audit Verify firewall rules are correctly applied
fw Inspect firewall rules
Service:
service Manage WireGuard service (start/stop/restart/status)
restart Restart WireGuard
shell Start interactive wgctl shell
Development:
test Run the wgctl test suite
Common examples:
wgctl add --name nuno --type phone
wgctl add --name visitor --type guest --subtype phone --group family
wgctl list --blocked
wgctl list --group family
wgctl block --name phone-nuno
wgctl inspect --name phone-nuno
wgctl rule assign --name admin --peer laptop-nuno
wgctl group block --name family
wgctl logs --follow
wgctl audit
Run 'wgctl <command> --help' for command-specific help. Run 'wgctl <command> --help' for command-specific help.
EOF EOF
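Review bot: The new banner line `$(log::section "wgctl — WireGuard Management")` drops the `2>/dev/null || printf "\n wgctl — WireGuard Management\n"` fallback the old line carried, so if log::section writes its section header to stderr (as the old redirection suggests it might) or is unavailable in this context, the heading vanishes from `wgctl --help` output on stdout; I cannot see log::section from here, so this is worth confirming before removing the fallback. If the fallback is no longer needed, a short comment above the heredoc such as `# log::section prints to stdout here; no fallback needed` would record why it was removed. wgctl::help's closing brace lies outside the hunk.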