graphs.pl: Fixes graph failure when the DROP_HOSTILE directory is missing

Message ID 20240214103436.2878-1-adolf.belka@ipfire.org
State Accepted
Commit 2071b2964fed10cbcf62bd2d7da3b7e718f8a88f
Series graphs.pl: Fixes graph failure when the DROP_HOSTILE directory is missing |

Commit Message

Adolf Belka Feb. 14, 2024, 10:34 a.m. UTC
  - If a fresh install is done then only the DROP_HOSTILE_IN & DROP_HOSTILE_OUT
   rrd directories are created.
- With the DROP_HOSTILE directory missing, updating the fwhits graph causes an error
   message because the required files cannot be opened.
- This patch adds an if/else block to the fwhits graph code to deal with the two cases
   of DROP_HOSTILE being present or not, depending on the history and on whether a backup with
   logs has been restored from when DROP_HOSTILE was in use.
- Tested on vm testbed and created a historical line for the hostile data when it was not
   split
- There might be a simpler or better approach than this but it was the only option I
   could identify. I couldn't find anything about being able to use if loops within the
   RRD::Graph loop

Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/cfgroot/graphs.pl | 237 ++++++++++++++++++++++++++-------------
 1 file changed, 158 insertions(+), 79 deletions(-)
  

Comments

Michael Tremer Feb. 14, 2024, 12:59 p.m. UTC | #1
Hello Adolf,

The fix technically looks fine. It would have been more elegant to put the strings into a big array and then add only the ones that we need to avoid copying the large block.

However, this is fine for me to be merged.

-Michael

> On 14 Feb 2024, at 10:34, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> - If a fresh install is done then only the DROP_HOSTILE_IN & DROP_HOSTILE_OUT
>   rrd directories are created.
> - With the DROP_HOSTILE directory missing then when the fwhits graph is updated an error
>   message is caused by the inability to open the required files.
> - This patch adds an if/else loop into the fwhits graph code to deal with the two cases
>   of the DROP_HOSTILE being present or not depending on the history and if a backup with
>   logs has been restored from when DROP_HOSTILE was in use.
> - Tested on vm testbed and created a historical line for the hostile data when it was not
>   split
> - There might be a simpler or better approach than this but it was the only option I
>   could identify. I couldn't find anything about being able to use if loops within the
>   RRD::Graph loop
> 
> Tested-by: Adolf Belka <adolf.belka@ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> config/cfgroot/graphs.pl | 237 ++++++++++++++++++++++++++-------------
> 1 file changed, 158 insertions(+), 79 deletions(-)
> 
> diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
> index a23e49c98..96c6c26ea 100644
> --- a/config/cfgroot/graphs.pl
> +++ b/config/cfgroot/graphs.pl
> @@ -13,7 +13,7 @@
> # This program is distributed in the hope that it will be useful,             #
> # but WITHOUT ANY WARRANTY; without even the implied warranty of              #
> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
> -# GNU General Public License for more details.                                #
> +# GNU General Public License for more details.                                #update.sh
> #                                                                             #
> # You should have received a copy of the GNU General Public License           #
> # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
> @@ -676,84 +676,163 @@ sub updatevpnn2ngraph {
> 
> sub updatefwhitsgraph {
> my $period    = $_[0];
> - RRDs::graph(
> - @GRAPH_ARGS,
> - "-",
> - "--start",
> - "-1".$period,
> - "-r",
> - "-t ".$Lang::tr{'firewall hits per'}." ".$Lang::tr{$period."-graph"},
> - "-v ".$Lang::tr{'bytes per second'},
> - "--color=SHADEA".$color{"color19"},
> - "--color=SHADEB".$color{"color19"},
> - "--color=BACK".$color{"color21"},
> - "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
> - "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
> - "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
> - "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
> - "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
> - "DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE",
> - "DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
> - "DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
> - "DEF:hostilelegacy=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
> -
> - # This creates a new combined hostile segment.
> - # Previously we did not split into incoming/outgoing, but we cannot go back in time. This CDEF will take the values
> - # from the old RRD database unless those are UNKNOWN (i.e. we started collected IN/OUT). If the values are unknown,
> - # we replace them with them sum of IN + OUT.
> - "CDEF:hostile=hostilelegacy,UN,hostilein,hostileout,+,hostilelegacy,IF",
> -
> - "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
> - "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
> - "COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
> - "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
> - "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
> - "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (OUTPUT)"),
> - "GPRINT:output:MAX:%8.1lf %sBps",
> - "GPRINT:output:AVERAGE:%8.1lf %sBps",
> - "GPRINT:output:MIN:%8.1lf %sBps",
> - "GPRINT:output:LAST:%8.1lf %sBps\\j",
> - "STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (FORWARD)"),
> - "GPRINT:forward:MAX:%8.1lf %sBps",
> - "GPRINT:forward:AVERAGE:%8.1lf %sBps",
> - "GPRINT:forward:MIN:%8.1lf %sBps",
> - "GPRINT:forward:LAST:%8.1lf %sBps\\j",
> - "STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (INPUT)"),
> - "GPRINT:input:MAX:%8.1lf %sBps",
> - "GPRINT:input:AVERAGE:%8.1lf %sBps",
> - "GPRINT:input:MIN:%8.1lf %sBps",
> - "GPRINT:input:LAST:%8.1lf %sBps\\j",
> - "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSYN"),
> - "GPRINT:newnotsyn:MAX:%8.1lf %sBps",
> - "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
> - "GPRINT:newnotsyn:MIN:%8.1lf %sBps",
> - "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
> - "STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}),
> - "GPRINT:portscan:MAX:%8.1lf %sBps",
> - "GPRINT:portscan:AVERAGE:%8.1lf %sBps",
> - "GPRINT:portscan:MIN:%8.1lf %sBps",
> - "GPRINT:portscan:LAST:%8.1lf %sBps\\j",
> - "STACK:spoofedmartian".$color{"color12"}."A0:".sprintf("%-25s",$Lang::tr{'spoofed or martians'}),
> - "GPRINT:spoofedmartian:MAX:%8.1lf %sBps",
> - "GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
> - "GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
> - "GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j",
> - "STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}),
> - "GPRINT:hostilein:MAX:%8.1lf %sBps",
> - "GPRINT:hostilein:AVERAGE:%8.1lf %sBps",
> - "GPRINT:hostilein:MIN:%8.1lf %sBps",
> - "GPRINT:hostilein:LAST:%8.1lf %sBps\\j",
> - "STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}),
> - "GPRINT:hostileout:MAX:%8.1lf %sBps",
> - "GPRINT:hostileout:AVERAGE:%8.1lf %sBps",
> - "GPRINT:hostileout:MIN:%8.1lf %sBps",
> - "GPRINT:hostileout:LAST:%8.1lf %sBps\\j",
> - "LINE:hostile#000000A0:".sprintf("%-25s",$Lang::tr{'hostile networks total'}),
> - "GPRINT:hostile:MAX:%8.1lf %sBps",
> - "GPRINT:hostile:AVERAGE:%8.1lf %sBps",
> - "GPRINT:hostile:MIN:%8.1lf %sBps",
> - "GPRINT:hostile:LAST:%8.1lf %sBps\\j",
> - );
> + if ( -e "$mainsettings{'RRDLOG'}/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd" ) {
> + RRDs::graph(
> + @GRAPH_ARGS,
> + "-",
> + "--start",
> + "-1".$period,
> + "-r",
> + "-t ".$Lang::tr{'firewall hits per'}." ".$Lang::tr{$period."-graph"},
> + "-v ".$Lang::tr{'bytes per second'},
> + "--color=SHADEA".$color{"color19"},
> + "--color=SHADEB".$color{"color19"},
> + "--color=BACK".$color{"color21"},
> + "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
> + "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
> + "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
> + "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
> + "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
> + "DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE",
> + "DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
> + "DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
> + "DEF:hostilelegacy=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
> +
> + # This creates a new combined hostile segment.
> + # Previously we did not split into incoming/outgoing, but we cannot go back in time. This CDEF will take the values
> + # from the old RRD database if it exists and if those values are UNKNOWN (time period after Hostile was split into In and Out),
> + # we replace them with the sum of IN + OUT.
> + "CDEF:hostile=hostilelegacy,UN,hostilein,hostileout,+,hostilelegacy,IF",
> +
> + "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
> + "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
> + "COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
> + "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
> + "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
> + "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (OUTPUT)"),
> + "GPRINT:output:MAX:%8.1lf %sBps",
> + "GPRINT:output:AVERAGE:%8.1lf %sBps",
> + "GPRINT:output:MIN:%8.1lf %sBps",
> + "GPRINT:output:LAST:%8.1lf %sBps\\j",
> + "STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (FORWARD)"),
> + "GPRINT:forward:MAX:%8.1lf %sBps",
> + "GPRINT:forward:AVERAGE:%8.1lf %sBps",
> + "GPRINT:forward:MIN:%8.1lf %sBps",
> + "GPRINT:forward:LAST:%8.1lf %sBps\\j",
> + "STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (INPUT)"),
> + "GPRINT:input:MAX:%8.1lf %sBps",
> + "GPRINT:input:AVERAGE:%8.1lf %sBps",
> + "GPRINT:input:MIN:%8.1lf %sBps",
> + "GPRINT:input:LAST:%8.1lf %sBps\\j",
> + "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSYN"),
> + "GPRINT:newnotsyn:MAX:%8.1lf %sBps",
> + "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
> + "GPRINT:newnotsyn:MIN:%8.1lf %sBps",
> + "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
> + "STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}),
> + "GPRINT:portscan:MAX:%8.1lf %sBps",
> + "GPRINT:portscan:AVERAGE:%8.1lf %sBps",
> + "GPRINT:portscan:MIN:%8.1lf %sBps",
> + "GPRINT:portscan:LAST:%8.1lf %sBps\\j",
> + "STACK:spoofedmartian".$color{"color12"}."A0:".sprintf("%-25s",$Lang::tr{'spoofed or martians'}),
> + "GPRINT:spoofedmartian:MAX:%8.1lf %sBps",
> + "GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
> + "GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
> + "GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j",
> + "STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}),
> + "GPRINT:hostilein:MAX:%8.1lf %sBps",
> + "GPRINT:hostilein:AVERAGE:%8.1lf %sBps",
> + "GPRINT:hostilein:MIN:%8.1lf %sBps",
> + "GPRINT:hostilein:LAST:%8.1lf %sBps\\j",
> + "STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}),
> + "GPRINT:hostileout:MAX:%8.1lf %sBps",
> + "GPRINT:hostileout:AVERAGE:%8.1lf %sBps",
> + "GPRINT:hostileout:MIN:%8.1lf %sBps",
> + "GPRINT:hostileout:LAST:%8.1lf %sBps\\j",
> + "LINE:hostile#000000A0:".sprintf("%-25s",$Lang::tr{'hostile networks total'}),
> + "GPRINT:hostile:MAX:%8.1lf %sBps",
> + "GPRINT:hostile:AVERAGE:%8.1lf %sBps",
> + "GPRINT:hostile:MIN:%8.1lf %sBps",
> + "GPRINT:hostile:LAST:%8.1lf %sBps\\j",
> + );
> + }else{
> + RRDs::graph(
> + @GRAPH_ARGS,
> + "-",
> + "--start",
> + "-1".$period,
> + "-r",
> + "-t ".$Lang::tr{'firewall hits per'}." ".$Lang::tr{$period."-graph"},
> + "-v ".$Lang::tr{'bytes per second'},
> + "--color=SHADEA".$color{"color19"},
> + "--color=SHADEB".$color{"color19"},
> + "--color=BACK".$color{"color21"},
> + "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
> + "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
> + "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
> + "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
> + "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
> + "DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE",
> + "DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
> + "DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
> +
> + # This creates a new combined hostile segment.
> + # If we started collecting IN/OUT, ie the old single Hostile RRD database is not available then this CDEF will take the values
> + # from the sum of IN + OUT.
> + "CDEF:hostile=hostilein,hostileout,+",
> +
> + "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
> + "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
> + "COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
> + "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
> + "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
> + "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (OUTPUT)"),
> + "GPRINT:output:MAX:%8.1lf %sBps",
> + "GPRINT:output:AVERAGE:%8.1lf %sBps",
> + "GPRINT:output:MIN:%8.1lf %sBps",
> + "GPRINT:output:LAST:%8.1lf %sBps\\j",
> + "STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (FORWARD)"),
> + "GPRINT:forward:MAX:%8.1lf %sBps",
> + "GPRINT:forward:AVERAGE:%8.1lf %sBps",
> + "GPRINT:forward:MIN:%8.1lf %sBps",
> + "GPRINT:forward:LAST:%8.1lf %sBps\\j",
> + "STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (INPUT)"),
> + "GPRINT:input:MAX:%8.1lf %sBps",
> + "GPRINT:input:AVERAGE:%8.1lf %sBps",
> + "GPRINT:input:MIN:%8.1lf %sBps",
> + "GPRINT:input:LAST:%8.1lf %sBps\\j",
> + "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSYN"),
> + "GPRINT:newnotsyn:MAX:%8.1lf %sBps",
> + "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
> + "GPRINT:newnotsyn:MIN:%8.1lf %sBps",
> + "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
> + "STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}),
> + "GPRINT:portscan:MAX:%8.1lf %sBps",
> + "GPRINT:portscan:AVERAGE:%8.1lf %sBps",
> + "GPRINT:portscan:MIN:%8.1lf %sBps",
> + "GPRINT:portscan:LAST:%8.1lf %sBps\\j",
> + "STACK:spoofedmartian".$color{"color12"}."A0:".sprintf("%-25s",$Lang::tr{'spoofed or martians'}),
> + "GPRINT:spoofedmartian:MAX:%8.1lf %sBps",
> + "GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
> + "GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
> + "GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j",
> + "STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}),
> + "GPRINT:hostilein:MAX:%8.1lf %sBps",
> + "GPRINT:hostilein:AVERAGE:%8.1lf %sBps",
> + "GPRINT:hostilein:MIN:%8.1lf %sBps",
> + "GPRINT:hostilein:LAST:%8.1lf %sBps\\j",
> + "STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}),
> + "GPRINT:hostileout:MAX:%8.1lf %sBps",
> + "GPRINT:hostileout:AVERAGE:%8.1lf %sBps",
> + "GPRINT:hostileout:MIN:%8.1lf %sBps",
> + "GPRINT:hostileout:LAST:%8.1lf %sBps\\j",
> + "LINE:hostile#000000A0:".sprintf("%-25s",$Lang::tr{'hostile networks total'}),
> + "GPRINT:hostile:MAX:%8.1lf %sBps",
> + "GPRINT:hostile:AVERAGE:%8.1lf %sBps",
> + "GPRINT:hostile:MIN:%8.1lf %sBps",
> + "GPRINT:hostile:LAST:%8.1lf %sBps\\j",
> + );
> + }
> $ERROR = RRDs::error;
> return "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;
> }
> -- 
> 2.43.0
>
  
Adolf Belka Feb. 14, 2024, 1:24 p.m. UTC | #2
Hi Michael,

On 14/02/2024 13:59, Michael Tremer wrote:
> Hello Adolf,
> 
> The fix technically looks fine. It would have been more elegant to put the strings into a big array and then add only the ones that we need to avoid copying the large block.
I also thought there must be a more elegant way but I had no idea how to 
create it.
> 
> However, this is fine for me to be merged.
I can always look at doing a later code tidy up. I will have a look at 
how to use the array approach when it's a bit quieter.

Regards,
Adolf.
> 
> -Michael
> 
>> On 14 Feb 2024, at 10:34, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> - If a fresh install is done then only the DROP_HOSTILE_IN & DROP_HOSTILE_OUT
>>    rrd directories are created.
>> - With the DROP_HOSTILE directory missing then when the fwhits graph is updated an error
>>    message is caused by the inability to open the required files.
>> - This patch adds an if/else loop into the fwhits graph code to deal with the two cases
>>    of the DROP_HOSTILE being present or not depending on the history and if a backup with
>>    logs has been restored from when DROP_HOSTILE was in use.
>> - Tested on vm testbed and created a historical line for the hostile data when it was not
>>    split
>> - There might be a simpler or better approach than this but it was the only option I
>>    could identify. I couldn't find anything about being able to use if loops within the
>>    RRD::Graph loop
>>
>> Tested-by: Adolf Belka <adolf.belka@ipfire.org>
>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>> ---
>> config/cfgroot/graphs.pl | 237 ++++++++++++++++++++++++++-------------
>> 1 file changed, 158 insertions(+), 79 deletions(-)
>>
>> diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
>> index a23e49c98..96c6c26ea 100644
>> --- a/config/cfgroot/graphs.pl
>> +++ b/config/cfgroot/graphs.pl
>> @@ -13,7 +13,7 @@
>> # This program is distributed in the hope that it will be useful,             #
>> # but WITHOUT ANY WARRANTY; without even the implied warranty of              #
>> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
>> -# GNU General Public License for more details.                                #
>> +# GNU General Public License for more details.                                #update.sh
>> #                                                                             #
>> # You should have received a copy of the GNU General Public License           #
>> # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
>> @@ -676,84 +676,163 @@ sub updatevpnn2ngraph {
>>
>> sub updatefwhitsgraph {
>> my $period    = $_[0];
>> - RRDs::graph(
>> - @GRAPH_ARGS,
>> - "-",
>> - "--start",
>> - "-1".$period,
>> - "-r",
>> - "-t ".$Lang::tr{'firewall hits per'}." ".$Lang::tr{$period."-graph"},
>> - "-v ".$Lang::tr{'bytes per second'},
>> - "--color=SHADEA".$color{"color19"},
>> - "--color=SHADEB".$color{"color19"},
>> - "--color=BACK".$color{"color21"},
>> - "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
>> - "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
>> - "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
>> - "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
>> - "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
>> - "DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE",
>> - "DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
>> - "DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
>> - "DEF:hostilelegacy=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
>> -
>> - # This creates a new combined hostile segment.
>> - # Previously we did not split into incoming/outgoing, but we cannot go back in time. This CDEF will take the values
>> - # from the old RRD database unless those are UNKNOWN (i.e. we started collected IN/OUT). If the values are unknown,
>> - # we replace them with them sum of IN + OUT.
>> - "CDEF:hostile=hostilelegacy,UN,hostilein,hostileout,+,hostilelegacy,IF",
>> -
>> - "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
>> - "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
>> - "COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
>> - "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
>> - "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
>> - "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (OUTPUT)"),
>> - "GPRINT:output:MAX:%8.1lf %sBps",
>> - "GPRINT:output:AVERAGE:%8.1lf %sBps",
>> - "GPRINT:output:MIN:%8.1lf %sBps",
>> - "GPRINT:output:LAST:%8.1lf %sBps\\j",
>> - "STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (FORWARD)"),
>> - "GPRINT:forward:MAX:%8.1lf %sBps",
>> - "GPRINT:forward:AVERAGE:%8.1lf %sBps",
>> - "GPRINT:forward:MIN:%8.1lf %sBps",
>> - "GPRINT:forward:LAST:%8.1lf %sBps\\j",
>> - "STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (INPUT)"),
>> - "GPRINT:input:MAX:%8.1lf %sBps",
>> - "GPRINT:input:AVERAGE:%8.1lf %sBps",
>> - "GPRINT:input:MIN:%8.1lf %sBps",
>> - "GPRINT:input:LAST:%8.1lf %sBps\\j",
>> - "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSYN"),
>> - "GPRINT:newnotsyn:MAX:%8.1lf %sBps",
>> - "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
>> - "GPRINT:newnotsyn:MIN:%8.1lf %sBps",
>> - "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
>> - "STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}),
>> - "GPRINT:portscan:MAX:%8.1lf %sBps",
>> - "GPRINT:portscan:AVERAGE:%8.1lf %sBps",
>> - "GPRINT:portscan:MIN:%8.1lf %sBps",
>> - "GPRINT:portscan:LAST:%8.1lf %sBps\\j",
>> - "STACK:spoofedmartian".$color{"color12"}."A0:".sprintf("%-25s",$Lang::tr{'spoofed or martians'}),
>> - "GPRINT:spoofedmartian:MAX:%8.1lf %sBps",
>> - "GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
>> - "GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
>> - "GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j",
>> - "STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}),
>> - "GPRINT:hostilein:MAX:%8.1lf %sBps",
>> - "GPRINT:hostilein:AVERAGE:%8.1lf %sBps",
>> - "GPRINT:hostilein:MIN:%8.1lf %sBps",
>> - "GPRINT:hostilein:LAST:%8.1lf %sBps\\j",
>> - "STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}),
>> - "GPRINT:hostileout:MAX:%8.1lf %sBps",
>> - "GPRINT:hostileout:AVERAGE:%8.1lf %sBps",
>> - "GPRINT:hostileout:MIN:%8.1lf %sBps",
>> - "GPRINT:hostileout:LAST:%8.1lf %sBps\\j",
>> - "LINE:hostile#000000A0:".sprintf("%-25s",$Lang::tr{'hostile networks total'}),
>> - "GPRINT:hostile:MAX:%8.1lf %sBps",
>> - "GPRINT:hostile:AVERAGE:%8.1lf %sBps",
>> - "GPRINT:hostile:MIN:%8.1lf %sBps",
>> - "GPRINT:hostile:LAST:%8.1lf %sBps\\j",
>> - );
>> + if ( -e "$mainsettings{'RRDLOG'}/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd" ) {
>> + RRDs::graph(
>> + @GRAPH_ARGS,
>> + "-",
>> + "--start",
>> + "-1".$period,
>> + "-r",
>> + "-t ".$Lang::tr{'firewall hits per'}." ".$Lang::tr{$period."-graph"},
>> + "-v ".$Lang::tr{'bytes per second'},
>> + "--color=SHADEA".$color{"color19"},
>> + "--color=SHADEB".$color{"color19"},
>> + "--color=BACK".$color{"color21"},
>> + "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
>> + "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
>> + "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
>> + "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
>> + "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
>> + "DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE",
>> + "DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
>> + "DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
>> + "DEF:hostilelegacy=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
>> +
>> + # This creates a new combined hostile segment.
>> + # Previously we did not split into incoming/outgoing, but we cannot go back in time. This CDEF will take the values
>> + # from the old RRD database if it exists and if those values are UNKNOWN (time period after Hostile was split into In and Out),
>> + # we replace them with the sum of IN + OUT.
>> + "CDEF:hostile=hostilelegacy,UN,hostilein,hostileout,+,hostilelegacy,IF",
>> +
>> + "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
>> + "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
>> + "COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
>> + "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
>> + "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
>> + "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (OUTPUT)"),
>> + "GPRINT:output:MAX:%8.1lf %sBps",
>> + "GPRINT:output:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:output:MIN:%8.1lf %sBps",
>> + "GPRINT:output:LAST:%8.1lf %sBps\\j",
>> + "STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (FORWARD)"),
>> + "GPRINT:forward:MAX:%8.1lf %sBps",
>> + "GPRINT:forward:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:forward:MIN:%8.1lf %sBps",
>> + "GPRINT:forward:LAST:%8.1lf %sBps\\j",
>> + "STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (INPUT)"),
>> + "GPRINT:input:MAX:%8.1lf %sBps",
>> + "GPRINT:input:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:input:MIN:%8.1lf %sBps",
>> + "GPRINT:input:LAST:%8.1lf %sBps\\j",
>> + "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSYN"),
>> + "GPRINT:newnotsyn:MAX:%8.1lf %sBps",
>> + "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:newnotsyn:MIN:%8.1lf %sBps",
>> + "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
>> + "STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}),
>> + "GPRINT:portscan:MAX:%8.1lf %sBps",
>> + "GPRINT:portscan:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:portscan:MIN:%8.1lf %sBps",
>> + "GPRINT:portscan:LAST:%8.1lf %sBps\\j",
>> + "STACK:spoofedmartian".$color{"color12"}."A0:".sprintf("%-25s",$Lang::tr{'spoofed or martians'}),
>> + "GPRINT:spoofedmartian:MAX:%8.1lf %sBps",
>> + "GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
>> + "GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j",
>> + "STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}),
>> + "GPRINT:hostilein:MAX:%8.1lf %sBps",
>> + "GPRINT:hostilein:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:hostilein:MIN:%8.1lf %sBps",
>> + "GPRINT:hostilein:LAST:%8.1lf %sBps\\j",
>> + "STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}),
>> + "GPRINT:hostileout:MAX:%8.1lf %sBps",
>> + "GPRINT:hostileout:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:hostileout:MIN:%8.1lf %sBps",
>> + "GPRINT:hostileout:LAST:%8.1lf %sBps\\j",
>> + "LINE:hostile#000000A0:".sprintf("%-25s",$Lang::tr{'hostile networks total'}),
>> + "GPRINT:hostile:MAX:%8.1lf %sBps",
>> + "GPRINT:hostile:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:hostile:MIN:%8.1lf %sBps",
>> + "GPRINT:hostile:LAST:%8.1lf %sBps\\j",
>> + );
>> + }else{
>> + RRDs::graph(
>> + @GRAPH_ARGS,
>> + "-",
>> + "--start",
>> + "-1".$period,
>> + "-r",
>> + "-t ".$Lang::tr{'firewall hits per'}." ".$Lang::tr{$period."-graph"},
>> + "-v ".$Lang::tr{'bytes per second'},
>> + "--color=SHADEA".$color{"color19"},
>> + "--color=SHADEB".$color{"color19"},
>> + "--color=BACK".$color{"color21"},
>> + "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
>> + "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
>> + "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
>> + "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
>> + "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
>> + "DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE",
>> + "DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
>> + "DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
>> +
>> + # This creates a new combined hostile segment.
>> + # If we started collecting IN/OUT, ie the old single Hostile RRD database is not available then this CDEF will take the values
>> + # from the sum of IN + OUT.
>> + "CDEF:hostile=hostilein,hostileout,+",
>> +
>> + "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
>> + "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
>> + "COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
>> + "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
>> + "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
>> + "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (OUTPUT)"),
>> + "GPRINT:output:MAX:%8.1lf %sBps",
>> + "GPRINT:output:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:output:MIN:%8.1lf %sBps",
>> + "GPRINT:output:LAST:%8.1lf %sBps\\j",
>> + "STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (FORWARD)"),
>> + "GPRINT:forward:MAX:%8.1lf %sBps",
>> + "GPRINT:forward:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:forward:MIN:%8.1lf %sBps",
>> + "GPRINT:forward:LAST:%8.1lf %sBps\\j",
>> + "STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (INPUT)"),
>> + "GPRINT:input:MAX:%8.1lf %sBps",
>> + "GPRINT:input:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:input:MIN:%8.1lf %sBps",
>> + "GPRINT:input:LAST:%8.1lf %sBps\\j",
>> + "STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSYN"),
>> + "GPRINT:newnotsyn:MAX:%8.1lf %sBps",
>> + "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:newnotsyn:MIN:%8.1lf %sBps",
>> + "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
>> + "STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}),
>> + "GPRINT:portscan:MAX:%8.1lf %sBps",
>> + "GPRINT:portscan:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:portscan:MIN:%8.1lf %sBps",
>> + "GPRINT:portscan:LAST:%8.1lf %sBps\\j",
>> + "STACK:spoofedmartian".$color{"color12"}."A0:".sprintf("%-25s",$Lang::tr{'spoofed or martians'}),
>> + "GPRINT:spoofedmartian:MAX:%8.1lf %sBps",
>> + "GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
>> + "GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j",
>> + "STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}),
>> + "GPRINT:hostilein:MAX:%8.1lf %sBps",
>> + "GPRINT:hostilein:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:hostilein:MIN:%8.1lf %sBps",
>> + "GPRINT:hostilein:LAST:%8.1lf %sBps\\j",
>> + "STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}),
>> + "GPRINT:hostileout:MAX:%8.1lf %sBps",
>> + "GPRINT:hostileout:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:hostileout:MIN:%8.1lf %sBps",
>> + "GPRINT:hostileout:LAST:%8.1lf %sBps\\j",
>> + "LINE:hostile#000000A0:".sprintf("%-25s",$Lang::tr{'hostile networks total'}),
>> + "GPRINT:hostile:MAX:%8.1lf %sBps",
>> + "GPRINT:hostile:AVERAGE:%8.1lf %sBps",
>> + "GPRINT:hostile:MIN:%8.1lf %sBps",
>> + "GPRINT:hostile:LAST:%8.1lf %sBps\\j",
>> + );
>> + }
>> $ERROR = RRDs::error;
>> return "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;
>> }
>> -- 
>> 2.43.0
>>
>
  

Patch

diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
index a23e49c98..96c6c26ea 100644
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
@@ -13,7 +13,7 @@ 
 # This program is distributed in the hope that it will be useful,             #
 # but WITHOUT ANY WARRANTY; without even the implied warranty of              #
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
+# GNU General Public License for more details.                                #update.sh
 #                                                                             #
 # You should have received a copy of the GNU General Public License           #
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
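Review bot: The added line appends `update.sh` after the closing `#` of the GPL header line, which looks like a stray paste rather than an intended change. It is unrelated to the graph fix and breaks the boxed layout of the licence block. This hunk should be dropped from the patch so the header line keeps ending in its closing `#`.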
@@ -676,84 +676,163 @@  sub updatevpnn2ngraph {
 
 sub updatefwhitsgraph {
 	my $period    = $_[0];
-	RRDs::graph(
-		@GRAPH_ARGS,
-		"-",
-		"--start",
-		"-1".$period,
-		"-r",
-		"-t ".$Lang::tr{'firewall hits per'}." ".$Lang::tr{$period."-graph"},
-		"-v ".$Lang::tr{'bytes per second'},
-		"--color=SHADEA".$color{"color19"},
-		"--color=SHADEB".$color{"color19"},
-		"--color=BACK".$color{"color21"},
-		"DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
-		"DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
-		"DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
-		"DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
-		"DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
-		"DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE",
-		"DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
-		"DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
-		"DEF:hostilelegacy=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
-
-		# This creates a new combined hostile segment.
-		# Previously we did not split into incoming/outgoing, but we cannot go back in time. This CDEF will take the values
-		# from the old RRD database unless those are UNKNOWN (i.e. we started collected IN/OUT). If the values are unknown,
-		# we replace them with them sum of IN + OUT.
-		"CDEF:hostile=hostilelegacy,UN,hostilein,hostileout,+,hostilelegacy,IF",
-
-		"COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
-		"COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
-		"COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
-		"COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
-		"COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
-		"AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (OUTPUT)"),
-		"GPRINT:output:MAX:%8.1lf %sBps",
-		"GPRINT:output:AVERAGE:%8.1lf %sBps",
-		"GPRINT:output:MIN:%8.1lf %sBps",
-		"GPRINT:output:LAST:%8.1lf %sBps\\j",
-		"STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (FORWARD)"),
-		"GPRINT:forward:MAX:%8.1lf %sBps",
-		"GPRINT:forward:AVERAGE:%8.1lf %sBps",
-		"GPRINT:forward:MIN:%8.1lf %sBps",
-		"GPRINT:forward:LAST:%8.1lf %sBps\\j",
-		"STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (INPUT)"),
-		"GPRINT:input:MAX:%8.1lf %sBps",
-		"GPRINT:input:AVERAGE:%8.1lf %sBps",
-		"GPRINT:input:MIN:%8.1lf %sBps",
-		"GPRINT:input:LAST:%8.1lf %sBps\\j",
-		"STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSYN"),
-		"GPRINT:newnotsyn:MAX:%8.1lf %sBps",
-		"GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
-		"GPRINT:newnotsyn:MIN:%8.1lf %sBps",
-		"GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
-		"STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}),
-		"GPRINT:portscan:MAX:%8.1lf %sBps",
-		"GPRINT:portscan:AVERAGE:%8.1lf %sBps",
-		"GPRINT:portscan:MIN:%8.1lf %sBps",
-		"GPRINT:portscan:LAST:%8.1lf %sBps\\j",
-		"STACK:spoofedmartian".$color{"color12"}."A0:".sprintf("%-25s",$Lang::tr{'spoofed or martians'}),
-		"GPRINT:spoofedmartian:MAX:%8.1lf %sBps",
-		"GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
-		"GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
-		"GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j",
-		"STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}),
-		"GPRINT:hostilein:MAX:%8.1lf %sBps",
-		"GPRINT:hostilein:AVERAGE:%8.1lf %sBps",
-		"GPRINT:hostilein:MIN:%8.1lf %sBps",
-		"GPRINT:hostilein:LAST:%8.1lf %sBps\\j",
-		"STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}),
-		"GPRINT:hostileout:MAX:%8.1lf %sBps",
-		"GPRINT:hostileout:AVERAGE:%8.1lf %sBps",
-		"GPRINT:hostileout:MIN:%8.1lf %sBps",
-		"GPRINT:hostileout:LAST:%8.1lf %sBps\\j",
-		"LINE:hostile#000000A0:".sprintf("%-25s",$Lang::tr{'hostile networks total'}),
-		"GPRINT:hostile:MAX:%8.1lf %sBps",
-		"GPRINT:hostile:AVERAGE:%8.1lf %sBps",
-		"GPRINT:hostile:MIN:%8.1lf %sBps",
-		"GPRINT:hostile:LAST:%8.1lf %sBps\\j",
-		);
+	if ( -e "$mainsettings{'RRDLOG'}/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd" ) {
+		RRDs::graph(
+			@GRAPH_ARGS,
+			"-",
+			"--start",
+			"-1".$period,
+			"-r",
+			"-t ".$Lang::tr{'firewall hits per'}." ".$Lang::tr{$period."-graph"},
+			"-v ".$Lang::tr{'bytes per second'},
+			"--color=SHADEA".$color{"color19"},
+			"--color=SHADEB".$color{"color19"},
+			"--color=BACK".$color{"color21"},
+			"DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
+			"DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
+			"DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
+			"DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
+			"DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
+			"DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE",
+			"DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
+			"DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
+			"DEF:hostilelegacy=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
+
+			# This creates a new combined hostile segment.
+			# Previously we did not split into incoming/outgoing, but we cannot go back in time. This CDEF will take the values
+			# from the old RRD database if it exists and if those values are UNKNOWN (time period after Hostile was split into In and Out),
+			# we replace them with the sum of IN + OUT.
+			"CDEF:hostile=hostilelegacy,UN,hostilein,hostileout,+,hostilelegacy,IF",
+
+			"COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
+			"COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
+			"COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
+			"COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
+			"COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
+			"AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (OUTPUT)"),
+			"GPRINT:output:MAX:%8.1lf %sBps",
+			"GPRINT:output:AVERAGE:%8.1lf %sBps",
+			"GPRINT:output:MIN:%8.1lf %sBps",
+			"GPRINT:output:LAST:%8.1lf %sBps\\j",
+			"STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (FORWARD)"),
+			"GPRINT:forward:MAX:%8.1lf %sBps",
+			"GPRINT:forward:AVERAGE:%8.1lf %sBps",
+			"GPRINT:forward:MIN:%8.1lf %sBps",
+			"GPRINT:forward:LAST:%8.1lf %sBps\\j",
+			"STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (INPUT)"),
+			"GPRINT:input:MAX:%8.1lf %sBps",
+			"GPRINT:input:AVERAGE:%8.1lf %sBps",
+			"GPRINT:input:MIN:%8.1lf %sBps",
+			"GPRINT:input:LAST:%8.1lf %sBps\\j",
+			"STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSYN"),
+			"GPRINT:newnotsyn:MAX:%8.1lf %sBps",
+			"GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
+			"GPRINT:newnotsyn:MIN:%8.1lf %sBps",
+			"GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
+			"STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}),
+			"GPRINT:portscan:MAX:%8.1lf %sBps",
+			"GPRINT:portscan:AVERAGE:%8.1lf %sBps",
+			"GPRINT:portscan:MIN:%8.1lf %sBps",
+			"GPRINT:portscan:LAST:%8.1lf %sBps\\j",
+			"STACK:spoofedmartian".$color{"color12"}."A0:".sprintf("%-25s",$Lang::tr{'spoofed or martians'}),
+			"GPRINT:spoofedmartian:MAX:%8.1lf %sBps",
+			"GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
+			"GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
+			"GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j",
+			"STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}),
+			"GPRINT:hostilein:MAX:%8.1lf %sBps",
+			"GPRINT:hostilein:AVERAGE:%8.1lf %sBps",
+			"GPRINT:hostilein:MIN:%8.1lf %sBps",
+			"GPRINT:hostilein:LAST:%8.1lf %sBps\\j",
+			"STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}),
+			"GPRINT:hostileout:MAX:%8.1lf %sBps",
+			"GPRINT:hostileout:AVERAGE:%8.1lf %sBps",
+			"GPRINT:hostileout:MIN:%8.1lf %sBps",
+			"GPRINT:hostileout:LAST:%8.1lf %sBps\\j",
+			"LINE:hostile#000000A0:".sprintf("%-25s",$Lang::tr{'hostile networks total'}),
+			"GPRINT:hostile:MAX:%8.1lf %sBps",
+			"GPRINT:hostile:AVERAGE:%8.1lf %sBps",
+			"GPRINT:hostile:MIN:%8.1lf %sBps",
+			"GPRINT:hostile:LAST:%8.1lf %sBps\\j",
+			);
+	}else{
+		RRDs::graph(
+			@GRAPH_ARGS,
+			"-",
+			"--start",
+			"-1".$period,
+			"-r",
+			"-t ".$Lang::tr{'firewall hits per'}." ".$Lang::tr{$period."-graph"},
+			"-v ".$Lang::tr{'bytes per second'},
+			"--color=SHADEA".$color{"color19"},
+			"--color=SHADEB".$color{"color19"},
+			"--color=BACK".$color{"color21"},
+			"DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
+			"DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
+			"DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
+			"DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
+			"DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
+			"DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE",
+			"DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
+			"DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
+
+			# This creates a new combined hostile segment.
+			# If we started collecting IN/OUT, ie the old single Hostile RRD database is not available then this CDEF will take the values
+			# from the sum of IN + OUT.
+			"CDEF:hostile=hostilein,hostileout,+",
+
+			"COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
+			"COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
+			"COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
+			"COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
+			"COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
+			"AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (OUTPUT)"),
+			"GPRINT:output:MAX:%8.1lf %sBps",
+			"GPRINT:output:AVERAGE:%8.1lf %sBps",
+			"GPRINT:output:MIN:%8.1lf %sBps",
+			"GPRINT:output:LAST:%8.1lf %sBps\\j",
+			"STACK:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (FORWARD)"),
+			"GPRINT:forward:MAX:%8.1lf %sBps",
+			"GPRINT:forward:AVERAGE:%8.1lf %sBps",
+			"GPRINT:forward:MIN:%8.1lf %sBps",
+			"GPRINT:forward:LAST:%8.1lf %sBps\\j",
+			"STACK:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}." (INPUT)"),
+			"GPRINT:input:MAX:%8.1lf %sBps",
+			"GPRINT:input:AVERAGE:%8.1lf %sBps",
+			"GPRINT:input:MIN:%8.1lf %sBps",
+			"GPRINT:input:LAST:%8.1lf %sBps\\j",
+			"STACK:newnotsyn".$color{"color14"}."A0:".sprintf("%-25s","NewNotSYN"),
+			"GPRINT:newnotsyn:MAX:%8.1lf %sBps",
+			"GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
+			"GPRINT:newnotsyn:MIN:%8.1lf %sBps",
+			"GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
+			"STACK:portscan".$color{"color16"}."A0:".sprintf("%-25s",$Lang::tr{'portscans'}),
+			"GPRINT:portscan:MAX:%8.1lf %sBps",
+			"GPRINT:portscan:AVERAGE:%8.1lf %sBps",
+			"GPRINT:portscan:MIN:%8.1lf %sBps",
+			"GPRINT:portscan:LAST:%8.1lf %sBps\\j",
+			"STACK:spoofedmartian".$color{"color12"}."A0:".sprintf("%-25s",$Lang::tr{'spoofed or martians'}),
+			"GPRINT:spoofedmartian:MAX:%8.1lf %sBps",
+			"GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
+			"GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
+			"GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j",
+			"STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}),
+			"GPRINT:hostilein:MAX:%8.1lf %sBps",
+			"GPRINT:hostilein:AVERAGE:%8.1lf %sBps",
+			"GPRINT:hostilein:MIN:%8.1lf %sBps",
+			"GPRINT:hostilein:LAST:%8.1lf %sBps\\j",
+			"STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}),
+			"GPRINT:hostileout:MAX:%8.1lf %sBps",
+			"GPRINT:hostileout:AVERAGE:%8.1lf %sBps",
+			"GPRINT:hostileout:MIN:%8.1lf %sBps",
+			"GPRINT:hostileout:LAST:%8.1lf %sBps\\j",
+			"LINE:hostile#000000A0:".sprintf("%-25s",$Lang::tr{'hostile networks total'}),
+			"GPRINT:hostile:MAX:%8.1lf %sBps",
+			"GPRINT:hostile:AVERAGE:%8.1lf %sBps",
+			"GPRINT:hostile:MIN:%8.1lf %sBps",
+			"GPRINT:hostile:LAST:%8.1lf %sBps\\j",
+			);
+	}
 		$ERROR = RRDs::error;
 		return "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;
 }
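Review bot: The new `-e` test guards only the legacy HOSTILE_DROP file, while both branches still pass the HOSTILE_DROP_IN and HOSTILE_DROP_OUT DEFs unconditionally, so the same open failure would presumably return on a system where those two files have not been written yet (for example right after restoring an older backup). `-e` is also true for a directory or an unreadable file, so `-f` combined with `-r` is closer to what RRDs::graph needs. Holding the path in one variable keeps the test and the `DEF:hostilelegacy=` line from drifting apart: `my $legacy_rrd = $mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd";` followed by `if ( -f $legacy_rrd && -r _ ) {`. Since a failed render here hides firewall-drop statistics from the operator, a short comment above the test saying which install histories reach each branch would also help.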