summaryrefslogtreecommitdiff
path: root/python/vyos/firewall.py
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2023-09-18 17:57:12 +0000
committerNicolas Fort <nicolasfort1988@gmail.com>2023-09-18 17:57:12 +0000
commit93cc0b65c2cb05d25eaf1f9291c0b5b27e2786b7 (patch)
tree72e7abc1c8247618907923dad22d24b579342646 /python/vyos/firewall.py
parentb6ae59354b5d69751cc7ea75e0aa4ac0070afa47 (diff)
downloadvyos-1x-93cc0b65c2cb05d25eaf1f9291c0b5b27e2786b7.tar.gz
vyos-1x-93cc0b65c2cb05d25eaf1f9291c0b5b27e2786b7.zip
T5590: firewall log rule: fix order which rule are processed. Log options should be added at the end of the rule, after all matchers and befora action. Also change 2 lines in policy_route smoketest, which suddenly wasn't working as expected
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r--python/vyos/firewall.py45
1 files changed, 22 insertions, 23 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 3305eb269..69ad11d1d 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -249,29 +249,6 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
- if 'log' in rule_conf and rule_conf['log'] == 'enable':
- action = rule_conf['action'] if 'action' in rule_conf else 'accept'
- #output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"')
- output.append(f'log prefix "[{family}-{hook}-{fw_name}-{rule_id}-{action[:1].upper()}]"')
- ##{family}-{hook}-{fw_name}-{rule_id}
- if 'log_options' in rule_conf:
-
- if 'level' in rule_conf['log_options']:
- log_level = rule_conf['log_options']['level']
- output.append(f'log level {log_level}')
-
- if 'group' in rule_conf['log_options']:
- log_group = rule_conf['log_options']['group']
- output.append(f'log group {log_group}')
-
- if 'queue_threshold' in rule_conf['log_options']:
- queue_threshold = rule_conf['log_options']['queue_threshold']
- output.append(f'queue-threshold {queue_threshold}')
-
- if 'snapshot_length' in rule_conf['log_options']:
- log_snaplen = rule_conf['log_options']['snapshot_length']
- output.append(f'snaplen {log_snaplen}')
-
if 'hop_limit' in rule_conf:
operators = {'eq': '==', 'gt': '>', 'lt': '<'}
for op, operator in operators.items():
@@ -393,6 +370,28 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
if 'priority' in rule_conf['vlan']:
output.append(f'vlan pcp {rule_conf["vlan"]["priority"]}')
+ if 'log' in rule_conf and rule_conf['log'] == 'enable':
+ action = rule_conf['action'] if 'action' in rule_conf else 'accept'
+ #output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"')
+ output.append(f'log prefix "[{family}-{hook}-{fw_name}-{rule_id}-{action[:1].upper()}]"')
+ ##{family}-{hook}-{fw_name}-{rule_id}
+ if 'log_options' in rule_conf:
+
+ if 'level' in rule_conf['log_options']:
+ log_level = rule_conf['log_options']['level']
+ output.append(f'log level {log_level}')
+
+ if 'group' in rule_conf['log_options']:
+ log_group = rule_conf['log_options']['group']
+ output.append(f'log group {log_group}')
+
+ if 'queue_threshold' in rule_conf['log_options']:
+ queue_threshold = rule_conf['log_options']['queue_threshold']
+ output.append(f'queue-threshold {queue_threshold}')
+
+ if 'snapshot_length' in rule_conf['log_options']:
+ log_snaplen = rule_conf['log_options']['snapshot_length']
+ output.append(f'snaplen {log_snaplen}')
output.append('counter')