author | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-09-18 17:57:12 +0000 |
---|---|---|
committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-09-18 17:57:12 +0000 |
commit | 93cc0b65c2cb05d25eaf1f9291c0b5b27e2786b7 (patch) | |
tree | 72e7abc1c8247618907923dad22d24b579342646 /python/vyos/firewall.py | |
parent | b6ae59354b5d69751cc7ea75e0aa4ac0070afa47 (diff) | |
download | vyos-1x-93cc0b65c2cb05d25eaf1f9291c0b5b27e2786b7.tar.gz vyos-1x-93cc0b65c2cb05d25eaf1f9291c0b5b27e2786b7.zip |
T5590: firewall log rule: fix the order in which rule parts are processed. Log options should be added at the end of the rule, after all matchers and before the action. Also change 2 lines in the policy_route smoketest, which suddenly weren't working as expected
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r-- | python/vyos/firewall.py | 45 |
1 files changed, 22 insertions, 23 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 3305eb269..69ad11d1d 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -249,29 +249,6 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
 output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
- if 'log' in rule_conf and rule_conf['log'] == 'enable':
- action = rule_conf['action'] if 'action' in rule_conf else 'accept'
- #output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"')
- output.append(f'log prefix "[{family}-{hook}-{fw_name}-{rule_id}-{action[:1].upper()}]"')
- ##{family}-{hook}-{fw_name}-{rule_id}
- if 'log_options' in rule_conf:
-
- if 'level' in rule_conf['log_options']:
- log_level = rule_conf['log_options']['level']
- output.append(f'log level {log_level}')
-
- if 'group' in rule_conf['log_options']:
- log_group = rule_conf['log_options']['group']
- output.append(f'log group {log_group}')
-
- if 'queue_threshold' in rule_conf['log_options']:
- queue_threshold = rule_conf['log_options']['queue_threshold']
- output.append(f'queue-threshold {queue_threshold}')
-
- if 'snapshot_length' in rule_conf['log_options']:
- log_snaplen = rule_conf['log_options']['snapshot_length']
- output.append(f'snaplen {log_snaplen}')
-
 if 'hop_limit' in rule_conf:
 operators = {'eq': '==', 'gt': '>', 'lt': '<'}
 for op, operator in operators.items():
@@ -393,6 +370,28 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
 if 'priority' in rule_conf['vlan']:
 output.append(f'vlan pcp {rule_conf["vlan"]["priority"]}')
+ if 'log' in rule_conf and rule_conf['log'] == 'enable':
+ action = rule_conf['action'] if 'action' in rule_conf else 'accept'
+ #output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"')
+ output.append(f'log prefix "[{family}-{hook}-{fw_name}-{rule_id}-{action[:1].upper()}]"')
+ ##{family}-{hook}-{fw_name}-{rule_id}
+ if 'log_options' in rule_conf:
+
+ if 'level' in rule_conf['log_options']:
+ log_level = rule_conf['log_options']['level']
+ output.append(f'log level {log_level}')
+
+ if 'group' in rule_conf['log_options']:
+ log_group = rule_conf['log_options']['group']
+ output.append(f'log group {log_group}')
+
+ if 'queue_threshold' in rule_conf['log_options']:
+ queue_threshold = rule_conf['log_options']['queue_threshold']
+ output.append(f'queue-threshold {queue_threshold}')
+
+ if 'snapshot_length' in rule_conf['log_options']:
+ log_snaplen = rule_conf['log_options']['snapshot_length']
+ output.append(f'snaplen {log_snaplen}')
 output.append('counter') |
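Review bot: The commented-out `#output.append(...)` line and the `##{family}-{hook}-{fw_name}-{rule_id}` note travel with the block into its new position at the top of the added lines; since this moved block is the version under review, dropping those two dead lines here would leave the log section clean. `action = rule_conf.get('action', 'accept')` reads better than the conditional expression, and binding `log_options = rule_conf['log_options']` once would remove the four repeated lookups below it. The log prefix interpolates `fw_name` unquoted into an nft statement and no longer truncates it the way the commented `fw_name[:19]` line once did; nftables bounds the prefix length, so it is worth confirming that the configuration schema already constrains the name's length and character set before the rule is emitted. If I recall correctly nft also rejects `log level` combined with `log group`, so the `level` and `group` branches may deserve a mutual-exclusion check at validation time. parse_rule starts and ends outside the hunk.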