From 9ab63d484741b513894f16e4925f164f0264789c Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Fri, 7 Oct 2022 20:48:13 +0200
Subject: firewall: T3907: Fix firewall state-policy logging

When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling.
---
 data/templates/firewall/nftables.j2   |  6 +++---
 interface-definitions/firewall.xml.in |  3 +++
 python/vyos/template.py               | 13 +++++++++----
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 9d609f73f..a0f0b8c11 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -204,13 +204,13 @@ table ip6 vyos_filter {
 {% if state_policy is vyos_defined %}
     chain VYOS_STATE_POLICY6 {
 {%     if state_policy.established is vyos_defined %}
-        {{ state_policy.established | nft_state_policy('established', ipv6=True) }}
+        {{ state_policy.established | nft_state_policy('established') }}
 {%     endif %}
 {%     if state_policy.invalid is vyos_defined %}
-        {{ state_policy.invalid | nft_state_policy('invalid', ipv6=True) }}
+        {{ state_policy.invalid | nft_state_policy('invalid') }}
 {%     endif %}
 {%     if state_policy.related is vyos_defined %}
-        {{ state_policy.related | nft_state_policy('related', ipv6=True) }}
+        {{ state_policy.related | nft_state_policy('related') }}
 {%     endif %}
         return
     }
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 773e86f00..673461036 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -711,6 +711,7 @@
             </properties>
             <children>
               #include <include/firewall/action-accept-drop-reject.xml.i>
+              #include <include/firewall/log.xml.i>
               #include <include/firewall/rule-log-level.xml.i>
             </children>
           </node>
@@ -720,6 +721,7 @@
             </properties>
             <children>
               #include <include/firewall/action-accept-drop-reject.xml.i>
+              #include <include/firewall/log.xml.i>
               #include <include/firewall/rule-log-level.xml.i>
             </children>
           </node>
@@ -729,6 +731,7 @@
             </properties>
             <children>
               #include <include/firewall/action-accept-drop-reject.xml.i>
+              #include <include/firewall/log.xml.i>
               #include <include/firewall/rule-log-level.xml.i>
             </children>
           </node>
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 0870a0523..2a4135f9e 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -566,12 +566,17 @@ def nft_default_rule(fw_conf, fw_name, ipv6=False):
     return " ".join(output)
 
 @register_filter('nft_state_policy')
-def nft_state_policy(conf, state, ipv6=False):
+def nft_state_policy(conf, state):
     out = [f'ct state {state}']
 
-    if 'log' in conf:
-        log_level = conf['log']
-        out.append(f'log level {log_level}')
+    if 'log' in conf and 'enable' in conf['log']:
+        log_state = state[:3].upper()
+        log_action = (conf['action'] if 'action' in conf else 'accept')[:1].upper()
+        out.append(f'log prefix "[STATE-POLICY-{log_state}-{log_action}]"')
+
+        if 'log_level' in conf:
+            log_level = conf['log_level']
+            out.append(f'level {log_level}')
 
     out.append('counter')
 
-- 
cgit v1.2.3