firewall: T5834: Add support for default log for route policy

One can now do `set policy route foo default-log` which will add log to the policy route chain.
author: Indrajit Raychaudhuri <irc@indrajit.com> 2023-12-26 19:19:10 -0600
committer: Indrajit Raychaudhuri <irc@indrajit.com> 2023-12-26 21:49:42 -0600
commit: 6278ce9b7cb2060c8226a60ccbdb580a0d8a3fb5 (patch)
tree: 152db1129e97c9ce15b291090dbdf1f71412aa33
parent: 7c40b70af9def9242b30d1fc949288d9da2bd027 (diff)
download: vyos-1x-6278ce9b7cb2060c8226a60ccbdb580a0d8a3fb5.tar.gz
vyos-1x-6278ce9b7cb2060c8226a60ccbdb580a0d8a3fb5.zip
2 files changed, 15 insertions, 2 deletions
diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2
index d77e3f6e9..9e28899b0 100644
--- a/data/templates/firewall/nftables-policy.j2
+++ b/data/templates/firewall/nftables-policy.j2
@@ -28,6 +28,9 @@ table ip vyos_mangle {
         {{ rule_conf | nft_rule('route', route_text, rule_id, 'ip') }}
 {%             endfor %}
 {%         endif %}
+{%         if conf.default_log is vyos_defined %}
+        counter log prefix "[ipv4-{{ (route_text)[:19] }}-default]"
+{%         endif %}
     }
 {%     endfor %}
 {% endif %}
@@ -57,6 +60,9 @@ table ip6 vyos_mangle {
         {{ rule_conf | nft_rule('route6', route_text, rule_id, 'ip6') }}
 {%             endfor %}
 {%         endif %}
+{%         if conf.default_log is vyos_defined %}
+        counter log prefix "[ipv6-{{ (route_text)[:19] }}-default]"
+{%         endif %}
     }
 {%     endfor %}
 {% endif %}
diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py
index 32e86ea7e..c0b7c1fe7 100755
--- a/smoketest/scripts/cli/test_policy_route.py
+++ b/smoketest/scripts/cli/test_policy_route.py
@@ -33,6 +33,9 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
     @classmethod
     def setUpClass(cls):
         super(TestPolicyRoute, cls).setUpClass()
+        # Clear out current configuration to allow running this test on a live system
+        cls.cli_delete(cls, ['policy', 'route'])
+        cls.cli_delete(cls, ['policy', 'route6'])
 
         cls.cli_set(cls, ['interfaces', 'ethernet', interface, 'address', interface_ip])
         cls.cli_set(cls, ['protocols', 'static', 'table', table_id, 'route', '0.0.0.0/0', 'interface', interface])
@@ -189,6 +192,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
 
 
     def test_pbr_matching_criteria(self):
+        self.cli_set(['policy', 'route', 'smoketest', 'default-log'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'udp'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'action', 'drop'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'mark', '2020'])
@@ -216,6 +220,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'mark', '!456-500'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '5', 'set', 'table', table_id])
 
+        self.cli_set(['policy', 'route6', 'smoketest6', 'default-log'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'protocol', 'udp'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'action', 'drop'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '2', 'protocol', 'tcp'])
@@ -255,7 +260,8 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
             ['tcp flags syn / syn,ack', 'meta mark 0x00000002-0x00000bb8', 'meta mark set ' + mark_hex],
             ['ct state new', 'tcp dport 22', 'ip saddr 198.51.100.0/24', 'ip ttl > 2', 'meta mark != 0x000001c8', 'meta mark set ' + mark_hex],
             ['log prefix "[ipv4-route-smoketest-4-A]"', 'icmp type echo-request', 'ip length { 128, 1024-2048 }', 'meta pkttype other', 'meta mark set ' + mark_hex],
-            ['ip dscp { 0x29, 0x39-0x3b }', 'meta mark != 0x000001c8-0x000001f4', 'meta mark set ' + mark_hex]
+            ['ip dscp { 0x29, 0x39-0x3b }', 'meta mark != 0x000001c8-0x000001f4', 'meta mark set ' + mark_hex],
+            ['log prefix "[ipv4-smoketest-default]"']
         ]
 
         self.verify_nftables(nftables_search, 'ip vyos_mangle')
@@ -267,7 +273,8 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
             ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex],
             ['ct state new', 'tcp dport 22', 'ip6 saddr 2001:db8::/64', 'ip6 hoplimit > 2', 'meta mark set ' + mark_hex],
             ['log prefix "[ipv6-route6-smoketest6-4-A]"', 'icmpv6 type echo-request', 'ip6 length != { 128, 1024-2048 }', 'meta pkttype multicast', 'meta mark set ' + mark_hex],
-            ['ip6 dscp != { 0x0e-0x13, 0x3d }', 'meta mark set ' + mark_hex]
+            ['ip6 dscp != { 0x0e-0x13, 0x3d }', 'meta mark set ' + mark_hex],
+            ['log prefix "[ipv6-smoketest6-default]"']
         ]
 
         self.verify_nftables(nftables6_search, 'ip6 vyos_mangle')
author	Indrajit Raychaudhuri <irc@indrajit.com>	2023-12-26 19:19:10 -0600
committer	Indrajit Raychaudhuri <irc@indrajit.com>	2023-12-26 21:49:42 -0600
commit	6278ce9b7cb2060c8226a60ccbdb580a0d8a3fb5 (patch)
tree	152db1129e97c9ce15b291090dbdf1f71412aa33
parent	7c40b70af9def9242b30d1fc949288d9da2bd027 (diff)
download	vyos-1x-6278ce9b7cb2060c8226a60ccbdb580a0d8a3fb5.tar.gz vyos-1x-6278ce9b7cb2060c8226a60ccbdb580a0d8a3fb5.zip