| author | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-09-18 17:57:12 +0000 | 
|---|---|---|
| committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-09-18 17:57:12 +0000 | 
| commit | 93cc0b65c2cb05d25eaf1f9291c0b5b27e2786b7 (patch) | |
| tree | 72e7abc1c8247618907923dad22d24b579342646 | |
| parent | b6ae59354b5d69751cc7ea75e0aa4ac0070afa47 (diff) | |
| download | vyos-1x-93cc0b65c2cb05d25eaf1f9291c0b5b27e2786b7.tar.gz vyos-1x-93cc0b65c2cb05d25eaf1f9291c0b5b27e2786b7.zip | |
T5590: firewall log rule: fix the order in which rule statements are emitted. Log options should be added at the end of the rule, after all matchers and before the action. Also change 2 lines in the policy_route smoketest, which suddenly wasn't working as expected
| -rw-r--r-- | python/vyos/firewall.py | 45 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_policy_route.py | 4 | 
2 files changed, 24 insertions, 25 deletions
| diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 3305eb269..69ad11d1d 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -249,29 +249,6 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
                     output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
-    if 'log' in rule_conf and rule_conf['log'] == 'enable':
-        action = rule_conf['action'] if 'action' in rule_conf else 'accept'
-        #output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"')
-        output.append(f'log prefix "[{family}-{hook}-{fw_name}-{rule_id}-{action[:1].upper()}]"')
-                        ##{family}-{hook}-{fw_name}-{rule_id}
-        if 'log_options' in rule_conf:
-
-            if 'level' in rule_conf['log_options']:
-                log_level = rule_conf['log_options']['level']
-                output.append(f'log level {log_level}')
-
-            if 'group' in rule_conf['log_options']:
-                log_group = rule_conf['log_options']['group']
-                output.append(f'log group {log_group}')
-
-                if 'queue_threshold' in rule_conf['log_options']:
-                    queue_threshold = rule_conf['log_options']['queue_threshold']
-                    output.append(f'queue-threshold {queue_threshold}')
-
-                if 'snapshot_length' in rule_conf['log_options']:
-                    log_snaplen = rule_conf['log_options']['snapshot_length']
-                    output.append(f'snaplen {log_snaplen}')
-
     if 'hop_limit' in rule_conf:
         operators = {'eq': '==', 'gt': '>', 'lt': '<'}
         for op, operator in operators.items():
@@ -393,6 +370,28 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
         if 'priority' in rule_conf['vlan']:
             output.append(f'vlan pcp {rule_conf["vlan"]["priority"]}')
+    if 'log' in rule_conf and rule_conf['log'] == 'enable':
+        action = rule_conf['action'] if 'action' in rule_conf else 'accept'
+        #output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"')
+        output.append(f'log prefix "[{family}-{hook}-{fw_name}-{rule_id}-{action[:1].upper()}]"')
+                        ##{family}-{hook}-{fw_name}-{rule_id}
+        if 'log_options' in rule_conf:
+
+            if 'level' in rule_conf['log_options']:
+                log_level = rule_conf['log_options']['level']
+                output.append(f'log level {log_level}')
+
+            if 'group' in rule_conf['log_options']:
+                log_group = rule_conf['log_options']['group']
+                output.append(f'log group {log_group}')
+
+                if 'queue_threshold' in rule_conf['log_options']:
+                    queue_threshold = rule_conf['log_options']['queue_threshold']
+                    output.append(f'queue-threshold {queue_threshold}')
+
+                if 'snapshot_length' in rule_conf['log_options']:
+                    log_snaplen = rule_conf['log_options']['snapshot_length']
+                    output.append(f'snaplen {log_snaplen}')
     output.append('counter')
diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py
index 118b1d3a2..c7ddf873e 100755
--- a/smoketest/scripts/cli/test_policy_route.py
+++ b/smoketest/scripts/cli/test_policy_route.py
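Review bot: The new `log prefix "[{family}-{hook}-{fw_name}-{rule_id}-{action[:1].upper()}]"` is built with no length bound, while the commented-out line directly above it shows the earlier format truncated `fw_name[:19]`; to my knowledge nftables rejects a log prefix longer than 127 characters (NF_LOG_PREFIXLEN), so a long firewall name combined with this longer prefix format would likely make the whole ruleset fail to load at commit time — a firewall outage, not a cosmetic logging issue. Either validate the combined length in the verify stage or bound it here, e.g. `prefix = f'[{family}-{hook}-{fw_name}-{rule_id}-{action[:1].upper()}]'` followed by `output.append(f'log prefix "{prefix[:127]}"')  # nftables caps log prefix at 127 chars`. `family` is not one of parse_rule's parameters, so it is presumably assigned earlier in the function — worth confirming since the block was moved past a large stretch of code. The two commented-out lines (`#output.append(...)` and `##{family}-{hook}-{fw_name}-{rule_id}`) are dead code carried along with the move and could simply be dropped. parse_rule starts before this hunk and continues after it.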
@@ -250,7 +250,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
             ['meta l4proto udp', 'drop'],
             ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex],
             ['ct state new', 'tcp dport 22', 'ip saddr 198.51.100.0/24', 'ip ttl > 2', 'meta mark set ' + mark_hex],
-            ['meta l4proto icmp', 'log prefix "[ipv4-route-smoketest-4-A]"', 'icmp type echo-request', 'ip length { 128, 1024-2048 }', 'meta pkttype other', 'meta mark set ' + mark_hex],
+            ['log prefix "[ipv4-route-smoketest-4-A]"', 'icmp type echo-request', 'ip length { 128, 1024-2048 }', 'meta pkttype other', 'meta mark set ' + mark_hex],
             ['ip dscp { 0x29, 0x39-0x3b }', 'meta mark set ' + mark_hex]
         ]
@@ -262,7 +262,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
             ['meta l4proto udp', 'drop'],
             ['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex],
             ['ct state new', 'tcp dport 22', 'ip6 saddr 2001:db8::/64', 'ip6 hoplimit > 2', 'meta mark set ' + mark_hex],
-            ['meta l4proto ipv6-icmp', 'log prefix "[ipv6-route6-smoketest6-4-A]"', 'icmpv6 type echo-request', 'ip6 length != { 128, 1024-2048 }', 'meta pkttype multicast', 'meta mark set ' + mark_hex],
+            ['log prefix "[ipv6-route6-smoketest6-4-A]"', 'icmpv6 type echo-request', 'ip6 length != { 128, 1024-2048 }', 'meta pkttype multicast', 'meta mark set ' + mark_hex],
             ['ip6 dscp != { 0x0e-0x13, 0x3d }', 'meta mark set ' + mark_hex]
         ] |
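Review bot: Dropping `'meta l4proto icmp'` from the expected tokens leaves no explicit check that the rule is still restricted to ICMP, and the commit message calls the failure unexplained; the likely cause is that once `log` no longer sits between `meta l4proto icmp` and `icmp type echo-request`, nft's listing elides the now-redundant l4proto match (`icmp type` implies it), so the test change follows from the fix rather than masking a regression — a comment on the changed line, `# nft omits 'meta l4proto icmp' when 'icmp type' immediately follows it`, would record why. More importantly, the commit's whole purpose is statement order, yet nothing visible here asserts that `log prefix` now comes after the matchers (the helper that consumes this list is outside the hunk, and the list itself still places `log prefix` first); an ordering check on the rendered rule, something like `self.assertLess(rule.index('meta pkttype other'), rule.index('log prefix'))`, would pin the fix against regressing. The same applies to the ipv6 hunk below.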
