diff options
author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-10-07 20:48:13 +0200 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-10-09 22:15:21 +0200 |
commit | 9ab63d484741b513894f16e4925f164f0264789c (patch) | |
tree | 8d69bf3d2ffff17534d6d2226c6a105bfe4998bb | |
parent | bb4901773df9682b67081dda5baf0cb39c742d1e (diff) | |
download | vyos-1x-9ab63d484741b513894f16e4925f164f0264789c.tar.gz vyos-1x-9ab63d484741b513894f16e4925f164f0264789c.zip |
firewall: T3907: Fix firewall state-policy logging
When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling.
-rw-r--r-- | data/templates/firewall/nftables.j2 | 6 | ||||
-rw-r--r-- | interface-definitions/firewall.xml.in | 3 | ||||
-rw-r--r-- | python/vyos/template.py | 13 |
3 files changed, 15 insertions, 7 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 9d609f73f..a0f0b8c11 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -204,13 +204,13 @@ table ip6 vyos_filter { {% if state_policy is vyos_defined %} chain VYOS_STATE_POLICY6 { {% if state_policy.established is vyos_defined %} - {{ state_policy.established | nft_state_policy('established', ipv6=True) }} + {{ state_policy.established | nft_state_policy('established') }} {% endif %} {% if state_policy.invalid is vyos_defined %} - {{ state_policy.invalid | nft_state_policy('invalid', ipv6=True) }} + {{ state_policy.invalid | nft_state_policy('invalid') }} {% endif %} {% if state_policy.related is vyos_defined %} - {{ state_policy.related | nft_state_policy('related', ipv6=True) }} + {{ state_policy.related | nft_state_policy('related') }} {% endif %} return } diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index 773e86f00..673461036 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -711,6 +711,7 @@ </properties> <children> #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> #include <include/firewall/rule-log-level.xml.i> </children> </node> @@ -720,6 +721,7 @@ </properties> <children> #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> #include <include/firewall/rule-log-level.xml.i> </children> </node> @@ -729,6 +731,7 @@ </properties> <children> #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> #include <include/firewall/rule-log-level.xml.i> </children> </node> diff --git a/python/vyos/template.py b/python/vyos/template.py index 0870a0523..2a4135f9e 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -566,12 +566,17 @@ def nft_default_rule(fw_conf, fw_name, ipv6=False): return " ".join(output) @register_filter('nft_state_policy') -def nft_state_policy(conf, state, ipv6=False): +def nft_state_policy(conf, state): out = [f'ct state {state}'] - if 'log' in conf: - log_level = conf['log'] - out.append(f'log level {log_level}') + if 'log' in conf and 'enable' in conf['log']: + log_state = state[:3].upper() + log_action = (conf['action'] if 'action' in conf else 'accept')[:1].upper() + out.append(f'log prefix "[STATE-POLICY-{log_state}-{log_action}]"') + + if 'log_level' in conf: + log_level = conf['log_level'] + out.append(f'level {log_level}') out.append('counter') |