summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2022-10-07 20:48:13 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2022-10-09 22:15:21 +0200
commit9ab63d484741b513894f16e4925f164f0264789c (patch)
tree8d69bf3d2ffff17534d6d2226c6a105bfe4998bb
parentbb4901773df9682b67081dda5baf0cb39c742d1e (diff)
downloadvyos-1x-9ab63d484741b513894f16e4925f164f0264789c.tar.gz
vyos-1x-9ab63d484741b513894f16e4925f164f0264789c.zip
firewall: T3907: Fix firewall state-policy logging
When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling.
-rw-r--r--data/templates/firewall/nftables.j26
-rw-r--r--interface-definitions/firewall.xml.in3
-rw-r--r--python/vyos/template.py13
3 files changed, 15 insertions, 7 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 9d609f73f..a0f0b8c11 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -204,13 +204,13 @@ table ip6 vyos_filter {
{% if state_policy is vyos_defined %}
chain VYOS_STATE_POLICY6 {
{% if state_policy.established is vyos_defined %}
- {{ state_policy.established | nft_state_policy('established', ipv6=True) }}
+ {{ state_policy.established | nft_state_policy('established') }}
{% endif %}
{% if state_policy.invalid is vyos_defined %}
- {{ state_policy.invalid | nft_state_policy('invalid', ipv6=True) }}
+ {{ state_policy.invalid | nft_state_policy('invalid') }}
{% endif %}
{% if state_policy.related is vyos_defined %}
- {{ state_policy.related | nft_state_policy('related', ipv6=True) }}
+ {{ state_policy.related | nft_state_policy('related') }}
{% endif %}
return
}
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 773e86f00..673461036 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -711,6 +711,7 @@
</properties>
<children>
#include <include/firewall/action-accept-drop-reject.xml.i>
+ #include <include/firewall/log.xml.i>
#include <include/firewall/rule-log-level.xml.i>
</children>
</node>
@@ -720,6 +721,7 @@
</properties>
<children>
#include <include/firewall/action-accept-drop-reject.xml.i>
+ #include <include/firewall/log.xml.i>
#include <include/firewall/rule-log-level.xml.i>
</children>
</node>
@@ -729,6 +731,7 @@
</properties>
<children>
#include <include/firewall/action-accept-drop-reject.xml.i>
+ #include <include/firewall/log.xml.i>
#include <include/firewall/rule-log-level.xml.i>
</children>
</node>
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 0870a0523..2a4135f9e 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -566,12 +566,17 @@ def nft_default_rule(fw_conf, fw_name, ipv6=False):
return " ".join(output)
@register_filter('nft_state_policy')
-def nft_state_policy(conf, state, ipv6=False):
+def nft_state_policy(conf, state):
out = [f'ct state {state}']
- if 'log' in conf:
- log_level = conf['log']
- out.append(f'log level {log_level}')
+ if 'log' in conf and 'enable' in conf['log']:
+ log_state = state[:3].upper()
+ log_action = (conf['action'] if 'action' in conf else 'accept')[:1].upper()
+ out.append(f'log prefix "[STATE-POLICY-{log_state}-{log_action}]"')
+
+ if 'log_level' in conf:
+ log_level = conf['log_level']
+ out.append(f'level {log_level}')
out.append('counter')