author | Nicolas Fort <nicolasfort1988@gmail.com> | 2022-05-11 16:41:21 +0000 |
committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2022-05-11 16:41:21 +0000 |
commit | 1ca645d1a499441abb74c549e7e1fbd03087097d (patch) | |
tree | 9057243e8ff6c3450b7b91496672732c117d3b57 /src | |
parent | 432fd1b5e7b5a1e5b8503bf0dcd106369e323dc7 (diff) | |
Firewall: T3907: add log-level options in firewall
Diffstat (limited to 'src')
-rwxr-xr-x | src/migration-scripts/firewall/6-to-7 | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7
index 5f4cff90d..1e698da0b 100755
--- a/src/migration-scripts/firewall/6-to-7
+++ b/src/migration-scripts/firewall/6-to-7
@@ -19,6 +19,11 @@
 # utc: nftables userspace uses localtime and calculates the UTC offset automatically
 # icmp/v6: migrate previously available `type-name` to valid type/code
 # T4178: Update tcp flags to use multi value node
+# T3907: Add log levels
+# `enable-default-log` --> `enable-default-log warn`
+# `rule X log enable` --> `rule X log warn`
+# `rule X log disable` --> No log config
+
 import re
@@ -100,6 +105,9 @@ icmpv6_translations = {
 if config.exists(base + ['name']):
     for name in config.list_nodes(base + ['name']):
+        if config.exists(base + ['name', name, 'enable-default-log']):
+            config.set(base + ['name', name, 'enable-default-log'], value='warn')
+
         if not config.exists(base + ['name', name, 'rule']):
             continue
@@ -108,6 +116,7 @@ if config.exists(base + ['name']):
             rule_time = base + ['name', name, 'rule', rule, 'time']
             rule_tcp_flags = base + ['name', name, 'rule', rule, 'tcp', 'flags']
             rule_icmp = base + ['name', name, 'rule', rule, 'icmp']
+            rule_log = base + ['name', name, 'rule', rule, 'log']
             if config.exists(rule_time + ['monthdays']):
                 config.delete(rule_time + ['monthdays'])
@@ -146,6 +155,13 @@ if config.exists(base + ['name']):
                     config.set(rule_icmp + ['type'], value=translate[0])
                     config.set(rule_icmp + ['code'], value=translate[1])
+            if config.exists(rule_log):
+                tmp = config.return_value(rule_log)
+                if tmp == 'disable':
+                    config.delete(rule_log)
+                else:
+                    config.set(rule_log, value='warn')
+
             for src_dst in ['destination', 'source']:
                 pg_base = base + ['name', name, 'rule', rule, src_dst, 'group', 'port-group']
                 proto_base = base + ['name', name, 'rule', rule, 'protocol']
@@ -153,6 +169,9 @@ if config.exists(base + ['name']):
                 config.set(proto_base, value='tcp_udp')
 if config.exists(base + ['ipv6-name']):
+    if config.exists(base + ['ipv6-name', name, 'enable-default-log']):
+        config.set(base + ['ipv6-name', name, 'enable-default-log'], value='warn')
+
     for name in config.list_nodes(base + ['ipv6-name']):
         if not config.exists(base + ['ipv6-name', name, 'rule']):
             continue
@@ -162,6 +181,7 @@ if config.exists(base + ['ipv6-name']):
             rule_time = base + ['ipv6-name', name, 'rule', rule, 'time']
             rule_tcp_flags = base + ['ipv6-name', name, 'rule', rule, 'tcp', 'flags']
             rule_icmp = base + ['ipv6-name', name, 'rule', rule, 'icmpv6']
+            rule_log = base + ['ipv6-name', name, 'rule', rule, 'log']
             if config.exists(rule_time + ['monthdays']):
                 config.delete(rule_time + ['monthdays'])
@@ -212,6 +232,13 @@ if config.exists(base + ['ipv6-name']):
                 else:
                     config.rename(rule_icmp + ['type'], 'type-name')
+            if config.exists(rule_log):
+                tmp = config.return_value(rule_log)
+                if tmp == 'disable':
+                    config.delete(rule_log)
+                else:
+                    config.set(rule_log, value='warn')
+
             for src_dst in ['destination', 'source']:
                 pg_base = base + ['ipv6-name', name, 'rule', rule, src_dst, 'group', 'port-group']
                 proto_base = base + ['ipv6-name', name, 'rule', rule, 'protocol']
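Review bot: In the `@@ -153,6 +169,9 @@` hunk the new `enable-default-log` check for `ipv6-name` is placed before `for name in config.list_nodes(base + ['ipv6-name'])`, so `name` is still bound to whatever IPv4 rule set the earlier loop ended on — or is not bound at all when no `firewall name` exists, in which case the script raises `NameError` and the whole migration aborts. When it does not crash, IPv6 rule sets never get their `enable-default-log` rewritten to `warn`, so default-policy logging on those chains is either silently lost or left as a valueless node for the new schema to reject (which of the two happens depends on the schema, not visible here). Move the two added lines inside the loop, one indent level deeper, mirroring the IPv4 hunk at `@@ -100,6 +105,9 @@`: `for name in config.list_nodes(base + ['ipv6-name']):` / `    if config.exists(base + ['ipv6-name', name, 'enable-default-log']):` / `        config.set(base + ['ipv6-name', name, 'enable-default-log'], value='warn')`. The enclosing `if config.exists(base + ['ipv6-name'])` block continues past the end of this hunk.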