-rw-r--r--interface-definitions/firewall.xml.in8
-rw-r--r--interface-definitions/include/firewall/common-rule.xml.i1
-rw-r--r--interface-definitions/include/firewall/name-default-log.xml.i2
-rw-r--r--interface-definitions/include/firewall/rule-log-level.xml.i45
-rw-r--r--python/vyos/firewall.py7
-rw-r--r--python/vyos/template.py7
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py23
-rwxr-xr-xsrc/conf_mode/firewall.py5
8 files changed, 82 insertions, 16 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index d0218579c..3250794d3 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -117,7 +117,7 @@
<description>Domain address to match</description>
</valueHelp>
<constraint>
- <regex>[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}?(\/.*)?</regex>
+ <regex>[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,99}?(\/.*)?</regex>
</constraint>
<multi/>
</properties>
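Review bot: The lazy `?` after `{2,99}` on the new regex line is a no-op if the constraint is applied as an anchored full match, as these validators presumably are, and it reads like a typo carried over from the old pattern; `[a-z]{2,99}` expresses the same bound without inviting the question. The widened upper bound does not change what is accepted after the top-level label: `(\/.*)?` still admits any characters following a slash, and uppercase labels are still rejected, both of which pre-date this change.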
@@ -624,7 +624,7 @@
</properties>
<children>
#include <include/firewall/action-accept-drop-reject.xml.i>
- #include <include/firewall/log.xml.i>
+ #include <include/firewall/rule-log-level.xml.i>
</children>
</node>
<node name="invalid">
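Review bot: Replacing `log.xml.i` with `rule-log-level.xml.i` under the `established` node (and likewise in the two following hunks for `invalid` and `related`) removes the `log` leaf from `state-policy` with no migration script in the diffstat, so an existing configuration containing `state-policy established log enable` would presumably fail validation on load; if the removal is intended, a migration that rewrites or drops the old node is needed. The new leaf's help text also says `Log must be enable.`, yet there is no longer a `log` leaf at this level to enable, so the wording does not fit the state-policy context. Note too that the renderer for these nodes, `nft_state_policy` in the python/vyos/template.py hunk of this commit, reads `conf['log']`, while the leaf defined here is `log-level`, so one of the two names looks wrong.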
@@ -633,7 +633,7 @@
</properties>
<children>
#include <include/firewall/action-accept-drop-reject.xml.i>
- #include <include/firewall/log.xml.i>
+ #include <include/firewall/rule-log-level.xml.i>
</children>
</node>
<node name="related">
@@ -642,7 +642,7 @@
</properties>
<children>
#include <include/firewall/action-accept-drop-reject.xml.i>
- #include <include/firewall/log.xml.i>
+ #include <include/firewall/rule-log-level.xml.i>
</children>
</node>
</children>
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 2a5137dbf..079864122 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -95,6 +95,7 @@
</constraint>
</properties>
</leafNode>
+#include <include/firewall/rule-log-level.xml.i>
<node name="connection-status">
<properties>
<help>Connection status</help>
diff --git a/interface-definitions/include/firewall/name-default-log.xml.i b/interface-definitions/include/firewall/name-default-log.xml.i
index 979395146..1d0ff9497 100644
--- a/interface-definitions/include/firewall/name-default-log.xml.i
+++ b/interface-definitions/include/firewall/name-default-log.xml.i
@@ -5,4 +5,4 @@
<valueless/>
</properties>
</leafNode>
-<!-- include end -->
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/rule-log-level.xml.i b/interface-definitions/include/firewall/rule-log-level.xml.i
new file mode 100644
index 000000000..10c8de5e3
--- /dev/null
+++ b/interface-definitions/include/firewall/rule-log-level.xml.i
@@ -0,0 +1,45 @@
+<!-- include start from firewall/common-rule.xml.i -->
+<leafNode name="log-level">
+ <properties>
+ <help>Set log-level. Log must be enable.</help>
+ <completionHelp>
+ <list>emerg alert crit err warn notice info debug</list>
+ </completionHelp>
+ <valueHelp>
+ <format>emerg</format>
+ <description>Emerg log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>alert</format>
+ <description>Alert log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>crit</format>
+ <description>Critical log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>err</format>
+ <description>Error log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>warn</format>
+ <description>Warning log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>notice</format>
+ <description>Notice log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>info</format>
+ <description>Info log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>debug</format>
+ <description>Debug log level</description>
+ </valueHelp>
+ <constraint>
+ <regex>(emerg|alert|crit|err|warn|notice|info|debug)</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end --> \ No newline at end of file
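Review bot: The help text `Set log-level. Log must be enable.` is ungrammatical and should read `Set log level. Log must be enabled.`; the valueHelp description `Emerg log level` would likewise read better as `Emergency log level`. The include-start comment names only `firewall/common-rule.xml.i`, but this commit also includes the file from the state-policy nodes in interface-definitions/firewall.xml.in, so the comment is incomplete. Nothing in this include or in the conf_mode verify step touched by this commit enforces the "log must be enabled" precondition the help states, so a `log-level` set without `log enable` is accepted at the CLI and left for the renderer to cope with.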
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index b962c4f18..31fe8b5e3 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -217,7 +217,12 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if 'log' in rule_conf and rule_conf['log'] == 'enable':
action = rule_conf['action'] if 'action' in rule_conf else 'accept'
- output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}] "')
+ output.append(f'log prefix "[{fw_name[:19]}-{rule_id}-{action[:1].upper()}]"')
+
+ if 'log_level' in rule_conf:
+ log_level = rule_conf['log_level']
+ output.append(f'level {log_level}')
+
if 'hop_limit' in rule_conf:
operators = {'eq': '==', 'gt': '>', 'lt': '<'}
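Review bot: The new `if 'log_level' in rule_conf:` block appends `level {log_level}` regardless of whether the preceding `log` branch emitted a `log prefix ...` statement; the diff rendering has lost the indentation, so if this block sits at the same level as `if 'log' in rule_conf and rule_conf['log'] == 'enable':` rather than inside it, a rule with `log-level` but without `log enable` renders a bare `level debug` token that nft will reject and the whole ruleset load fails. Either nest it inside the log branch or guard it with `if 'log_level' in rule_conf and rule_conf.get('log') == 'enable':`, and add a matching `verify()` error in src/conf_mode/firewall.py so the misconfiguration is reported at commit time rather than by nft. Separately, dropping the trailing space from the prefix (here and in `nft_default_rule` in the python/vyos/template.py hunk) changes the emitted kernel log line, which presumably now runs the prefix straight into the packet fields; any downstream syslog or SIEM parser keyed on the old `] ` boundary would have to track that, and a comment such as `# Prefix is followed directly by the kernel's packet fields; keep log parsers in sync` would make the change read as deliberate. parse_rule starts and ends outside this hunk.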
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 132f5ddde..ee82f8f8f 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -554,7 +554,7 @@ def nft_default_rule(fw_conf, fw_name):
if 'enable_default_log' in fw_conf:
action_suffix = default_action[:1].upper()
- output.append(f'log prefix "[{fw_name[:19]}-default-{action_suffix}] "')
+ output.append(f'log prefix "[{fw_name[:19]}-default-{action_suffix}]"')
output.append(nft_action(default_action))
output.append(f'comment "{fw_name} default-action {default_action}"')
@@ -564,8 +564,9 @@ def nft_default_rule(fw_conf, fw_name):
def nft_state_policy(conf, state, ipv6=False):
out = [f'ct state {state}']
- if 'log' in conf and 'enable' in conf['log']:
- out.append('log')
+ if 'log' in conf:
+ log_level = conf['log']
+ out.append(f'log level {log_level}')
out.append('counter')
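Review bot: The new branch reads `conf['log']` and emits `log level {log_level}`, but the state-policy nodes in this same commit now carry a `log-level` leaf (mangled to `log_level`, the key parse_rule uses in the python/vyos/firewall.py hunk) and no longer a `log` leaf, so either this branch never fires or, if a legacy `log enable` value survives in the dict, it renders the invalid `log level enable`. The two lines should presumably be `if 'log_level' in conf:` / `out.append(f'log level {conf["log_level"]}')`, and a smoketest for state-policy logging would have caught the mismatch, since neither test in this commit exercises it. Note also that the old code emitted a plain `log` whenever logging was enabled, whereas the new code emits nothing unless a level is present, so any configuration that relied on the default level quietly loses its state-policy logging. nft_state_policy's body continues past the hunk.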
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 79d22e361..b1fd663d2 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -64,6 +64,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
for ips in example_org:
self.cli_set(hostmap_path + ['example.org', 'inet', ips])
+ self.cli_commit()
+
self.cli_set(['firewall', 'group', 'mac-group', 'smoketest_mac', 'mac-address', '00:01:02:03:04:05'])
self.cli_set(['firewall', 'group', 'network-group', 'smoketest_network', 'network', '172.16.99.0/24'])
self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '53'])
@@ -108,18 +110,24 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
def test_basic_rules(self):
self.cli_set(['firewall', 'name', 'smoketest', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'enable-default-log'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'accept'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'address', '172.16.20.10'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'log', 'enable'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'log-level', 'debug'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'reject'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'protocol', 'tcp'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'destination', 'port', '8888'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'log', 'enable'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'log-level', 'err'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'tcp', 'flags', 'syn'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'action', 'accept'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'protocol', 'tcp'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'destination', 'port', '22'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'limit', 'rate', '5/minute'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'log', 'disable'])
self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'name', 'smoketest'])
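Review bot: The added cases only ever set `log-level` together with `log enable` (rules 1 and 2), so the behaviour of `log-level` on its own — which the help text forbids but nothing in the commit rejects — is untested; a negative case that sets `rule 3 log-level warn` without `log enable` and asserts either a commit failure or the absence of a bare `level` token in the `nft list table ip filter` output would pin whichever behaviour is intended. The `log disable` added for rule 3 is a useful control, but its expectation in the next hunk only checks for `return`, not for the absence of `log`, so a regression that logs unconditionally would still pass; asserting `'log' not in` the matching line would close that gap. State-policy logging, whose renderer changed in the python/vyos/template.py hunk, has no coverage here either. test_basic_rules continues past the hunk.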
@@ -127,10 +135,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
nftables_search = [
['iifname "eth0"', 'jump NAME_smoketest'],
- ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'return'],
- ['tcp flags & (syn | ack) == syn', 'tcp dport { 8888 }', 'reject'],
+ ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" level debug','return'],
+ ['tcp flags & (syn | ack) == syn', 'tcp dport { 8888 }', 'log prefix "[smoketest-2-R]" level err', 'reject'],
['tcp dport { 22 }', 'limit rate 5/minute', 'return'],
- ['smoketest default-action', 'drop']
+ ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop']
]
nftables_output = cmd('sudo nft list table ip filter')
@@ -145,9 +153,14 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
def test_basic_rules_ipv6(self):
self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'enable-default-log'])
+
self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '1', 'action', 'accept'])
self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '1', 'source', 'address', '2002::1'])
self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '1', 'destination', 'address', '2002::1:1'])
+ self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '1', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '1', 'log-level', 'crit'])
+
self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '2', 'action', 'reject'])
self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '2', 'protocol', 'tcp_udp'])
self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'rule', '2', 'destination', 'port', '8888'])
@@ -158,9 +171,9 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
nftables_search = [
['iifname "eth0"', 'jump NAME6_v6-smoketest'],
- ['saddr 2002::1', 'daddr 2002::1:1', 'return'],
+ ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" level crit', 'return'],
['meta l4proto { tcp, udp }', 'th dport { 8888 }', 'reject'],
- ['smoketest default-action', 'drop']
+ ['smoketest default-action', 'log prefix "[v6-smoketest-default-D]"', 'drop']
]
nftables_output = cmd('sudo nft list table ip6 filter')
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 335098bf1..fbe0a3a13 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -423,8 +423,9 @@ def apply(firewall):
call('systemctl restart vyos-domain-group-resolve.service')
for group, group_config in firewall['group']['domain_group'].items():
domains = []
- for address in group_config['address']:
- domains.append(address)
+ if group_config.get('address') is not None:
+ for address in group_config.get('address'):
+ domains.append(address)
# Add elements to domain-group, try to resolve domain => ip
# and add elements to nft set
ip_dict = get_ips_domains_dict(domains)
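Review bot: The replacement loop calls `group_config.get('address')` twice and hand-appends each element into `domains`, which is initialised to an empty list one line above; the whole stretch from `domains = []` through the loop collapses to `domains = list(group_config.get('address', []))`, which covers the missing-key case the guard was added for without an extra branch. If the aim was specifically to tolerate a domain-group defined before any address is added, a one-line comment saying so, e.g. `# a domain-group may exist with no address yet`, would explain the guard to the next reader. apply() starts and ends outside this hunk.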