Skip to content

Commit

Permalink
T6636: firewall: fix firewall template in order to write logs for def…
Browse files Browse the repository at this point in the history 
…ault-action in order to match same structure as in rules. This way op-mode command for showing firewall log prints logs for default-actions too
  • Loading branch information
@nicolas-fort
nicolas-fort committed Aug 14, 2024
1 parent e229d74 commit 747363e
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 11 deletions.
6 changes: 3 additions & 3 deletions data/templates/firewall/nftables.j2
100644 → 100755
View file
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
{{ conf | nft_default_rule(name_text, 'ipv4') }}
{{ conf | nft_default_rule('NAM-' + name_text, 'ipv4') }}
}
{% endfor %}
{% endif %}
Expand Down Expand Up @@ -287,7 +287,7 @@ table ip6 vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
{{ conf | nft_default_rule(name_text, 'ipv6') }}
{{ conf | nft_default_rule('NAM-' + name_text, 'ipv6') }}
}
{% endfor %}
{% endif %}
Expand Down Expand Up @@ -416,7 +416,7 @@ table bridge vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
{{ conf | nft_default_rule(name_text, 'bri') }}
{{ conf | nft_default_rule('NAM-' + name_text, 'bri') }}
}
{% endfor %}
{% endif %}
Expand Down
14 changes: 6 additions & 8 deletions smoketest/scripts/cli/test_firewall.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -280,7 +280,7 @@ def test_ipv4_basic_rules(self):
['chain NAME_smoketest'],
['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[ipv4-NAM-smoketest-1-A]" log level debug', 'ip ttl 15', 'accept'],
['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[ipv4-NAM-smoketest-2-R]" log level err', 'ip ttl > 102', 'reject'],
['log prefix "[ipv4-smoketest-default-D]"','smoketest default-action', 'drop']
['log prefix "[ipv4-NAM-smoketest-default-D]"','smoketest default-action', 'drop']
]

self.verify_nftables(nftables_search, 'ip vyos_filter')
Expand Down Expand Up @@ -341,7 +341,7 @@ def test_ipv4_advanced(self):
[f'chain NAME_{name}'],
['ip length { 64, 512, 1024 }', 'ip dscp { 0x11, 0x34 }', f'log prefix "[ipv4-NAM-{name}-6-A]" log group 66 snaplen 6666 queue-threshold 32000', 'accept'],
['ip length 1-30000', 'ip length != 60000-65535', 'ip dscp 0x03-0x0b', 'ip dscp != 0x15-0x19', 'accept'],
[f'log prefix "[ipv4-{name}-default-D]"', 'drop']
[f'log prefix "[ipv4-NAM-{name}-default-D]"', 'drop']
]

self.verify_nftables(nftables_search, 'ip vyos_filter')
Expand Down Expand Up @@ -511,7 +511,7 @@ def test_ipv6_basic_rules(self):
['PRE-raw default-action accept', 'accept'],
[f'chain NAME6_{name}'],
['saddr 2002::1-2002::10', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'],
[f'"{name} default-action drop"', f'log prefix "[ipv6-{name}-default-D]"', 'drop'],
[f'"NAM-{name} default-action drop"', f'log prefix "[ipv6-NAM-{name}-default-D]"', 'drop'],
['jump VYOS_STATE_POLICY6'],
['chain VYOS_STATE_POLICY6'],
['ct state established', 'accept'],
Expand All @@ -522,9 +522,7 @@ def test_ipv6_basic_rules(self):
self.verify_nftables(nftables_search, 'ip6 vyos_filter')

def test_ipv6_advanced(self):
name = 'v6-smoketest-adv'
name2 = 'v6-smoketest-adv2'
interface = 'eth0'
name = 'v6-smoke-adv'

self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop'])
self.cli_set(['firewall', 'ipv6', 'name', name, 'default-log'])
Expand Down Expand Up @@ -559,7 +557,7 @@ def test_ipv6_advanced(self):
['ip6 saddr 2001:db8::/64', 'meta mark != 0x000019ff-0x00001e56', f'jump NAME6_{name}'],
[f'chain NAME6_{name}'],
['ip6 length { 65, 513, 1025 }', 'ip6 dscp { af21, 0x35 }', 'accept'],
[f'log prefix "[ipv6-{name}-default-D]"', 'drop']
[f'log prefix "[ipv6-NAM-{name}-default-D]"', 'drop']
]

self.verify_nftables(nftables_search, 'ip6 vyos_filter')
Expand Down Expand Up @@ -686,7 +684,7 @@ def test_ipv4_state_and_status_rules(self):
['ct state new', 'ct status dnat', 'accept'],
['ct state { established, new }', 'ct status snat', 'accept'],
['ct state related', 'ct helper { "ftp", "pptp" }', 'accept'],
['drop', f'comment "{name} default-action drop"']
['drop', f'comment "NAM-{name} default-action drop"']
]

self.verify_nftables(nftables_search, 'ip vyos_filter')
Expand Down

0 comments on commit 747363e

Please sign in to comment.