| author | Jo-Philipp Wich | 2022-06-17 12:42:03 +0000 |
|---|---|---|
| committer | Stijn Tintel | 2022-06-17 14:58:21 +0000 |
| commit | 15c38317eff2bdef963cc3032512ce6cf191dadb (patch) | |
| tree | 2dc25fb5b1dd243eb2da020b4f96be00117aeca3 | |
| parent | d79911c7ad40645ab21eaadf09c281fe998e3769 (diff) | |
| download | firewall4-15c38317eff2bdef963cc3032512ce6cf191dadb.tar.gz | |
fw4: add support for `option log` in rule and redirect sections
Sections of type `rule` and type `redirect` may now specify
`option log value` to enable logging matched traffic for the
corresponding rule/redirect.
The value may be either a string, in which case it is used as log prefix
verbatim or a boolean value (`1`, `on`, `true`, `yes`, `0`, `off`, `false`
or `no`).
In case a boolean false value is specified (the default), no logging is
performed. In case a true boolean value is specified, matched traffic is
logged and the rule's name (or uci section id in case the name is absent)
is used as log prefix.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
| -rw-r--r-- | root/usr/share/firewall4/templates/redirect.uc | 2 | ||||
| -rw-r--r-- | root/usr/share/ucode/fw4.uc | 21 |
2 files changed, 22 insertions, 1 deletions
diff --git a/root/usr/share/firewall4/templates/redirect.uc b/root/usr/share/firewall4/templates/redirect.uc index 5b81f64..933fbd7 100644 --- a/root/usr/share/firewall4/templates/redirect.uc +++ b/root/usr/share/firewall4/templates/redirect.uc @@ -63,6 +63,8 @@ }} @{{ redirect.ipset.name }} {%+ endif -%} {%+ if (redirect.counter): -%} counter {%+ endif -%} +{%+ if (redirect.log): -%} + log prefix {{ fw4.quote(redirect.log, true) }} {%+ endif -%} {% if (redirect.target == "redirect"): -%} redirect{% if (redirect.rport): %} to {{ fw4.port(redirect.rport) }}{% endif %} {%- elif (redirect.target == "accept" || redirect.target == "masquerade"): -%} diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc index e6bd365..1b4764c 100644 --- a/root/usr/share/ucode/fw4.uc +++ b/root/usr/share/ucode/fw4.uc @@ -2244,6 +2244,7 @@ return { set_dscp: [ "dscp", null, NO_INVERT ], counter: [ "bool", "1" ], + log: [ "string" ], target: [ "target" ] }); @@ -2278,6 +2279,15 @@ return { return; } + switch (this.parse_bool(rule.log)) { + case true: + rule.log = rule.name; + break; + + case false: + delete rule.log; + } + let ipset; if (rule.ipset) { @@ -2550,6 +2560,7 @@ return { reflection_zone: [ "zone_ref", null, PARSE_LIST ], counter: [ "bool", "1" ], + log: [ "string" ], target: [ "target", "dnat" ] }); @@ -2568,6 +2579,15 @@ return { redir.target = "dnat"; } + switch (this.parse_bool(redir.log)) { + case true: + redir.log = redir.name; + break; + + case false: + delete redir.log; + } + let ipset; if (redir.ipset) { @@ -2656,7 +2676,6 @@ return { redir.dest.zone.dflags[redir.target] = true; } - let add_rule = (family, proto, saddrs, daddrs, raddrs, sport, dport, rport, ipset, redir) => { let r = { ...redir, |
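Review bot: The value rendered at `log prefix {{ fw4.quote(redirect.log, true) }}` has no length bound anywhere in this diff, whether it comes verbatim from `option log` or from the redirect's name. As far as I know nft rejects a log prefix of 128 bytes or more, and because the prefix is part of the generated ruleset, one over-long value could plausibly make the whole ruleset fail to load rather than only that rule. Checking the length in the parser where `redir.log` is set (and likewise `rule.log`), and warning or truncating there, would keep a configuration mistake from leaving the firewall unloaded. Escaping is delegated to `fw4.quote`, whose body is not part of this diff, so it is worth confirming that it handles embedded quotes and backslashes in user-supplied prefixes. The template continues outside the hunk.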
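Review bot: In the `case true:` arm of the switch added to the rule parser (`@@ -2278,6 +2279,15 @@`), `rule.log = rule.name;` uses the bare name as the prefix with no separator. The kernel writes the log prefix directly in front of the packet fields, so a rule named `foo` would log as `fooIN=…`, which is awkward to match or parse in log tooling; `rule.log = rule.name + ": ";` would keep entries delimited. The same applies to `redir.log = redir.name;` in the redirect hunk (`@@ -2568,6 +2579,15 @@`). Since the switch has no `default` arm, a comment such as `// any non-boolean string is kept verbatim as the log prefix` would make the fall-through intentional to the next reader. Both enclosing functions start and end outside the hunks.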