Currently, enabling log on firewall rules sets the log level to "warning".
It would be good to have log level options when enabling log in firewall rules.
Example:
Firewall config:
set firewall name FW-ETH3-IN default-action 'accept'
set firewall name FW-ETH3-IN rule 10 action 'drop'
set firewall name FW-ETH3-IN rule 10 log 'enable'
set firewall name FW-ETH3-IN rule 10 source group network-group 'DENIED'
Rules generated in iptables:
vyos@vyos# sudo iptables -L | grep "FW-ETH3-IN"
Chain FW-ETH3-IN (1 references)
LOG        all  --  anywhere  anywhere  /* FW-ETH3-IN-10 */ match-set DENIED src LOG level warning prefix "[FW-ETH3-IN-10-D] "
DROP       all  --  anywhere  anywhere  /* FW-ETH3-IN-10 */ match-set DENIED src
RETURN     all  --  anywhere  anywhere  /* FW-ETH3-IN-20 */ match-set ACCEPT src
RETURN     all  --  anywhere  anywhere  /* FW-ETH3-IN-10000 default-action accept */

vyos@vyos# sudo iptables -S | grep "FW-ETH3-IN"
-N FW-ETH3-IN
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-10 -m set --match-set DENIED src -j LOG --log-prefix "[FW-ETH3-IN-10-D] "
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-10 -m set --match-set DENIED src -j DROP
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-20 -m set --match-set ACCEPT src -j RETURN
-A FW-ETH3-IN -m comment --comment "FW-ETH3-IN-10000 default-action accept" -j RETURN
It would be useful to be able to set the log level per rule, so that each LOG rule carries an explicit --log-level instead of inheriting the iptables default. Something similar to this:
vyos@vyos# set firewall name FW-ETH3-IN rule 10 log enable log-level[TAB]
Possible completions:
  <0-7>    Set security level for log entries. Default level is 4 (warning)
[edit]
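As an added illustration (not VyOS code), the snippet below renders the iptables LOG rule VyOS emits for a rule with log enabled, with an optional level standing in for the proposed log-level <0-7> node, and audits iptables -S output to report the effective syslog level of every LOG rule, treating a missing --log-level as the target's default of warning. The sample iptables -S text is constructed from the output above plus one made-up rule (30, ipset SCANNERS) carrying an explicit level.

```python
import shlex
from typing import Dict, Optional

# Syslog severities accepted by the iptables LOG target (--log-level 0..7);
# 4 (warning) is what the target uses when no level is given.
LOG_LEVELS = {0: "emerg", 1: "alert", 2: "crit", 3: "error",
              4: "warning", 5: "notice", 6: "info", 7: "debug"}
DEFAULT_LEVEL = 4

def render_log_rule(chain: str, rule: int, action: str, ipset: str,
                    level: Optional[int] = None) -> str:
    """Render the iptables LOG rule in the shape VyOS emits for 'log enable'.
    'level' stands in for the proposed 'log-level <0-7>' node (an assumption);
    None reproduces today's behaviour: no --log-level, hence warning."""
    if level is not None and level not in LOG_LEVELS:
        raise ValueError(f"log-level must be 0-7, got {level!r}")
    parts = [f"-A {chain}", f"-m comment --comment {chain}-{rule}",
             f"-m set --match-set {ipset} src", "-j LOG",
             f'--log-prefix "[{chain}-{rule}-{action[0].upper()}] "']
    if level is not None:
        parts.append(f"--log-level {LOG_LEVELS[level]}")
    return " ".join(parts)

def audit_log_levels(iptables_s: str) -> Dict[str, str]:
    """Map each LOG rule's comment (the VyOS rule id) to its effective syslog
    level, defaulting to 'warning' when --log-level is absent. Accepts the
    numeric form 'iptables -S' prints as well as level names."""
    result: Dict[str, str] = {}
    for line in iptables_s.splitlines():
        tok = shlex.split(line)
        if "-j" not in tok or tok[tok.index("-j") + 1:][:1] != ["LOG"]:
            continue
        comment = tok[tok.index("--comment") + 1] if "--comment" in tok else line
        level = LOG_LEVELS[DEFAULT_LEVEL]
        if "--log-level" in tok:
            raw = tok[tok.index("--log-level") + 1]
            level = LOG_LEVELS[int(raw)] if raw.isdigit() else raw
        result[comment] = level
    return result

# Constructed sample: the 'iptables -S' lines from the report plus rule 30,
# which sets an explicit level the way a future log-level option would.
SAMPLE_IPTABLES_S = """\
-N FW-ETH3-IN
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-10 -m set --match-set DENIED src -j LOG --log-prefix "[FW-ETH3-IN-10-D] "
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-10 -m set --match-set DENIED src -j DROP
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-20 -m set --match-set ACCEPT src -j RETURN
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-30 -m set --match-set SCANNERS src -j LOG --log-prefix "[FW-ETH3-IN-30-D] " --log-level 6
-A FW-ETH3-IN -m comment --comment "FW-ETH3-IN-10000 default-action accept" -j RETURN
"""

if __name__ == "__main__":
    print(render_log_rule("FW-ETH3-IN", 10, "drop", "DENIED", level=6))
    for rule_id, lvl in audit_log_levels(SAMPLE_IPTABLES_S).items():
        print(f"{rule_id}: {lvl}")
```

Running the audit against a live box (sudo iptables -S piped into audit_log_levels) shows at a glance which rules still log at the warning default.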