
Firewall - Set log levels
Closed, Resolved | Public | FEATURE REQUEST

Description

Currently, enabling log on firewall rules sets the log level to "warning".
It would be good to have log level options when enabling log on firewall rules.

Example:
Firewall config:

set firewall name FW-ETH3-IN default-action 'accept'
set firewall name FW-ETH3-IN rule 10 action 'drop'
set firewall name FW-ETH3-IN rule 10 log 'enable'
set firewall name FW-ETH3-IN rule 10 source group network-group 'DENIED'

Rules generated in iptables:

vyos@vyos# sudo iptables -L | grep "FW-ETH3-IN"
Chain FW-ETH3-IN (1 references)
LOG        all  --  anywhere             anywhere             /* FW-ETH3-IN-10 */ match-set DENIED src LOG level warning prefix "[FW-ETH3-IN-10-D] "
DROP       all  --  anywhere             anywhere             /* FW-ETH3-IN-10 */ match-set DENIED src
RETURN     all  --  anywhere             anywhere             /* FW-ETH3-IN-20 */ match-set ACCEPT src
RETURN     all  --  anywhere             anywhere             /* FW-ETH3-IN-10000 default-action accept */

vyos@vyos# sudo iptables -S | grep "FW-ETH3-IN"
-N FW-ETH3-IN
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-10 -m set --match-set DENIED src -j LOG --log-prefix "[FW-ETH3-IN-10-D] "
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-10 -m set --match-set DENIED src -j DROP
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-20 -m set --match-set ACCEPT src -j RETURN
-A FW-ETH3-IN -m comment --comment "FW-ETH3-IN-10000 default-action accept" -j RETURN

It would be useful to be able to set the log level to different levels. Something similar to this:

vyos@vyos# set firewall name FW-ETH3-IN rule 10 log enable log-level[TAB]
Possible completions:
  <0-7>	Set security level for log entries. Default level is 4 (warning)

[edit]
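The `iptables -S` listing above shows why the level is invisible in the generated rule: the LOG target carries no `--log-level`, so the kernel default (priority 4, which `iptables -L` renders as "level warning") applies. Before and after a per-rule log-level option exists, an operator wants a quick way to see which LOG rules in a chain are still at the default and which carry an explicit level. The following audit script is an added example, not VyOS code: it parses `iptables -S` output with `shlex` (the comment and prefix arguments are shell-quoted), normalises numeric or mnemonic `--log-level` values to 0-7, and reports the effective level per rule. The sample input is the listing from this page plus one constructed LOG rule for rule 20 with `--log-level info`, to show the mixed accept-at-info / drop-at-warning layout discussed in this task; that extra line is not from the original page.

```python
"""Audit the effective syslog level of iptables LOG rules.

Added example, not part of VyOS. Reads `iptables -S` style output and
reports, for every `-j LOG` rule, the level it will log at. A LOG rule
with no --log-level uses the kernel default, priority 4 (warning).
"""
import shlex

# Priorities accepted by `-j LOG --log-level`, numeric or mnemonic
# (mnemonics as listed in the iptables-extensions man page).
SYSLOG_LEVELS = {0: "emerg", 1: "alert", 2: "crit", 3: "error",
                 4: "warning", 5: "notice", 6: "info", 7: "debug"}
LEVEL_BY_NAME = {name: num for num, name in SYSLOG_LEVELS.items()}
DEFAULT_LOG_LEVEL = 4  # what the kernel uses when --log-level is absent

# Constructed sample: the page's `iptables -S` listing, plus an extra LOG
# rule for rule 20 with an explicit level (not from the original page).
SAMPLE_IPTABLES_S = """\
-N FW-ETH3-IN
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-10 -m set --match-set DENIED src -j LOG --log-prefix "[FW-ETH3-IN-10-D] "
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-10 -m set --match-set DENIED src -j DROP
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-20 -m set --match-set ACCEPT src -j LOG --log-prefix "[FW-ETH3-IN-20-A] " --log-level info
-A FW-ETH3-IN -m comment --comment FW-ETH3-IN-20 -m set --match-set ACCEPT src -j RETURN
-A FW-ETH3-IN -m comment --comment "FW-ETH3-IN-10000 default-action accept" -j RETURN
"""


def level_number(value):
    """Normalise a --log-level argument (e.g. "6" or "info") to an int 0-7."""
    if value.isdigit():
        num = int(value)
        if num not in SYSLOG_LEVELS:
            raise ValueError(f"log level out of range: {value}")
        return num
    try:
        return LEVEL_BY_NAME[value.lower()]
    except KeyError:
        raise ValueError(f"unknown log level: {value}") from None


def _option(tokens, name):
    """Return the argument following option `name`, or None if absent."""
    try:
        i = tokens.index(name)
    except ValueError:
        return None
    return tokens[i + 1] if i + 1 < len(tokens) else None


def parse_log_rules(iptables_s_output):
    """Return a list of dicts, one per `-A ... -j LOG` rule in the listing."""
    rules = []
    for line in iptables_s_output.splitlines():
        tokens = shlex.split(line)  # handles the quoted --comment / --log-prefix
        if len(tokens) < 2 or tokens[0] != "-A":
            continue  # skip -N chain definitions, -P policies, blank lines
        if _option(tokens, "-j") != "LOG":
            continue
        raw_level = _option(tokens, "--log-level")
        rules.append({
            "chain": tokens[1],
            "comment": _option(tokens, "--comment"),
            "prefix": _option(tokens, "--log-prefix"),
            "level": DEFAULT_LOG_LEVEL if raw_level is None else level_number(raw_level),
            "explicit": raw_level is not None,
        })
    return rules


def default_level_rules(rules):
    """LOG rules that rely on the kernel default rather than an explicit level."""
    return [r for r in rules if not r["explicit"]]


def describe(rule):
    """One-line human-readable summary of a parsed LOG rule."""
    origin = "explicit" if rule["explicit"] else "kernel default"
    return (f"{rule['chain']} {rule['comment']}: level {rule['level']} "
            f"({SYSLOG_LEVELS[rule['level']]}, {origin}) prefix {rule['prefix']!r}")


if __name__ == "__main__":
    parsed = parse_log_rules(SAMPLE_IPTABLES_S)
    for r in parsed:
        print(describe(r))
    print(f"{len(default_level_rules(parsed))} LOG rule(s) at the default level")
```

On a live router, replace the constructed sample with the output of `sudo iptables -S` (or `iptables-save`); rules that report "kernel default" are the ones whose level would change if a per-rule or global log-level option is later applied.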

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)

Event Timeline

As for me, it should be configured in the global firewall log level, not per rule.

set firewall log-level x

Maybe, but if the effort is made in order to be able to configure the log level, it would be good if it could be set to different levels.
I'm thinking of a mixed scenario, where the majority of rules may log at info/debug level (for example default accept rules), while other rules may need a warning/error level (some drop rules).

n.fort changed the task status from Open to In progress. May 11 2022, 1:42 PM
n.fort claimed this task.
n.fort changed the task status from In progress to Needs testing. Jun 10 2022, 3:11 PM