Maniphest T6636

Show log firewall not printing logs for default-actions for custom ruleset
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	n.fort
	Aug 5 2024, 5:42 PM

Tags

Referenced Files

None

Subscribers

Description

While defining a particular ipv4 or ipv6 ruleset, and enabling log for default-rule, op-mode command show log firewall ipvX name <name> doesn't print logs for default rule.

Step to reproduce:

# Create custom chain:
set firewall ipv4 name FOO default-action accept
set firewall ipv4 name FOO default-log
set firewall ipv4 input filter rule 1 action 'jump'
set firewall ipv4 input filter rule 1 jump-target 'FOO'

Check chain, op-mode command and logs with journalctl:

vyos@140:~$ sudo nft list chain ip vyos_filter NAME_FOO
table ip vyos_filter {
        chain NAME_FOO {
                counter packets 77 bytes 15395 log prefix "[ipv4-FOO-default-A]" accept comment "FOO default-action accept"
        }
}
vyos@140:~$ show log firewall ipv4 name FOO 
vyos@140:~$ sudo journalctl -b | grep -c "ipv4-FOO-default"
77
vyos@140:~$

Details

Version: 1.5-rolling-202408050022
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Related Objects

Mentioned In: 1.4.2
rVYOSONEXada962d9e458: Merge pull request #3982 from nicolas-fort/T6636
rVYOSONEX747363e3ecd3: T6636: firewall: fix firewall template in order to write logs for default…

Event Timeline

n.fort created this task.Aug 5 2024, 5:42 PM

pasik subscribed.Aug 5 2024, 5:42 PM

n.fort changed the task status from Open to Confirmed.Aug 5 2024, 5:42 PM

n.fort claimed this task.

n.fort added a project: VyOS Rolling.

Viacheslav triaged this task as Normal priority.Aug 6 2024, 10:01 AM

n.fort mentioned this in rVYOSONEX747363e3ecd3: T6636: firewall: fix firewall template in order to write logs for default….Aug 14 2024, 2:53 PM

Restricted Repository Identity mentioned this in rVYOSONEXada962d9e458: Merge pull request #3982 from nicolas-fort/T6636.Aug 15 2024, 10:14 AM

n.fort closed this task as Resolved.Aug 23 2024, 12:15 PM

dmbaturin added a project: VyOS 1.4 Sagitta (1.4.2).Apr 1 2025, 3:19 PM

dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.

dmbaturin mentioned this in 1.4.2.Apr 2 2025, 3:24 PM

dmbaturin edited projects, added VyOS 1.5 Circinus (1.5-stream-2025-Q2); removed VyOS 1.5 Circinus.Jul 9 2025, 10:50 AM