fw4: add support for `option log` in rule and redirect sections

Sections of type `rule` and type `redirect` may now specify
`option log value` to enable logging matched traffic for the
corresponding rule/redirect.

The value may be either a string, in which case it is used as log prefix
verbatim or a boolean value (`1`, `on`, `true`, `yes`, `0`, `off`, `false`
or `no`).

In case a boolean false value is specified (the default), no logging is
performed. In case a true boolean value is specified, matched traffic is
logged and the rule's name (or uci section id i ncase the name is absent)
is used as log prefix.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>

diff --git a/root/usr/share/firewall4/templates/redirect.uc b/root/usr/share/firewall4/templates/redirect.uc
index 5b81f64bab240e0bfd8e9e809de06285d0b3a1cc..933fbd72276d1713b1aab253f581de4db0282a01 100644 (file)
--- a/root/usr/share/firewall4/templates/redirect.uc
+++ b/root/usr/share/firewall4/templates/redirect.uc
@@ -63,6 +63,8 @@
        }} @{{ redirect.ipset.name }} {%+ endif -%}
 {%+ if (redirect.counter): -%}
        counter {%+ endif -%}
+{%+ if (redirect.log): -%}
+       log prefix {{ fw4.quote(redirect.log, true) }} {%+ endif -%}
 {% if (redirect.target == "redirect"): -%}
        redirect{% if (redirect.rport): %} to {{ fw4.port(redirect.rport) }}{% endif %}
 {%- elif (redirect.target == "accept" || redirect.target == "masquerade"): -%}

diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index e6bd3652141f835763e18abf6932ff80aca23a89..1b4764cea4fa04d4810b4786b4c28e9b59c84c17 100644 (file)
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2244,6 +2244,7 @@ return {
                        set_dscp: [ "dscp", null, NO_INVERT ],
 
                        counter: [ "bool", "1" ],
+                       log: [ "string" ],
 
                        target: [ "target" ]
                });
@@ -2278,6 +2279,15 @@ return {
                        return;
                }
 
+               switch (this.parse_bool(rule.log)) {
+               case true:
+                       rule.log = rule.name;
+                       break;
+
+               case false:
+                       delete rule.log;
+               }
+
                let ipset;
 
                if (rule.ipset) {
@@ -2550,6 +2560,7 @@ return {
                        reflection_zone: [ "zone_ref", null, PARSE_LIST ],
 
                        counter: [ "bool", "1" ],
+                       log: [ "string" ],
 
                        target: [ "target", "dnat" ]
                });
@@ -2568,6 +2579,15 @@ return {
                        redir.target = "dnat";
                }
 
+               switch (this.parse_bool(redir.log)) {
+               case true:
+                       redir.log = redir.name;
+                       break;
+
+               case false:
+                       delete redir.log;
+               }
+
                let ipset;
 
                if (redir.ipset) {
@@ -2656,7 +2676,6 @@ return {
                        redir.dest.zone.dflags[redir.target] = true;
                }
 
-
                let add_rule = (family, proto, saddrs, daddrs, raddrs, sport, dport, rport, ipset, redir) => {
                        let r = {
                                ...redir,