Firewall: add general firewall log for alias and filter syslog messages (#5894)

2026-03-17 01:54:49 +00:00 · 2022-07-21 16:11:32 +02:00 · 2022-07-21 16:11:32 +02:00 · 30f499e89e
commit 30f499e89e
parent e9c57fd59b
6 changed files with 25 additions and 5 deletions
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@ -334,6 +334,8 @@ function filter_configure_sync($verbose = false, $load_aliases = true)
        }
    }

+    openlog("firewall", LOG_DAEMON, LOG_LOCAL4);
+
    $aliases = filter_generate_aliases();
    $aliases .= "\n# Plugins tables\n";
    $aliases .= $fw->tablesToText();
@ -450,7 +452,7 @@ function filter_configure_sync($verbose = false, $load_aliases = true)
    }

    if (!@file_put_contents('/tmp/rules.debug', $rules, LOCK_EX)) {
-        log_error("WARNING: Could not write new rules!");
+        syslog(LOG_ERR, 'ERROR: Could not write new rules!');
        unlock($filterlck);
        if ($verbose) {
            echo "failed.\n";
@ -486,13 +488,13 @@ function filter_configure_sync($verbose = false, $load_aliases = true)
        /* Brutal ugly hack but required -- PF is stuck, unwedge */
        if (strstr("$rules_error[0]", "busy")) {
            exec('/sbin/pfctl -d; /sbin/pfctl -e; /sbin/pfctl -f /tmp/rules.debug');
-            log_error('PF was wedged/busy and has been reset.');
+            syslog(LOG_WARNING, 'PF was wedged/busy and has been reset.');
            file_notice(gettext('PF was wedged/busy and has been reset.'));
        } else {
            exec('/sbin/pfctl -f /tmp/rules.debug.old 2>&1');
        }

-        log_error(sprintf('There were error(s) loading the rules: %s%s', $rules_error[0], $config_line));
+        syslog(LOG_ERR, sprintf('There were error(s) loading the rules: %s%s', $rules_error[0], $config_line));
        file_notice(sprintf(gettext('There were error(s) loading the rules: %s%s'), $rules_error[0], $config_line));
        unlock($filterlck);

@ -671,7 +673,7 @@ function filter_generate_aliases()
                # a bit of a hack, but prevents the ruleset from not being able to load if these types are in
                # the configuration.
                $aliases .= "{$aliased['name']} = \"{ 0 <> 65535 }\"\n";
-                log_error(sprintf('URL port aliases types not supported [%s]', $aliased['name']));
+                syslog(LOG_ERR, sprintf('URL port aliases types not supported [%s]', $aliased['name']));
                file_notice(sprintf(gettext('URL port aliases types not supported [%s]'), $aliased['name']));
                break;
            case "port":
--- a/src/etc/inc/plugins.inc.d/core.inc
+++ b/src/etc/inc/plugins.inc.d/core.inc
@ -253,7 +253,6 @@ function core_syslog()
    $logfacilities['audit'] = array('facility' => array('audit'));
    $logfacilities['configd'] = array('facility' => array('configd.py'));
    $logfacilities['dhcpd'] = array('facility' => array('dhcpd', 'dhcrelay'));
-    $logfacilities['filter'] = array('facility' => array('filterlog'));
    $logfacilities['gateways'] = array('facility' => array('dpinger'));
    $logfacilities['lighttpd'] = array('facility' => array('lighttpd'));
    $logfacilities['pkg'] = array('facility' => array('pkg', 'pkg-static'));
--- a/src/etc/inc/plugins.inc.d/pf.inc
+++ b/src/etc/inc/plugins.inc.d/pf.inc
@ -170,6 +170,16 @@ function pf_firewall($fw)
    }
 }

+function pf_syslog()
+{
+    $logfacilities = [];
+
+    $logfacilities['firewall'] = ['facility' => ['firewall']];
+    $logfacilities['filter'] = ['facility' => ['filterlog']];
+
+    return $logfacilities;
+}
+
 function pf_xmlrpc_sync()
 {
    $result = array();
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
@ -310,6 +310,13 @@
            <pattern>firewall_virtual_ip.php*</pattern>
        </patterns>
    </page-firewall-virtualipaddresses>
+    <page-diagnostics-logs-firewall-general>
+        <name>Diagnostics: Log: Firewall: General</name>
+        <patterns>
+            <pattern>ui/diagnostics/log/core/firewall/*</pattern>
+            <pattern>api/diagnostics/log/core/firewall/*</pattern>
+        </patterns>
+    </page-diagnostics-logs-firewall-general>
    <page-diagnostics-logs-firewall-plain>
        <name>Diagnostics: Logs: Firewall: Plain View</name>
        <patterns>
--- a/src/opnsense/mvc/app/models/OPNsense/Core/Menu/Menu.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/Menu/Menu.xml
@ -187,6 +187,7 @@
            <Statistics url="/ui/diagnostics/firewall/statistics"/>
        </Diagnostics>
        <LogFiles order="400" VisibleName="Log Files" cssClass="fa fa-eye fa-fw">
+            <General VisibleName="General" url="/ui/diagnostics/log/core/firewall"/>
            <Live VisibleName="Live View" url="/ui/diagnostics/firewall/log"/>
            <Overview url="/ui/diagnostics/firewall/stats"/>
            <Plain VisibleName="Plain View" url="/ui/diagnostics/log/core/filter"/>
--- a/src/opnsense/scripts/filter/update_tables.py
+++ b/src/opnsense/scripts/filter/update_tables.py
@ -120,6 +120,7 @@ if __name__ == '__main__':
    parser.add_argument('--output', help='output type [json/text]', default='json')
    parser.add_argument('--source_conf', help='configuration xml', default='/usr/local/etc/filter_tables.conf')
    inputargs = parser.parse_args()
+    syslog.openlog('firewall', logoption=syslog.LOG_DAEMON, facility=syslog.LOG_LOCAL4)
    # make sure our target directory exists
    if not os.path.isdir('/var/db/aliastables'):
        os.makedirs('/var/db/aliastables')