From 30f499e89eec0863ca4f1fd10c08b057f5b6152f Mon Sep 17 00:00:00 2001 From: Stephan de Wit Date: Thu, 21 Jul 2022 16:11:32 +0200 Subject: [PATCH] Firewall: add general firewall log for alias and filter syslog messages (#5894) --- src/etc/inc/filter.inc | 10 ++++++---- src/etc/inc/plugins.inc.d/core.inc | 1 - src/etc/inc/plugins.inc.d/pf.inc | 10 ++++++++++ src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml | 7 +++++++ .../mvc/app/models/OPNsense/Core/Menu/Menu.xml | 1 + src/opnsense/scripts/filter/update_tables.py | 1 + 6 files changed, 25 insertions(+), 5 deletions(-) diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc index c69747653..0b6d60fb4 100644 --- a/src/etc/inc/filter.inc +++ b/src/etc/inc/filter.inc @@ -334,6 +334,8 @@ function filter_configure_sync($verbose = false, $load_aliases = true) } } + openlog("firewall", LOG_DAEMON, LOG_LOCAL4); + $aliases = filter_generate_aliases(); $aliases .= "\n# Plugins tables\n"; $aliases .= $fw->tablesToText(); @@ -450,7 +452,7 @@ function filter_configure_sync($verbose = false, $load_aliases = true) } if (!@file_put_contents('/tmp/rules.debug', $rules, LOCK_EX)) { - log_error("WARNING: Could not write new rules!"); + syslog(LOG_ERR, 'ERROR: Could not write new rules!'); unlock($filterlck); if ($verbose) { echo "failed.\n"; 
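Review bot: The new `openlog("firewall", LOG_DAEMON, LOG_LOCAL4)` passes a facility constant where PHP's openlog() expects its option flags (LOG_PID, LOG_NDELAY, LOG_CONS, ...); the facility actually applied is the third argument, LOG_LOCAL4, so LOG_DAEMON here is at best ignored and at worst sets option bits nobody intended. Use a real option set, e.g. `openlog("firewall", LOG_PID, LOG_LOCAL4);`, so each ruleset error carries the PID of the process that produced it. openlog() is also process-wide state: every later syslog() call in this PHP process, including ones outside filter_configure_sync(), will carry the "firewall" ident and LOG_LOCAL4 until another openlog() runs, which is probably acceptable for a dedicated reload but deserves a one-line comment at the call site. filter_configure_sync() begins and ends outside this hunk.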
@@ -486,13 +488,13 @@ function filter_configure_sync($verbose = false, $load_aliases = true) /* Brutal ugly hack but required -- PF is stuck, unwedge */ if (strstr("$rules_error[0]", "busy")) { exec('/sbin/pfctl -d; /sbin/pfctl -e; /sbin/pfctl -f /tmp/rules.debug'); - log_error('PF was wedged/busy and has been reset.'); + syslog(LOG_WARNING, 'PF was wedged/busy and has been reset.'); file_notice(gettext('PF was wedged/busy and has been reset.')); } else { exec('/sbin/pfctl -f /tmp/rules.debug.old 2>&1'); } - log_error(sprintf('There were error(s) loading the rules: %s%s', $rules_error[0], $config_line)); + syslog(LOG_ERR, sprintf('There were error(s) loading the rules: %s%s', $rules_error[0], $config_line)); file_notice(sprintf(gettext('There were error(s) loading the rules: %s%s'), $rules_error[0], $config_line)); unlock($filterlck); @@ -671,7 +673,7 @@ function filter_generate_aliases() # a bit of a hack, but prevents the ruleset from not being able to load if these types are in # the configuration. $aliases .= "{$aliased['name']} = \"{ 0 <> 65535 }\"\n"; - log_error(sprintf('URL port aliases types not supported [%s]', $aliased['name'])); + syslog(LOG_ERR, sprintf('URL port aliases types not supported [%s]', $aliased['name'])); file_notice(sprintf(gettext('URL port aliases types not supported [%s]'), $aliased['name'])); break; case "port": diff --git a/src/etc/inc/plugins.inc.d/core.inc b/src/etc/inc/plugins.inc.d/core.inc index baa6514ec..84041ae24 100644 --- a/src/etc/inc/plugins.inc.d/core.inc +++ b/src/etc/inc/plugins.inc.d/core.inc 
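Review bot: The two syslog() calls that replace log_error() here inherit whatever ident and facility the last openlog() in the process set; inside filter_configure_sync() that is the `openlog("firewall", ...)` added near the top of the same function, but if any helper executed in between (alias generation, plugin table hooks) calls openlog() itself, these ruleset-load errors would silently leave the new firewall log. If that cannot be ruled out, either re-assert the ident before this error path or route both calls through a small `filter_log($priority, $msg)` helper that issues openlog() and syslog() together. `$rules_error[0]` is pfctl's own output and `$config_line` the offending ruleset line; both now land in a log that is exposed through a new GUI/API endpoint, so it is worth confirming they cannot contain line breaks that would render as separate, forged entries. The enclosing function starts and ends outside this hunk.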
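Review bot: `syslog(LOG_ERR, sprintf('URL port aliases types not supported [%s]', $aliased['name']))` in filter_generate_aliases() only reaches the new firewall log because its caller, filter_configure_sync(), ran `openlog("firewall", LOG_DAEMON, LOG_LOCAL4)` first; if filter_generate_aliases() is ever invoked from another path, the message falls back to the process default facility and vanishes from this log. Either document the dependency with a comment such as `// relies on the caller's openlog("firewall", ...) so this lands in the firewall log` or call openlog() here as well. `$aliased['name']` comes straight from the configuration and nothing in this hunk validates it, so confirm alias names are restricted to a safe character set before they are written into a syslog line. filter_generate_aliases() starts and ends outside this hunk.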
@@ -253,7 +253,6 @@ function core_syslog() $logfacilities['audit'] = array('facility' => array('audit')); $logfacilities['configd'] = array('facility' => array('configd.py')); $logfacilities['dhcpd'] = array('facility' => array('dhcpd', 'dhcrelay')); - $logfacilities['filter'] = array('facility' => array('filterlog')); $logfacilities['gateways'] = array('facility' => array('dpinger')); $logfacilities['lighttpd'] = array('facility' => array('lighttpd')); $logfacilities['pkg'] = array('facility' => array('pkg', 'pkg-static')); diff --git a/src/etc/inc/plugins.inc.d/pf.inc b/src/etc/inc/plugins.inc.d/pf.inc index dbd894911..62fb02f0e 100644 --- a/src/etc/inc/plugins.inc.d/pf.inc +++ b/src/etc/inc/plugins.inc.d/pf.inc @@ -170,6 +170,16 @@ function pf_firewall($fw) } } +function pf_syslog() +{ + $logfacilities = []; + + $logfacilities['firewall'] = ['facility' => ['firewall']]; + $logfacilities['filter'] = ['facility' => ['filterlog']]; + + return $logfacilities; +} + function pf_xmlrpc_sync() { $result = array(); diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml index 2fb504157..c5953c45e 100644 --- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml +++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml @@ -310,6 +310,13 @@ firewall_virtual_ip.php* + + Diagnostics: Log: Firewall: General + + ui/diagnostics/log/core/firewall/* + api/diagnostics/log/core/firewall/* + + Diagnostics: Logs: Firewall: Plain View diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/Menu/Menu.xml b/src/opnsense/mvc/app/models/OPNsense/Core/Menu/Menu.xml index d2c0a19d8..9e067615c 100644 --- a/src/opnsense/mvc/app/models/OPNsense/Core/Menu/Menu.xml +++ b/src/opnsense/mvc/app/models/OPNsense/Core/Menu/Menu.xml @@ -187,6 +187,7 @@ + diff --git a/src/opnsense/scripts/filter/update_tables.py b/src/opnsense/scripts/filter/update_tables.py index 3326739e0..7aabbfce8 100755 
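Review bot: `pf_syslog()` has no docblock, and the meaning of its two entries is not self-evident: `'firewall'` matches the `firewall` ident that filter.inc and update_tables.py now set via openlog(), while `'filter'` matches the `filterlog` program name this commit removes from core_syslog(). Add a short docblock above the function stating that it returns, per log name, the syslog program identifiers the pf plugin owns, and that the `firewall` entry pairs with the `openlog('firewall', ...)` calls elsewhere — otherwise a future rename of the ident in one place will silently empty this log. pf_syslog() starts and ends inside this hunk.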
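Review bot: The new ACL entry is titled "Diagnostics: Log: Firewall: General" while the neighbouring entry reads "Diagnostics: Logs: Firewall: Plain View" ("Log" vs "Logs"), so the two firewall log privileges will neither sort nor read as a pair in the privilege picker; align the wording, e.g. `Diagnostics: Logs: Firewall: General`, unless the rest of the file favours the singular form. The patterns `ui/diagnostics/log/core/firewall/*` and `api/diagnostics/log/core/firewall/*` grant every action of that controller; if the shared log API also exposes a clear or truncate action, holders of this privilege can erase ruleset-error history, which may be more than a view privilege should allow — confirm that is intended. The XML element tags were lost in this rendering, so only the text content could be checked.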
--- a/src/opnsense/scripts/filter/update_tables.py
+++ b/src/opnsense/scripts/filter/update_tables.py
@@ -120,6 +120,7 @@ if __name__ == '__main__':
     parser.add_argument('--output', help='output type [json/text]', default='json')
     parser.add_argument('--source_conf', help='configuration xml', default='/usr/local/etc/filter_tables.conf')
     inputargs = parser.parse_args()
+    syslog.openlog('firewall', logoption=syslog.LOG_DAEMON, facility=syslog.LOG_LOCAL4)
     # make sure our target directory exists
     if not os.path.isdir('/var/db/aliastables'):
         os.makedirs('/var/db/aliastables')
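Review bot: `syslog.openlog('firewall', logoption=syslog.LOG_DAEMON, facility=syslog.LOG_LOCAL4)` passes a facility constant as `logoption`; that parameter takes option bits such as `LOG_PID` or `LOG_NDELAY`, and the facility is already supplied by the third argument, so LOG_DAEMON here is at best ignored and at worst sets unintended option bits. Use `syslog.openlog('firewall', logoption=syslog.LOG_PID, facility=syslog.LOG_LOCAL4)` (or `logoption=0`) so the alias-table updater's PID accompanies each entry in the new firewall log, matching whatever flags the PHP side settles on. This assumes `syslog` is already imported at module level, which the hunk does not show. The `if __name__ == '__main__':` block continues beyond this hunk.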