move log_deny info from router to acllist

In order to use different log_deny attributes on different VRFs of the same router. Before only the log_deny of first VRF was used on all deny labels.
hknutzen · Sep 15, 2023 · 8e1ecf9 · 8e1ecf9
1 parent 9952bfb
commit 8e1ecf9
Show file tree

Hide file tree

Showing 8 changed files with 308 additions and 14 deletions.
diff --git a/go/pkg/jcode/types.go b/go/pkg/jcode/types.go
@@ -10,7 +10,6 @@ type RouterData struct {
 	ACLs          []*ACLInfo `json:"acls"`
 	FilterOnly    []string   `json:"filter_only,omitempty"`
 	DoObjectgroup bool       `json:"do_objectgroup,omitempty"`
-	LogDeny       string     `json:"log_deny,omitempty"`
 }
 
 type ACLInfo struct {
@@ -27,6 +26,7 @@ type ACLInfo struct {
 	IsCryptoACL  bool     `json:"is_crypto_acl,omitempty"`
 	Tier         string   `json:"tier,omitempty"`
 	VRF          string   `json:"vrf,omitempty"`
+	LogDeny      string   `json:"log_deny,omitempty"`
 }
 
 type Rule struct {

diff --git a/go/pkg/pass1/print-code.go b/go/pkg/pass1/print-code.go
@@ -2245,6 +2245,10 @@ func (c *spoc) printAcls(path string, vrfMembers []*router) {
 			if t := model.tier; t != "" {
 				jACL.Tier = t
 			}
+			if r.logDeny == "" {
+				r.logDeny = r.logDefault
+			}
+			jACL.LogDeny = r.logDeny
 			return jACL
 		}
 
@@ -2280,10 +2284,6 @@ func (c *spoc) printAcls(path string, vrfMembers []*router) {
 		}
 		result.FilterOnly = list
 	}
-	if r.logDeny == "" {
-		r.logDeny = r.logDefault
-	}
-	result.LogDeny = r.logDeny
 	c.writeJson(path, result)
 }
 

diff --git a/go/pkg/pass2/cisco.go b/go/pkg/pass2/cisco.go
@@ -997,8 +997,8 @@ func printCiscoACL(fd *os.File, aclInfo *aclInfo, routerData *routerData) {
 			}
 			if rule.log != "" {
 				result += " " + rule.log
-			} else if rule.deny && routerData.logDeny != "" {
-				result += " " + routerData.logDeny
+			} else if rule.deny && aclInfo.logDeny != "" {
+				result += " " + aclInfo.logDeny
 			}
 
 			// Add line numbers.

diff --git a/go/pkg/pass2/nsx.go b/go/pkg/pass2/nsx.go
@@ -79,10 +79,10 @@ func printNSXRules(fd *os.File, rData *routerData) {
 		protoMap[name] = srcRgPrt{prt: prt, srcRg: srcRange}
 		return "/infra/services/" + name
 	}
-	addLog := func(ru *ciscoRule, j jsonMap) {
+	addLog := func(ru *ciscoRule, j jsonMap, aclInfo *aclInfo) {
 		modifier := ru.log
 		if modifier == "" && ru.deny {
-			modifier = rData.logDeny
+			modifier = aclInfo.logDeny
 		}
 		if modifier != "" {
 			j["logged"] = true
@@ -163,7 +163,7 @@ func printNSXRules(fd *os.File, rData *routerData) {
 						"sequence_number":    seqNum,
 						"profiles":           single("ANY"),
 					}
-					addLog(rule, nsxRule)
+					addLog(rule, nsxRule, acl)
 					nsxRules = append(nsxRules, nsxRule)
 				}
 			}

diff --git a/go/pkg/pass2/pan-os.go b/go/pkg/pass2/pan-os.go
@@ -114,11 +114,11 @@ func printPanOSRules(fd *os.File, vsys string, rData *routerData) {
 		protoMap[name] = srcRgPrt{prt: prt, srcRg: srcRange, name: name}
 		return member(name)
 	}
-	getLog := func(ru *ciscoRule) string {
+	getLog := func(ru *ciscoRule, aclInfo *aclInfo) string {
 		result := ""
 		modifiers := ru.log
 		if modifiers == "" && ru.deny {
-			modifiers = rData.logDeny
+			modifiers = aclInfo.logDeny
 		}
 		if modifiers != "" {
 			for _, log := range strings.Split(modifiers, " ") {
@@ -149,7 +149,7 @@ func printPanOSRules(fd *os.File, vsys string, rData *routerData) {
 				source := getAddress(rule.src)
 				destination := getAddress(rule.dst)
 				service := getService(rule)
-				log := getLog(rule)
+				log := getLog(rule, acl)
 				fmt.Fprintf(fd,
 					`<entry name="%s">
 <action>%s</action>

diff --git a/go/pkg/pass2/spoc2.go b/go/pkg/pass2/spoc2.go
@@ -191,6 +191,7 @@ type aclInfo struct {
 	objectGroups                                     []*objGroup
 	tier                                             string
 	vrf                                              string
+	logDeny                                          string
 }
 
 func convertACLs(
@@ -229,6 +230,7 @@ func convertACLs(
 		addDeny:      jACL.AddDeny,
 		tier:         jACL.Tier,
 		vrf:          jACL.VRF,
+		logDeny:      jACL.LogDeny,
 		intfRules:    intfRules,
 		intfRuHasLog: hasLog1,
 		rules:        rules,
@@ -308,7 +310,6 @@ func readJSON(path string) *routerData {
 		rData.ipv6 = true
 	}
 	rData.model = jData.Model
-	rData.logDeny = jData.LogDeny
 	rData.doObjectgroup = jData.DoObjectgroup
 	acls := make([]*aclInfo, len(jData.ACLs))
 	for i, jACL := range jData.ACLs {

diff --git a/go/testdata/ipv6/nsx_ipv6.t b/go/testdata/ipv6/nsx_ipv6.t
@@ -1022,6 +1022,153 @@ router:r1@v1 = {
 }
 =END=
 
+############################################################
+=TITLE=Log Deny for multiple vrfs
+=PARAMS=--ipv6
+=INPUT=
+network:n1 = { ip = ::a01:100/120; }
+network:n2 = { ip = ::a01:200/120; }
+router:r1 = {
+ model = NSX;
+ management_instance;
+ interface:n1 = { ip = ::a01:101; }
+}
+router:r1@v1 = {
+ model = NSX, T1;
+ managed;
+ log_deny = tag:r1@v1;
+ interface:n1 = { ip = ::a01:102; hardware = IN; }
+ interface:n2 = { ip = ::a01:201; hardware = OUT; }
+}
+router:r1@v2 = {
+ model = NSX, T1;
+ managed;
+ log_deny = tag:r1@v2;
+ interface:n1 = { ip = ::a01:103; hardware = IN; }
+ interface:n2 = { ip = ::a01:202; hardware = OUT; }
+}
+=OUTPUT=
+--ipv6/r1
+{
+ "groups": null,
+ "policies": [
+  {
+   "id": "Netspoc-v1",
+   "resource_type": "GatewayPolicy",
+   "rules": [
+    {
+     "action": "DROP",
+     "destination_groups": [
+      "ANY"
+     ],
+     "direction": "OUT",
+     "id": "v6r1",
+     "ip_protocol": "IPV6",
+     "logged": true,
+     "profiles": [
+      "ANY"
+     ],
+     "resource_type": "Rule",
+     "scope": [
+      "/infra/tier-1s/v1"
+     ],
+     "sequence_number": 30,
+     "services": [
+      "ANY"
+     ],
+     "source_groups": [
+      "ANY"
+     ],
+     "tag": "r1@v1"
+    },
+    {
+     "action": "DROP",
+     "destination_groups": [
+      "ANY"
+     ],
+     "direction": "IN",
+     "id": "v6r2",
+     "ip_protocol": "IPV6",
+     "logged": true,
+     "profiles": [
+      "ANY"
+     ],
+     "resource_type": "Rule",
+     "scope": [
+      "/infra/tier-1s/v1"
+     ],
+     "sequence_number": 30,
+     "services": [
+      "ANY"
+     ],
+     "source_groups": [
+      "ANY"
+     ],
+     "tag": "r1@v1"
+    }
+   ]
+  },
+  {
+   "id": "Netspoc-v2",
+   "resource_type": "GatewayPolicy",
+   "rules": [
+    {
+     "action": "DROP",
+     "destination_groups": [
+      "ANY"
+     ],
+     "direction": "OUT",
+     "id": "v6r1",
+     "ip_protocol": "IPV6",
+     "logged": true,
+     "profiles": [
+      "ANY"
+     ],
+     "resource_type": "Rule",
+     "scope": [
+      "/infra/tier-1s/v2"
+     ],
+     "sequence_number": 30,
+     "services": [
+      "ANY"
+     ],
+     "source_groups": [
+      "ANY"
+     ],
+     "tag": "r1@v2"
+    },
+    {
+     "action": "DROP",
+     "destination_groups": [
+      "ANY"
+     ],
+     "direction": "IN",
+     "id": "v6r2",
+     "ip_protocol": "IPV6",
+     "logged": true,
+     "profiles": [
+      "ANY"
+     ],
+     "resource_type": "Rule",
+     "scope": [
+      "/infra/tier-1s/v2"
+     ],
+     "sequence_number": 30,
+     "services": [
+      "ANY"
+     ],
+     "source_groups": [
+      "ANY"
+     ],
+     "tag": "r1@v2"
+    }
+   ]
+  }
+ ],
+ "services": null
+}
+=END=
+
 ############################################################
 =TITLE=ICMP and numeric protocol with mixed logging
 =PARAMS=--ipv6