Pipelines add logging iptables

ci/docker/tester/Dockerfile

@@ -6,9 +6,9 @@ COPY requirements.txt /tmp/requirements.txt
 
 # Install Debian packages
 RUN apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \
+    DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install vim linux-modules-6.8.0-49-generic \
         # linux app
-        apt-utils curl git iputils-ping sudo kmod systemd \
+        apt-utils curl git iputils-ping sudo kmod systemd ulogd2 \
         # preinstall deps required by nordvpn
         libxml2 iproute2 iptables \
         # install wireguard tools for tests
@@ -23,6 +23,8 @@ RUN apt-get update && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
+RUN modprobe nfnetlink_log
+
 # Install Python packages for tests
 RUN python3 -m pip install --no-cache-dir -r /tmp/requirements.txt && rm -rf /tmp/*
 

daemon/firewall/iptables/iptables.go

@@ -106,6 +106,16 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error {
 			continue
 		}
 		for _, ipTableRule := range ipTablesRules {
+			if !rule.Allow {
+				prefix := fmt.Sprintf("-j NFLOG --nflog-prefix \"LOG-post-%s\"", rule.Name)
+				log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix)
+				logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1)
+				args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule)
+				out, err := exec.Command(iptableVersion, strings.Split(args, " ")...).CombinedOutput()
+				if err != nil {
+					log.Printf(internal.ErrorPrefix+" [iptables-debug]"+" failed to add rule: %ss: %s", err, string(out))
+				}
+			}
 			// -w does not accept arguments on older iptables versions
 			args := fmt.Sprintf("%s %s -w "+internal.SecondsToWaitForIptablesLock, flag, ipTableRule)
 			// #nosec G204 -- input is properly sanitized
@@ -116,6 +126,17 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error {
 				}
 				return fmt.Errorf("%s %s rule '%s': %w: %s", errStr, iptableVersion, ipTableRule, err, string(out))
 			}
+
+			if !rule.Allow {
+				prefix := fmt.Sprintf("-j NFLOG --nflog-prefix \"LOG-pre-%s\"", rule.Name)
+				log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix)
+				logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1)
+				args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule)
+				out, err := exec.Command(iptableVersion, strings.Split(args, " ")...).CombinedOutput()
+				if err != nil {
+					log.Printf(internal.ErrorPrefix+"[iptables-debug]"+" failed to add rule: %s: %s", err, string(out))
+				}
+			}
 		}
 	}
 	return nil

magefiles/mage.go

@@ -23,7 +23,7 @@ const (
 	imageSnapPackager      = registryPrefix + "snaper:0.0.4"
 	imageProtobufGenerator = registryPrefix + "generator:1.4.1"
 	imageScanner           = registryPrefix + "scanner:1.1.0"
-	imageTester            = registryPrefix + "tester:1.3.2"
+	imageTester            = registryPrefix + "tester:ulog"
 	imageQAPeer            = registryPrefix + "qa-peer:1.0.4"
 	imageRuster            = registryPrefix + "ruster:1.3.0"
 

test/qa/test_connect.py

@@ -7,12 +7,20 @@
 
 import lib
 from lib import daemon, info, logging, login, network, server
+import os
+
+import shutil
+import subprocess
 
 CONNECT_ALIAS = [
     "connect",
     "c"
 ]
 
+def setup_module():
+    subprocess.call(['sudo','/etc/init.d/ulogd2','start'])
+    time.sleep(5)
+
 def setup_function(function):  # noqa: ARG001
     daemon.start()
     login.login_as("default")
@@ -23,6 +31,11 @@
     logging.log(data=info.collect())
     logging.log()
 
+    project_root = os.environ["WORKDIR"]
+
+    # shutil.copy("/var/log/syslogemu.log", f"{project_root}/dist/logs")
+    subprocess.call(['sudo','cp', "/var/log/ulog/syslogemu.log", f"{project_root}/dist/logs"])
+
     sh.nordvpn.logout("--persist-token")
     sh.nordvpn.set.defaults()
     daemon.stop()