commit 821f04205d505da14587896cf436cbab5dba4dd9
Author: Thomas Woerner <twoerner@redhat.com>
Date: Fri Sep 16 16:11:53 2016 +0200
firewall.core.fw_zone: Fix LOG rule placement for LogDenied
The LOG rule needs to be placed exactly before the DROP or REJECT rule and not
afterwards.
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index d72caa5..97596bc 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -325,13 +325,13 @@ class FirewallZone(object):
chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
if target in [ "REJECT", "%%REJECT%%" ]:
transaction.add_rule(
- ipv, [ "-I", _zone, "5", "-t", table,
+ ipv, [ "-I", _zone, "4", "-t", table,
"%%LOGTYPE%%",
"-j", "LOG", "--log-prefix",
"\"%s_REJECT: \"" % _zone ])
if target == "DROP":
transaction.add_rule(
- ipv, [ "-I", _zone, "5", "-t", table,
+ ipv, [ "-I", _zone, "4", "-t", table,
"%%LOGTYPE%%",
"-j", "LOG", "--log-prefix",
"\"%s_DROP: \"" % _zone ])
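Review bot: The insert position `"4"` in both `-I` calls is a bare literal, and whether it lands directly before the terminal rule depends on how many rules the zone chain already holds when this code runs, which the hunk does not show. If that layout changes again, the LOG rule would silently end up after the DROP or REJECT rule and LogDenied would record nothing, with no error to draw attention to it. I would add a comment above the first call such as `# position 4 = immediately before the final DROP/REJECT rule; keep in sync with the rules added to this chain earlier`, and ideally a test asserting that the LOG rule precedes the terminal target. The REJECT and DROP branches differ only in the log-prefix suffix, so a single `add_rule` call with the suffix chosen from `target` would keep the index in one place. The enclosing method begins and ends outside the hunk.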