Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

option log '0' doesn't seem to work #47

Open
brianjmurrell opened this issue Feb 11, 2025 · 5 comments
Open

option log '0' doesn't seem to work #47

brianjmurrell opened this issue Feb 11, 2025 · 5 comments

Comments

@brianjmurrell
Copy link

If I want to have a rule that simply suppresses the logging for some noisy (i.e. broadcast) traffic when logging is enabled for the zone, it seems that creating such a rule with option log '0' doesn't actually suppress the logging on it. I.e.:

config rule
	option name 'Dont-LOG-Misc-Broadcast'
	option target 'DROP'
	option src 'lan'
	option family 'ipv4'
	list proto 'all'
	list dest_ip '10.75.22.255'
	list dest_ip '255.255.255.255'
	option log '0'

This results in the nft rule:

	chain input_lan { # 
…
		ip daddr { 10.75.22.255, 255.255.255.255 } counter jump drop_from_lan comment "!fw4: Dont-LOG-Misc-Broadcast"

and with logging enabled for the lan zone:

	chain drop_from_lan { # 
		iifname "eth0.1" counter log prefix "drop lan in: " drop comment "!fw4: drop lan IPv4/IPv6 traffic" # 
	}

which is the cause of the logging.

But what is really interesting is that if I disable logging on the lan zone, the drop_from_lan chain becomes:

	chain drop_from_lan { # 
	}

to disable the logging for the zone, but also, the rule added to the input_lan chain is changed to:

	chain input_lan { # 
…
		ip daddr { 10.75.22.255, 255.255.255.255 } counter drop comment "!fw4: Dont-LOG-Misc-Broadcast" #

What is so interesting about this is that when zone logging is disabled, in addition to removing the logging from the drop_from_lan, the disposition of the rule changes from a jump drop_from_lan to a more simple drop.

I'm not sure what is triggering the change from jump drop_from_lan to a more simple drop, but that is actually what we want to happen for a rule that has option log '0' even when logging is enabled for the zone. That would achieve the expected results of option log '0'.
@brada4
Copy link

brada4 commented Feb 11, 2025

It is same hard to understand precedence that makes little sense. Zone log is one world rule log is another. I dont know how it should be...
zone log is bitmask btw

@brianjmurrell
Copy link
Author

Intuitively I would say that setting log to 0 on a rule should override zone log settings. It seems the least surprising behaviour (as opposed to just being ignored and having no effect) and most useful behaviour.

And it seems it's already very close to working given the jump drop_from_lan vs. drop. But I've also looked at the code (hoping it was a simple fix I could submit a PR for) and don't really understand it unfortunately. I've not really done much of anything with ucode or any languages it's syntax is similar to. 😦

@brada4
Copy link

brada4 commented Feb 11, 2025

I wish it was "log what fell through other rules"

@brianjmurrell
Copy link
Author

I wish it was "log what fell through other rules"

Hrm. Given the examples in my original posting, I think it can be. If rules that are using jump drop_from_lan used drop instead (as they seem to do when logging is disabled for the zone) then you would get the behaviour that you want.

@brada4
Copy link

brada4 commented Feb 11, 2025

That is what i do, i really dont understand why defaults are not your/my way that per-rule setting would override zone setting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brianjmurrell @brada4