[LEDE-DEV] [PATCH] firewall: fix logging of dropped & rejected packets

Alin Năstac alin.nastac at gmail.com
Tue Apr 3 07:22:49 PDT 2018 

Hi Jo,

The idea is to fix log issues created by chains such as these:
iptables -S zone_lan_forward
-A zone_lan_forward -m comment --comment "!fw3: user chain for
forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: drop_lan_2_guest" -j
zone_guest_dest_DROP
-A zone_lan_forward -m comment --comment "!fw3: Default action for
outgoing NAT" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan"
-j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment
"!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -S zone_guest_dest_DROP
-A zone_guest_dest_DROP -m limit --limit 5/min -m comment --comment
"!fw3" -j LOG --log-prefix "DROP(dest guest)"
-A zone_guest_dest_DROP -o br-guest -m comment --comment "!fw3" -j DROP

As you can see, packets forwarded from lan to wan will also pass
zone_guest_dest_DROP which will generate traces such as these:
[17091.072000] DROP(dest guest)IN=br-lan OUT=pppoe-wan
MAC=a4:91:b1:46:44:6e:30:91:8f:f7:e5:e5:08:00 SRC=192.168.1.105
DST=83.170.84.172 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=20150 DF
PROTO=TCP SPT=53122 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x9800

To do that I had to unify the LOG and DROP targets in a new chain
called DROP_dest_guest. These types of chains are created only when
necessary, i.e. when zone has log=1. Here is an example of how such
chains are created:
iptables -S zone_wan_dest_DROP
-A zone_wan_dest_DROP -o pppoe-wan -m comment --comment "!fw3" -j DROP_dest_wan
iptables -S DROP_dest_wan
-A DROP_dest_wan -m limit --limit 10/sec -m comment --comment "!fw3"
-j LOG --log-prefix "DROP(dest wan)"
-A DROP_dest_wan -m comment --comment "!fw3" -j DROP

BR,
Alin

On Tue, Apr 3, 2018 at 3:44 PM, Jo-Philipp Wich <jo at mein.io> wrote:
> Hi Alin,
>
> thanks for the patch.
>
> Unfortunately it definitely is too big for a simple "fix logging". Will
> take a deeper look at it later but from a first glance it does a few
> unrelated changes, renames chains and has some minor style deviations.
>
> Regards,
> Jo

More information about the Lede-dev mailing list