Hi Jo,

The idea is to fix log issues created by chains such as these:

iptables -S zone_lan_forward
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: drop_lan_2_guest" -j zone_guest_dest_DROP
-A zone_lan_forward -m comment --comment "!fw3: Default action for outgoing NAT" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT

iptables -S zone_guest_dest_DROP
-A zone_guest_dest_DROP -m limit --limit 5/min -m comment --comment "!fw3" -j LOG --log-prefix "DROP(dest guest)"
-A zone_guest_dest_DROP -o br-guest -m comment --comment "!fw3" -j DROP
As you can see, packets forwarded from lan to wan will also pass zone_guest_dest_DROP, which will generate traces such as these:

[17091.072000] DROP(dest guest)IN=br-lan OUT=pppoe-wan MAC=a4:91:b1:46:44:6e:30:91:8f:f7:e5:e5:08:00 SRC=192.168.1.105 DST=83.170.84.172 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=20150 DF PROTO=TCP SPT=53122 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x9800

To do that, I had to unify the LOG and DROP targets in a new chain called DROP_dest_guest. These types of chains are created only when necessary, i.e. when the zone has log=1. Here is an example of how such chains are created:

iptables -S zone_wan_dest_DROP
-A zone_wan_dest_DROP -o pppoe-wan -m comment --comment "!fw3" -j DROP_dest_wan

iptables -S DROP_dest_wan
-A DROP_dest_wan -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "DROP(dest wan)"
-A DROP_dest_wan -m comment --comment "!fw3" -j DROP

BR,
Alin

On Tue, Apr 3, 2018 at 3:44 PM, Jo-Philipp Wich <[email protected]> wrote:
> Hi Alin,
>
> thanks for the patch.
>
> Unfortunately it definitely is too big for a simple "fix logging". Will
> take a deeper look at it later but from a first glance it does a few
> unrelated changes, renames chains and has some minor style deviations.
>
> Regards,
> Jo

_______________________________________________
Lede-dev mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/lede-dev
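Added example, not part of Alin's mail or of the fw3 patch under discussion: a minimal walker over the two chain layouts quoted above, to make the logging bug and its fix concrete. It models only the `-o` match and the `-j` target; the limit, conntrack and comment matches are dropped, and the bodies of zone_wan_dest_ACCEPT and zone_lan_dest_ACCEPT, which the mail does not show, are assumed to be the usual `-o <iface> -j ACCEPT`. The reworked DROP_dest_guest chain is built from the description in the mail, by analogy with the DROP_dest_wan listing. The two packets are constructed from the fields of the trace above.

```python
"""Toy iptables chain walker: old vs. reworked zone_guest_dest_DROP layout.

Example code written for this thread, not fw3's own implementation.
Only "-o" and "-j" are modelled; LOG is non-terminal, ACCEPT/DROP terminate,
RETURN (or falling off the end of a user chain) continues in the caller.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP"}


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP, LOG, RETURN or a user chain name
    out_iface: Optional[str] = None  # value of "-o"; None means no interface match
    log_prefix: str = ""             # "--log-prefix" for LOG rules


Chains = Dict[str, List[Rule]]


def walk(chains: Chains, chain: str, pkt: dict, log: List[str]) -> Optional[str]:
    """Evaluate `chain` for `pkt`; return a terminal verdict or None if the chain ran out."""
    for rule in chains[chain]:
        if rule.out_iface is not None and rule.out_iface != pkt["out"]:
            continue                                    # "-o" did not match, next rule
        if rule.target == "LOG":
            # Same shape as the kernel trace: prefix glued directly to IN=
            log.append(f"{rule.log_prefix}IN={pkt['in']} OUT={pkt['out']} "
                       f"SRC={pkt['src']} DST={pkt['dst']}")
            continue                                    # LOG never ends traversal
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, log)   # jump into a user chain
        if verdict is not None:
            return verdict
    return None


def forward(chains: Chains, pkt: dict) -> Tuple[Optional[str], List[str]]:
    """Run a packet through zone_lan_forward; return (verdict, emitted log lines)."""
    log: List[str] = []
    return walk(chains, "zone_lan_forward", pkt, log), log


def old_chains() -> Chains:
    """Layout quoted in the mail (limit/conntrack/comment matches omitted)."""
    return {
        "zone_lan_forward": [
            Rule("forwarding_lan_rule"),
            Rule("zone_guest_dest_DROP"),
            Rule("zone_wan_dest_ACCEPT"),
            Rule("zone_wan_dest_ACCEPT"),
            Rule("zone_lan_dest_ACCEPT"),
        ],
        "forwarding_lan_rule": [],
        "zone_guest_dest_DROP": [
            # No "-o" on the LOG rule: every packet passing through gets logged
            Rule("LOG", log_prefix="DROP(dest guest)"),
            Rule("DROP", out_iface="br-guest"),
        ],
        # ASSUMED: bodies of the ACCEPT chains are not in the mail
        "zone_wan_dest_ACCEPT": [Rule("ACCEPT", out_iface="pppoe-wan")],
        "zone_lan_dest_ACCEPT": [Rule("ACCEPT", out_iface="br-lan")],
    }


def new_chains() -> Chains:
    """Reworked layout: "-o" gates a jump into a chain that both logs and drops."""
    chains = old_chains()
    chains["zone_guest_dest_DROP"] = [Rule("DROP_dest_guest", out_iface="br-guest")]
    chains["DROP_dest_guest"] = [          # built by analogy with DROP_dest_wan
        Rule("LOG", log_prefix="DROP(dest guest)"),
        Rule("DROP"),
    ]
    return chains


# Constructed packets, taken from the fields of the trace in the mail
LAN_TO_WAN = {"in": "br-lan", "out": "pppoe-wan", "src": "192.168.1.105", "dst": "83.170.84.172"}
LAN_TO_GUEST = {"in": "br-lan", "out": "br-guest", "src": "192.168.1.105", "dst": "192.168.2.10"}

if __name__ == "__main__":
    for name, chains in (("old", old_chains()), ("new", new_chains())):
        for label, pkt in (("lan->wan", LAN_TO_WAN), ("lan->guest", LAN_TO_GUEST)):
            verdict, log = forward(chains, pkt)
            print(f"{name:3} {label:10} verdict={verdict} logged={log}")
```

With the old layout the lan->wan packet is accepted by zone_wan_dest_ACCEPT but has already produced a "DROP(dest guest)" line on its way through zone_guest_dest_DROP; with the reworked layout the same packet never enters DROP_dest_guest, while a lan->guest packet is still logged once and dropped in both layouts.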
