Luci firewall - Limit log messages


On 22.03.4 the Luci Setting (Network -> Firewall -> General Settings -> Edit a Zone > Advanced Settings) "Limit log messages" has no effect and does not appear in "nft list ruleset".

Is this a bug or do I miss something?


What log messages are you limiting?

Don't now what you mean...
I log the "reject's" from a zone and these are not limeted when I set the parameter "Limit log messages" to default value of 10/minute.

1 Like

Thanks for the clarification. That's exactly what I was inquiring. I'm sure someone can better assist you now.

Sorry, for unclear wording (and bad english) and thank you for your answer.

For further clarification:

  • Logs are working with luci setting, but the limitation do not.
  • Limits are working if i set them "by hand" in the nftables ruleset.
1 Like

It is unsupported in fw4


How do you set them by hand exactly? Back when I implemented fw4 there was no option to limit the log target in nftables, so maybe that changed now and it could be added to the ruleset generation.

1 Like

I'm no expert with nftables and don't know how to do this.
What I did is: 2 rules with the same condition, one for log with limit, the other with reject.
Otherwise the log will be flooded.

1 Like

Ah okay, that’s what I suspected. Two different rules - one for logging and one for the action - was the common approach with iptables, but it introduces unwanted overhead due to the need to match packets twice.

Nope, nftables allows to perform two actions in one single rule, contrary to iptables which required two rules for this. E.g. in banIP I'm using this:

ip daddr @blocklistv4 log prefix "banIP/fwd-lan/rej/blocklistv4: " level debug counter packets 0 bytes 0 reject with icmp admin-prohibited
ip6 daddr @blocklistv6 log prefix "banIP/fwd-lan/rej/blocklistv6: " level debug counter packets 0 bytes 0 reject with icmpv6 admin-prohibited

Currently no log limit but a combined rule plus log prefix.

Yes, and fw4 does it this way. But there's no way (I know of) to apply a limit to only one action of a rule.

Yes, of course, but maybe less load in case of portscan's filling the logs.
From my point of view, it would be more practicable.