Hello!
On 22.03.4 the Luci Setting (Network -> Firewall -> General Settings -> Edit a Zone > Advanced Settings) "Limit log messages" has no effect and does not appear in "nft list ruleset".
Is this a bug or do I miss something?
Robert
What log messages are you limiting?
Don't know what you mean...
I log the rejects from a zone and these are not limited when I set the parameter "Limit log messages" to the default value of 10/minute.
Thanks for the clarification. That's exactly what I was inquiring. I'm sure someone can better assist you now.
Sorry for the unclear wording (and bad English), and thank you for your answer.
For further clarification:
It is unsupported in fw4
How do you set them by hand exactly? Back when I implemented fw4 there was no option to limit the log target in nftables, so maybe that changed now and it could be added to the ruleset generation.
I'm no expert with nftables and don't know how to do this.
What I did is: 2 rules with the same condition, one for log with limit, the other with reject.
Otherwise the log will be flooded.
Ah okay, that’s what I suspected. Two different rules - one for logging and one for the action - was the common approach with iptables, but it introduces unwanted overhead due to the need to match packets twice.
Nope, nftables allows performing two actions in a single rule, contrary to iptables, which required two rules for this. E.g. in banIP I'm using this:
[...]
ip daddr @blocklistv4 log prefix "banIP/fwd-lan/rej/blocklistv4: " level debug counter packets 0 bytes 0 reject with icmp admin-prohibited
ip6 daddr @blocklistv6 log prefix "banIP/fwd-lan/rej/blocklistv6: " level debug counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
[...]
Currently no log limit but a combined rule plus log prefix.
Yes, and fw4 does it this way. But there's no way (I know of) to apply a limit to only one action of a rule.
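An added example (not from this thread, and not fw4's or banIP's own ruleset) of the two-rule pattern Robert describes, written as a standalone nftables table so it can be loaded and inspected on its own. The interface name "wan0", the table name "example" and the log prefix are assumptions for illustration. The commented-out variant shows why the limit cannot simply be prepended to the combined log+reject rule: `limit rate` is a match expression, so once the rate is exceeded the whole rule stops matching and the packet is neither logged nor rejected by it.

```nft
#!/usr/sbin/nft -f
# Added example: rate-limited logging of rejected WAN packets.
# Standalone table; "wan0", "example" and the prefix are assumed names.
flush ruleset

table inet example {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # WRONG: the limit gates the whole rule. The 11th packet in a minute
        # no longer matches here, so it is neither logged nor rejected by this
        # rule and falls through to the chain policy (here: a silent drop).
        # iifname "wan0" limit rate 10/minute log prefix "fw-reject wan: " reject with icmpx type admin-prohibited

        # RIGHT: two rules with the same match. "log" is a non-terminating
        # statement, so the first rule only logs and is gated by the limit;
        # the second rule always rejects. Over-limit packets are still
        # rejected, just no longer logged.
        iifname "wan0" limit rate 10/minute burst 5 packets log prefix "fw-reject wan: " level info
        iifname "wan0" counter reject with icmpx type admin-prohibited
    }
}
```

Check the syntax with `nft -c -f example.nft` before loading it with `nft -f example.nft`; afterwards `nft list ruleset` shows the `limit rate` expression on the log rule, which is exactly what is missing from the fw4-generated ruleset in the original question. The `counter` on the reject rule makes it easy to confirm that packets above the log limit are still being rejected.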
Yes, of course, but maybe less load in case of portscans filling the logs.
From my point of view, it would be more practical.