When spoofed packet attempts prevented by BCP38 are dropped, this happens silently.
Could an option be added to the bcp38 package and to luci-app-bcp38 so that, when a packet is dropped, something is written to the system log? E.g.: “BCP38 DROP…”
Spoofed packet attempts may be an indication that a device in the network has been compromised, and currently the bcp38 package does not provide an option for this. It should be possible to monitor this in order to detect such compromised hosts in the network.
A possible implementation would be:
- Addition of a checkbox to enable logging to the system log in luci-app-bcp38.
- Addition of support for enabling logging in the bcp38 script.
- If checkbox is checked then the nft add command will include something like “log prefix "BCP38 DROP: " level warning drop”
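
To show what the proposed log lines would make possible, here is an added example (not part of the original request and not code from the bcp38 package) that parses "BCP38 DROP: " entries and counts them per LAN host. It assumes the kernel's standard netfilter `KEY=value` log layout; the interface names `br-lan` and `wan` and all sample lines are constructed.

```python
import re
from collections import Counter

PREFIX = "BCP38 DROP: "              # log prefix proposed in the request above
FIELD = re.compile(r"(\w+)=(\S*)")   # KEY=value pairs; a value may be empty (OUT=)

# Constructed sample lines (not real logs); br-lan / wan are assumed names.
SAMPLE_LOG = """\
Jan 10 12:00:01 router kernel: [  101.100000] BCP38 DROP: IN=br-lan OUT=wan MAC=02:00:00:00:00:01:02:00:00:00:00:aa:08:00 SRC=192.168.1.23 DST=10.0.0.5 LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT=445
Jan 10 12:00:02 router kernel: [  102.200000] BCP38 DROP: IN=br-lan OUT=wan MAC=02:00:00:00:00:01:02:00:00:00:00:aa:08:00 SRC=192.168.1.23 DST=172.16.3.4 LEN=60 TTL=63 PROTO=TCP SPT=40001 DPT=445
Jan 10 12:00:03 router kernel: [  103.300000] BCP38 DROP: IN=br-lan OUT=wan MAC=02:00:00:00:00:01:02:00:00:00:00:bb:08:00 SRC=192.168.1.40 DST=10.9.9.9 LEN=76 TTL=63 PROTO=UDP SPT=5353 DPT=53
Jan 10 12:00:04 router kernel: [  104.400000] BCP38 DROP: IN=wan OUT= MAC=02:00:00:00:00:02:02:00:00:00:00:cc:08:00 SRC=10.1.2.3 DST=192.168.1.23 LEN=40 TTL=50 PROTO=TCP SPT=80 DPT=40000
Jan 10 12:00:05 router dnsmasq-dhcp[1234]: DHCPACK(br-lan) 192.168.1.23 02:00:00:00:00:aa
"""

def parse_drop(line):
    """Return the KEY=value fields of a BCP38 drop line, or None for other lines."""
    _, sep, rest = line.partition(PREFIX)
    if not sep:
        return None
    fields = dict(FIELD.findall(rest))
    # MAC= holds destination MAC (6 octets), source MAC (6 octets), EtherType (2).
    octets = fields.get("MAC", "").split(":")
    fields["SRC_MAC"] = ":".join(octets[6:12]) if len(octets) >= 12 else None
    return fields

def drops_by_host(log_text, lan_iface="br-lan"):
    """Count drops per (source MAC, source IP) for packets that entered on the LAN."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_drop(line)
        if f and f.get("IN") == lan_iface:
            counts[(f["SRC_MAC"], f.get("SRC"))] += 1
    return counts

def hosts_over_threshold(log_text, threshold=2, lan_iface="br-lan"):
    """LAN hosts with at least `threshold` drops, most frequent first."""
    return [h for h, n in drops_by_host(log_text, lan_iface).most_common() if n >= threshold]

if __name__ == "__main__":
    for (mac, ip), n in drops_by_host(SAMPLE_LOG).most_common():
        print(f"{n} drops from {ip} ({mac})")
```

Keying on the source MAC as well as the source IP keeps a host identifiable when the source address in the dropped packet is itself forged.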