SUSE:SLE-12-SP1:Update
File 0003-logging-don-t-flood-log-with-dropped-IPv6-multicast-bnc-847193.patch of Package SuSEfirewall2.4633
From 6ca6b1b0912b1f44eafa0b3bc23f8b8283e8c46c Mon Sep 17 00:00:00 2001 From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Fri, 3 Mar 2017 16:35:30 +0100 Subject: [PATCH] logging: don't flood log with dropped IPv6 multicast packets (bnc#847193) turns out there was already some logic to not log broadcast and multicast by default, but it only covered IPv4. This commit merges handling for IPv4/IPv6 and multicast/broadcast packets regarding logging. --- SuSEfirewall2 | 18 ++++++++++-------- SuSEfirewall2.sysconfig | 8 ++++++-- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/SuSEfirewall2 b/SuSEfirewall2 index 7753c5b..d82875e 100755 --- a/SuSEfirewall2 +++ b/SuSEfirewall2 @@ -1410,7 +1410,7 @@ drop_broadcast() $IPTABLES $match -p udp --dport $port -j "$ACCEPT" done - if [ "$ignore" != yes ]; then + if [ "$ignore" != 'yes' ]; then for port in $ignore; do [ $port = no ] && continue $IPTABLES $match -p udp --dport $port -j "$DROP" 
@@ -2337,16 +2337,18 @@ drop_all() drop="$DROP" fi - # log and drop multicast packets separately to not flood - # other log targets (#155326, #538053) - $LDA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT " -m pkttype --pkt-type multicast - $IPTABLES -A $chain -j "$DROP" -m pkttype --pkt-type multicast - eval local ignore="\$FW_IGNORE_FW_BROADCAST_`cibiz $zone`" + + # log and drop broadcast/multicast packets separately, only if not + # ignored, to not flood other log targets (#155326, #538053, #847193) + if [ "$ignore" != 'yes' ]; then - $LDA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT " -m pkttype --pkt-type broadcast + $LDA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT " -m pkttype \! --pkt-type unicast + $LDA $IP6TABLES -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT " -m pkttype \! --pkt-type unicast fi - $IPTABLES -A $chain -j "$DROP" -m pkttype --pkt-type broadcast + $IPTABLES -A $chain -j "$DROP" -m pkttype \! --pkt-type unicast + $IP6TABLES -A $chain -j "$DROP" -m pkttype \! --pkt-type unicast + # some packet types are considered critical if [ -z "$LDC" ]; then local log=${LOG}"-`rulelog $chain`-DROP-DEFLT" diff --git a/SuSEfirewall2.sysconfig b/SuSEfirewall2.sysconfig index df874eb..8e8f565 100644 --- a/SuSEfirewall2.sysconfig +++ b/SuSEfirewall2.sysconfig @@ -647,7 +647,7 @@ FW_LOG_DROP_CRIT="" # # whether all dropped packets should be logged # -# Note: for broadcasts to be logged you also need to set +# Note: for broadcasts or multicasts to be logged you also need to set # FW_IGNORE_FW_BROADCAST_* to 'no' # # defaults to "no" if not set @@ -822,6 +822,8 @@ FW_ALLOW_FW_BROADCAST_DMZ="" # Suppress logging of dropped broadcast packets. Useful if you don't allow # broadcasts on a LAN interface. # +# This affects both broadcast and multicast packets for both IPv4 and IPv6 +# # This setting only affects packets that are not allowed according # to FW_ALLOW_FW_BROADCAST_* # 
@@ -834,17 +836,19 @@ FW_ALLOW_FW_BROADCAST_DMZ="" # - "no" log all dropped broadcast packets # # -# defaults to "no" if not set +# defaults to "yes" FW_IGNORE_FW_BROADCAST_EXT="" ## Type: string # # see comments for FW_IGNORE_FW_BROADCAST_EXT +# defaults to "no" FW_IGNORE_FW_BROADCAST_INT="" ## Type: string # # see comments for FW_IGNORE_FW_BROADCAST_EXT +# defaults to "no" FW_IGNORE_FW_BROADCAST_DMZ="" ## Type: list(yes,no,int,ext,dmz,) -- 2.10.2
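Review bot: the drop_broadcast() hunk (@@ -1410) only rewrites `yes` as `'yes'` in `if [ "$ignore" != yes ]; then`, which changes nothing at runtime, and the commit message does not mention this function; if it is meant as a consistency fix matching the new test in drop_all(), say so in the message, and while on that line consider quoting `$port` in the following context line `[ $port = no ] && continue` as well, so the test's arity cannot depend on the value.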
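Review bot: in the drop_all() hunk (@@ -2337) the line `eval local ignore="\$FW_IGNORE_FW_BROADCAST_`cibiz $zone`"` is deleted, yet the new `if [ "$ignore" != 'yes' ]; then` still tests `$ignore` and nothing visible in the hunk assigns it; unless that assignment was moved above the hunk's context, `ignore` is unset here, the condition is always true, and every dropped broadcast/multicast packet is logged, the opposite of what bnc#847193 asks for. Please point to where `ignore` is now set, and preferably keep the assignment next to its first use. Also, the two `$IP6TABLES` rules are added unconditionally, so confirm that `$IP6TABLES` is a no-op in configurations with IPv6 support disabled, otherwise the drop_all() chain setup fails on those hosts.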
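Review bot: the added note in the @@ -822 hunk says FW_IGNORE_FW_BROADCAST_* now covers multicast and IPv6 as well, but the value descriptions in the same block still read `"no" log all dropped broadcast packets`, and the sentence two lines below still refers only to FW_ALLOW_FW_BROADCAST_*; update those descriptions to say broadcast/multicast, and state whether FW_ALLOW_FW_BROADCAST_* also governs multicast, since otherwise the "only affects packets that are not allowed according to" sentence is no longer accurate for multicast traffic.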
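Review bot: the @@ -834 hunk changes the documented default of FW_IGNORE_FW_BROADCAST_EXT from `defaults to "no" if not set` to `defaults to "yes"` while INT and DMZ are documented as "no", but no hunk in SuSEfirewall2 in this patch touches default handling; either the code already defaulted EXT to "yes" and the old comment was wrong, or the comment now disagrees with the code. Please reference the code that applies the per-zone default, and since the @@ -647 hunk states that broadcasts or multicasts are only logged when this variable is "no", mention in the commit message that dropped broadcast/multicast packets on the external zone are not logged by default even with FW_LOG_DROP_ALL set.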