From: Jo-Philipp Wich
Date: Fri, 14 Oct 2022 15:56:27 +0000 (+0200)
Subject: ruleset.uc: log forwarded traffic not matched by zone policies
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=4fbf6d75a4a9e523d1848a28d8a3ea095e870195;p=project%2Ffirewall4.git

ruleset.uc: log forwarded traffic not matched by zone policies

When zone logging is enabled and the global forward policy set to drop or reject, then stage an extra logging rule to log traffic that will be dropped by subsequent rules or the global reject policy.

Ref: https://forum.openwrt.org/t/x/137182/4
Signed-off-by: Jo-Philipp Wich
---

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 2e33d5d..d6333f1 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -240,6 +240,9 @@ table inet fw4 {
 {% endif %}
 {% fw4.includes('chain-append', `forward_${zone.name}`) %}
 jump {{ zone.forward }}_to_{{ zone.name }}
+{% if (fw4.forward_policy() != "accept" && (zone.log & 1)): %}
+ log prefix "{{ fw4.forward_policy() }} {{ zone.name }} forward: "
+{% endif %}
 }

 {% if (zone.dflags.helper): %}
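Review bot: The added `log prefix` rule carries no rate limit, so with zone logging enabled and a drop or reject forward policy, every forwarded packet that reaches this point in the zone's forward chain writes a log entry. On a router with a small log buffer, sustained unmatched traffic can crowd out the entries an operator needs and cost CPU on each packet. I would put a limit in front of the log statement, for example `limit rate ZONE_LOG_LIMIT log prefix "{{ fw4.forward_policy() }} {{ zone.name }} forward: "`, where `ZONE_LOG_LIMIT` is a placeholder for the zone's configured `log_limit`. If the template already throttles its other zone log rules (not visible in this hunk), the same construct should be reused here so the behaviour stays consistent. The chain body begins above the hunk, so the rules that precede the jump could not be checked.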