fix(rpfilter): use log denied packet type #1451

Open
TorontoMedia wants to merge 2 commits into firewalld:main from TorontoMedia:gh1436

@TorontoMedia
Collaborator

Fixes: #1436

Comment thread src/tests/features/rpfilter.at Outdated
chain filter_PREROUTING {
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
meta nfproto ipv6 fib saddr . mark . iif oif missing meta pkttype multicast log prefix "rpfilter_DROP: " drop
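
Review bot: In the last rule of this hunk, `meta pkttype multicast` is part of the same rule as `log prefix "rpfilter_DROP: "` and `drop`, so the packet-type match gates the drop verdict as well as the logging; where this is the only rule carrying the `fib saddr . mark . iif oif missing` check, non-multicast packets that fail reverse-path filtering are no longer dropped. Keep the `drop` rule free of the `meta pkttype` match and put the match on a separate rule that ends in `log prefix "rpfilter_DROP: "`, ordered before the drop, and have the test expect both rules.
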
Collaborator

Won't this cause it to drop only for multicast packets? Whereas LogDenied is only about logging.

To support this, I think it would have to be two separate rules.

Collaborator Author

@TorontoMedia TorontoMedia Jun 16, 2025

Correct, I apologize! I’ve now separated the rule configurations for cases where log denied is not equal to 'all', and created distinct test cases to specifically validate each scenario.

Development

Successfully merging this pull request may close these issues.

LogDenied=unicast logs ipv6 multicast traffic