Project

General

Profile

Actions
Copy link

Bug #16068

closed

Logging of packets with IP options cannot be disabled

Added by Andrew Almond 3 months ago. Updated 4 days ago.

Status:
Needs Patch
Priority:
Normal
Assignee:
-
Category:
Logging
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

Logging of packets with options (IGMP) was added/fixed as mentioned in redmine 15400 , however that was closed without addressing the increased logs messages that occur as a side effect.

While this may be intentional, it is confusing because the default ruleset causes it, but disabling the options "Log packets matched from the default block rules in the ruleset" and "Log packets matched from the default pass rules put in the ruleset" does not stop the log messages.

This fix/new behavior can create a lot of noise in the logs and cause increased disk writes, as discussed in this thread

There is the document Troubleshooting Blocked Log Entries for Legitimate Connection Packets, but it is not intuitive or easy to locate when faced with this issue, especially because it is caused by the default behavior. This is a widespread issue, and having to manually add rules to stop IGMP packets from being logged is a workaround but not a solution.

I suggest adding a setting to not "Log packets with IP options" which either modifies the default ruleset or creates the necessary floating rules. This behavior should also be mentioned and linked on the Log Settings page.

Related issues

Related to Regression #15400: IGMP packets are logged when the filter rule has logging disabledNot a Bug

Actions
Related to Feature #16110: Automatically check ``Allow IP options`` when IGMP is selectedFeedbackMarcos M

Actions
Related to Feature #16215: Allow matching on IP Options with firewall match rulesFeedbackMarcos M

Actions
Actions
Copy link
 #1

Updated by Marcos M 3 months ago

  • Assignee set to Marcos M
Actions
Copy link
 #2

Updated by Marcos M 3 months ago

  • Status changed from New to Needs Patch
  • Assignee deleted (Marcos M)

Unfortunately there doesn't seem to be a way to match only on the packets with IP options, hence the only way to prevent these from being logged by default would be to allow IP options in the default allow rules. For now the behavior can be noted in the log settings (edit: done for 25.03). There is also #15415. This issue can be reconsidered if there's a change upstream.

Actions
Copy link
 #3

Updated by Marcos M 2 months ago

  • Related to Regression #15400: IGMP packets are logged when the filter rule has logging disabled added
Actions
Copy link
 #5

Updated by Marcos M 3 days ago

  • Related to Feature #16110: Automatically check ``Allow IP options`` when IGMP is selected added
Actions
Copy link
 #6

Updated by Marcos M 3 days ago

  • Related to Feature #16215: Allow matching on IP Options with firewall match rules added
Actions
Copy link

Also available in: Atom PDF