Feature #16068
Status: Open
Allow disabling logging of packets blocked due to unmatched IP options
100% done
Description
Logging of packets with options (IGMP) was added/fixed as mentioned in Redmine #15400; however, that was closed without addressing the increased log messages that occur as a side effect.
While this may be intentional, it is confusing because the default ruleset causes it, but disabling the options "Log packets matched from the default block rules in the ruleset" and "Log packets matched from the default pass rules put in the ruleset" does not stop the log messages.
This fix/new behavior can create a lot of noise in the logs and cause increased disk writes, as discussed in this thread
There is the document Troubleshooting Blocked Log Entries for Legitimate Connection Packets, but it is not intuitive or easy to locate when faced with this issue, especially because it is caused by the default behavior. This is a widespread issue, and having to manually add rules to stop IGMP packets from being logged is a workaround but not a solution.
I suggest adding a setting to not "Log packets with IP options" which either modifies the default ruleset or creates the necessary floating rules. This behavior should also be mentioned and linked on the Log Settings page.
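The log entries this report describes can be told apart from ordinary rule matches because filterlog records a reason field, which is "ip-option" for packets dropped due to IP options rather than "match". The following triage script is an added example, not code from the ticket or from pfSense: it assumes the documented leading CSV fields of filterlog lines (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, TOS, ECN, TTL, id, offset, flags, protocol number, protocol name, length, source, destination), and the sample lines are constructed, not real captures.

```python
# Added example (not from the ticket or pfSense): separate filterlog
# entries blocked for the "ip-option" reason (the IGMP noise described
# above, which the rule log settings do not control) from normal rule
# matches. Field layout is an assumption taken from the filterlog docs;
# only the first 20 fields are used, so TCP/UDP extras are ignored.
import csv
from collections import Counter
from io import StringIO

FIELDS = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
          "action", "dir", "ipver", "tos", "ecn", "ttl", "id", "offset",
          "flags", "proto", "protoname", "length", "src", "dst"]

# Constructed sample: three IGMP drops with reason ip-option and one
# genuine block of an inbound TCP SYN by a logged default-deny rule.
SAMPLE_LOG = """\
4,,,1000000103,igb0,ip-option,block,in,4,0xc0,,1,0,0,none,2,igmp,32,192.0.2.1,224.0.0.1
4,,,1000000103,igb0,ip-option,block,in,4,0xc0,,1,0,0,none,2,igmp,32,192.0.2.1,224.0.0.22
7,,,1000000105,igb0,match,block,in,4,0x0,,64,0,0,none,6,tcp,60,198.51.100.7,192.0.2.10,40000,22,0,S,,,,,
4,,,1000000103,igb0,ip-option,block,in,4,0xc0,,1,0,0,none,2,igmp,32,192.0.2.9,224.0.0.1
"""


def parse_filterlog(text):
    """Yield one dict per CSV line, keyed by the leading field names."""
    for row in csv.reader(StringIO(text)):
        if len(row) < len(FIELDS):
            continue  # truncated or malformed line: skip rather than guess
        yield dict(zip(FIELDS, row))


def summarize(text):
    """Count entries by (reason, action, protocol name)."""
    return Counter((e["reason"], e["action"], e["protoname"])
                   for e in parse_filterlog(text))


def ip_option_noise(text):
    """Entries dropped because of unmatched IP options. No per-rule 'log'
    setting silences these; they are the candidates for an allow-opts rule."""
    return [e for e in parse_filterlog(text) if e["reason"] == "ip-option"]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  reason={key[0]} action={key[1]} proto={key[2]}")
    print(len(ip_option_noise(SAMPLE_LOG)), "entries are IP-option noise")
```

On a real system the same functions can be fed the CSV part of /var/log/filter.log lines (everything after the `filterlog[pid]:` prefix) to measure how much of the block log is this noise before deciding on the workaround.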
Updated by Marcos M 6 months ago
- Status changed from New to Needs Patch
- Assignee deleted (Marcos M)
Unfortunately there doesn't seem to be a way to match only on the packets with IP options, hence the only way to prevent these from being logged by default would be to allow IP options in the default allow rules. For now the behavior can be noted in the log settings (edit: done for 25.03). There is also #15415. This issue can be reconsidered if there's a change upstream.
Updated by Marcos M 6 months ago
- Related to Regression #15400: IGMP packets are logged when the filter rule has logging disabled added
Updated by Marcos M 4 months ago
- Related to Feature #16110: Automatically check ``Allow IP options`` when IGMP is selected added
Updated by Marcos M 4 months ago
- Related to Feature #16215: Allow matching on IP Options with firewall match rules added
Updated by Marcos M about 2 months ago
- Tracker changed from Bug to Feature
- Subject changed from Logging of packets with IP options cannot be disabled to Allow disabling logging of packets blocked due to unmatched IP options
- Status changed from Needs Patch to In Progress
- Assignee set to Marcos M
- Target version set to 2.9.0
- Plus Target Version set to 25.11
This is now possible with an update to filterlog:
https://github.com/pfsense/FreeBSD-ports/commit/5e5a1253371c559dd322516e7f84f50403baab19
Marking this as a feature since this is a request to change the intended default behavior.
Updated by Marcos M about 2 months ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Implemented with 89cbbbb635e742a845e344bd54613689227b684d.
Updated by Andrew Almond about 2 months ago
Marcos M, thanks for implementing this!