git.ipfire.org Git - people/mfischer/ipfire-2.x.git/commit - langs/de/cgi-bin/de.pl
firewall: Make logging of conntrack INVALIDs configurable
author    Peter Müller <peter.mueller@ipfire.org>
          Fri, 18 Feb 2022 22:40:55 +0000 (22:40 +0000)
committer Arne Fitzenreiter <arne_f@ipfire.org>
          Sat, 19 Feb 2022 15:37:16 +0000 (15:37 +0000)
commit    926d840faeafe9528532f42aa12a0922188c1959
tree      1ca5153bc0ee3581b1fffb6fba2ee6b21c3e3e08
parent    5c1af49c835921232a0312819025fb08dddae4b3
firewall: Make logging of conntrack INVALIDs configurable

In theory, logging of dropped packets classified by conntrack as being
INVALID should never be disabled, since one wants to have a paper trail
of what his/her firewall is doing.

However, conntrack seems to drop a lot of (at first glance
legitimate) packets, hence bloating the logs, making spotting the
important firewall hits more difficult.

This patch therefore adds the option to disable logging of packets being
dropped by conntrack due to INVALID state.

Please note:
- This patch does not add this category to the firewall hits graph.
- The variables in this patch ("LOGDROPCTINVALID") should make it clear
  that it is about toggling _logging_, not the actual _dropping_. Other
  variables are still in need of being renamed to clarify this, which
  will be done in a dedicated patch.
- Also, the changes made to update.sh need to take place in
  config/rootfiles/core/164/update.sh for "master", since this patch has
  been developed against "next". Kindly cherry-pick the necessary
  changes.

Partially fixes: #12778

Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
config/rootfiles/core/164/update.sh
html/cgi-bin/optionsfw.cgi
langs/de/cgi-bin/de.pl
langs/en/cgi-bin/en.pl
lfs/configroot
src/initscripts/system/firewall
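The commit itself is only summarised above, so the following is an added illustration, not code from the IPFire firewall init script or from this patch. It shows the shape of what a "log-before-drop" toggle for conntrack INVALID packets looks like in plain POSIX shell: a settings file in the simple KEY=value form is parsed, the setting falls back to "on" when absent (an assumption made here; the actual default lives in lfs/configroot), and the resulting iptables rules are printed rather than applied so the effect of the toggle can be inspected offline. The function names, the chain name CONNTRACK, the log prefix and the sample settings text are all hypothetical; only the setting name LOGDROPCTINVALID is taken from the commit message.

```shell
#!/bin/sh
# Added example, not IPFire's own firewall script. Demonstrates how one
# setting toggles the LOG rule in front of the DROP rule for packets that
# conntrack classifies as INVALID. Rules are printed, never executed.

# Constructed sample of a KEY=value settings file (hypothetical content).
SAMPLE_SETTINGS='DROPINPUT=on
DROPFORWARD=on
LOGDROPCTINVALID=off'

# parse_setting KEY CONTENT: print the value of KEY from CONTENT, last
# occurrence wins, empty output if the key is not present.
parse_setting() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tail -n 1
}

# effective_setting CONTENT: value of LOGDROPCTINVALID with a fallback to
# "on" (assumption: logging stays enabled unless explicitly switched off).
effective_setting() {
    value="$(parse_setting LOGDROPCTINVALID "$1")"
    [ -n "$value" ] && printf '%s\n' "$value" || printf 'on\n'
}

# ctinvalid_rules SETTING [CHAIN]: emit the rules for INVALID packets.
# With SETTING=on a LOG rule precedes the DROP; with anything else only
# the DROP is emitted, so the packets are still dropped, just silently.
ctinvalid_rules() {
    setting="$1"
    chain="${2:-CONNTRACK}"
    if [ "$setting" = "on" ]; then
        printf 'iptables -A %s -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP_CTINVALID "\n' "$chain"
    fi
    printf 'iptables -A %s -m conntrack --ctstate INVALID -j DROP\n' "$chain"
}

# ctinvalid_rule_count SETTING: number of rules that would be written.
ctinvalid_rule_count() {
    ctinvalid_rules "$1" | grep -c .
}

# ctinvalid_logs SETTING: succeed if a LOG rule is still present.
ctinvalid_logs() {
    ctinvalid_rules "$1" | grep -q -- '-j LOG'
}

# Stand-alone run: show the rules for the sample settings and for the default.
echo "# LOGDROPCTINVALID from sample settings: $(effective_setting "$SAMPLE_SETTINGS")"
ctinvalid_rules "$(effective_setting "$SAMPLE_SETTINGS")"
echo "# LOGDROPCTINVALID absent (defaults to on):"
ctinvalid_rules "$(effective_setting 'DROPINPUT=on')"
```

The point to check when reviewing a change like this is the one the commit message itself stresses: the toggle must only remove the LOG rule and never the DROP rule, which is why `ctinvalid_rules` emits the DROP unconditionally and only the LOG line is guarded.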