
LogDenied=unicast logs ipv6 multicast traffic

Open SDedik opened this issue 1 year ago • 0 comments

What happened

I have the LogDenied option set to 'unicast':

cat /etc/firewalld/firewalld.conf | grep LogDenied=
LogDenied=unicast

However, in /var/log/kern I see tons of entries related to IPv6 multicast:

Dec 20 11:01:41 <redacted> kernel: rpfilter_DROP: IN=eth0 OUT= MAC=33:33:00:00:00:02:34:40:b5:ab:f2:b8:86:dd SRC=fe80:0000:0000:0000:3640:b5ff:feab:f2b8 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=148171 PROTO=ICMPv6 TYPE=133 CODE=0
Dec 20 11:01:55 <redacted> kernel: rpfilter_DROP: IN=eth0 OUT= MAC=33:33:00:00:00:fb:6c:b3:11:13:d2:d0:86:dd SRC=fe80:0000:0000:0000:bbb1:96ae:416a:d4b2 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=85 TC=0 HOPLIMIT=1 FLOWLBL=223537 PROTO=UDP SPT=5353 DPT=5353 LEN=45
Dec 20 11:01:55 <redacted> kernel: rpfilter_DROP: IN=eth0 OUT= MAC=33:33:00:00:00:fb:6c:b3:11:13:d2:d0:86:dd SRC=fe80:0000:0000:0000:bbb1:96ae:416a:d4b2 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=85 TC=0 HOPLIMIT=1 FLOWLBL=223537 PROTO=UDP SPT=5353 DPT=5353 LEN=45
Dec 20 11:02:28 <redacted> kernel: rpfilter_DROP: IN=eth0 OUT= MAC=33:33:00:00:00:16:00:50:56:6a:a2:0e:86:dd SRC=fe80:0000:0000:0000:0250:56ff:fe6a:a20e DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Dec 20 11:02:28 <redacted> kernel: rpfilter_DROP: IN=eth0 OUT= MAC=33:33:00:00:00:16:00:50:56:6a:a2:0e:86:dd SRC=fe80:0000:0000:0000:0250:56ff:fe6a:a20e DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0

All these seem to be coming from firewalld/nft (notice the log prefix "rpfilter_DROP: " part):

nft list ruleset | grep "chain filter_PREROUTING" -A 4
        chain filter_PREROUTING {
                type filter hook prerouting priority filter + 10; policy accept;
                icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
                meta nfproto ipv6 fib saddr . mark . iif oif missing log prefix "rpfilter_DROP: " drop
        }

What you expected to happen

I expect that when the LogDenied option is set to unicast, it behaves according to the documentation and doesn't log multicast traffic.

How to reproduce it (as minimally and precisely as possible)

Place a host in a network with IPv6 traffic. Make sure the host has IPv6 enabled (which is usually the case by default nowadays). Set LogDenied=unicast in /etc/firewalld/firewalld.conf. Do not forget to enable rsyslog to output kernel messages to a log file:

cat /etc/rsyslog.conf | grep /var/log/kern
kern.*                                                  /var/log/kern

Observe logged entries in /var/log/kern

Anything else we need to know?

That is probably it. Feel free to ask any questions though :)

Firewalld Version

1.3.4

Firewalld Backend

nftables

Linux distribution

Rocky Linux 9.5 (Blue Onyx)

Linux kernel version

5.14.0-503.16.1.el9_5.x86_64

Other information

No response

SDedik, Dec 20 '24 08:12
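A small triage helper for this kind of log, added here as an example and not part of the report or of firewalld itself: it parses netfilter LOG lines carrying the rpfilter_DROP prefix and splits them into unicast and multicast destinations (IPv6 ff00::/8, IPv4 224.0.0.0/4, or a multicast destination MAC), so one can measure how much of the logged traffic LogDenied=unicast should have suppressed. The first two sample lines are taken from the report above; the remaining ones are constructed, and the hostname is a placeholder.

```python
import ipaddress

# Log prefix used by firewalld's rpfilter rule (see the nft rule quoted in the report).
RPFILTER_PREFIX = "rpfilter_DROP: "
# Destination MAC prefixes of IPv6 and IPv4 multicast frames (the dst MAC comes first in MAC=).
MCAST_MAC_PREFIXES = ("33:33:", "01:00:5e:")

# Sample input: the first two lines are from the report, the rest are constructed for this example.
SAMPLE_LINES = [
    "Dec 20 11:01:41 host kernel: rpfilter_DROP: IN=eth0 OUT= MAC=33:33:00:00:00:02:34:40:b5:ab:f2:b8:86:dd SRC=fe80:0000:0000:0000:3640:b5ff:feab:f2b8 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=148171 PROTO=ICMPv6 TYPE=133 CODE=0",
    "Dec 20 11:01:55 host kernel: rpfilter_DROP: IN=eth0 OUT= MAC=33:33:00:00:00:fb:6c:b3:11:13:d2:d0:86:dd SRC=fe80:0000:0000:0000:bbb1:96ae:416a:d4b2 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=85 TC=0 HOPLIMIT=1 FLOWLBL=223537 PROTO=UDP SPT=5353 DPT=5353 LEN=45",
    # constructed: IPv4 mDNS to 224.0.0.251 (the bare DF flag has no '=' and is skipped)
    "Dec 20 11:03:05 host kernel: rpfilter_DROP: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:50:56:6a:a2:0e:08:00 SRC=192.0.2.7 DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=53",
    # constructed: a genuine unicast drop, the only kind LogDenied=unicast should report
    "Dec 20 11:03:09 host kernel: rpfilter_DROP: IN=eth0 OUT= MAC=00:50:56:6a:a2:0e:34:40:b5:ab:f2:b8:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0002 DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=60 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22",
    # constructed: unrelated kernel message, must be ignored
    "Dec 20 11:03:10 host kernel: usb 1-1: new high-speed USB device number 3",
]

def parse_kernel_line(line):
    """Return the KEY=VALUE fields of an rpfilter_DROP line, or None for any other line."""
    idx = line.find(RPFILTER_PREFIX)
    if idx < 0:
        return None
    fields = {}
    for token in line[idx + len(RPFILTER_PREFIX):].split():
        key, sep, value = token.partition("=")
        if sep and key not in fields:  # keep the first LEN= (IP header), not the later UDP LEN=
            fields[key] = value
    return fields

def is_multicast(fields):
    """True if the packet was addressed to a multicast group (by L3 address, else by dst MAC)."""
    try:
        if ipaddress.ip_address(fields.get("DST", "")).is_multicast:
            return True
    except ValueError:
        pass  # missing or malformed DST: fall back to the frame's destination MAC
    return fields.get("MAC", "").startswith(MCAST_MAC_PREFIXES)

def classify(lines):
    """Count rpfilter_DROP entries by unicast vs multicast destination."""
    counts = {"unicast": 0, "multicast": 0}
    for line in lines:
        fields = parse_kernel_line(line)
        if fields is not None:
            counts["multicast" if is_multicast(fields) else "unicast"] += 1
    return counts
```

Running classify over /var/log/kern on an affected host gives a quick count of how many rpfilter_DROP entries are multicast noise versus unicast drops worth investigating.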