improve firewall log format

Daniel Barlow 2024-02-08 17:21:26 +00:00
parent a9ea01428e
commit 87f6a31a06


@ -97,7 +97,7 @@ in {
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related") (accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
(accept "iifname \"int\" oifname \"ppp0\" ") (accept "iifname \"int\" oifname \"ppp0\" ")
"log prefix \"denied forward-ip6 \"" "log prefix \"DENIED CHAIN=forward-ip6 \""
]; ];
}; };
@ -136,7 +136,7 @@ in {
# how does this even make sense in an input chain? # how does this even make sense in an input chain?
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related") (accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
(accept "iifname \"int\" oifname \"ppp0\" ") (accept "iifname \"int\" oifname \"ppp0\" ")
"log prefix \"denied input-ip6 \"" "log prefix \"DENIED CHAIN=input-ip6 \""
]; ];
}; };
@ -174,6 +174,11 @@ in {
]; ];
}; };
# these chains are for rules that have to be present for things to
# basically work at all: for example, the router won't issue DHCP
# unless it's allowed to receive DHCP requests. For "site policy"
# rules you may prefer to use incoming-allowed-ip[46] instead
input-ip4-lan = { input-ip4-lan = {
type = "filter"; type = "filter";
family = "ip"; family = "ip";
@ -203,6 +208,7 @@ in {
"iifname ppp0 jump input-ip4-wan" "iifname ppp0 jump input-ip4-wan"
"oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4" "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"
"ct state vmap established,related accept" "ct state vmap established,related accept"
"log prefix \"DENIED CHAIN=input-ip4 \""
]; ];
}; };
@ -215,7 +221,7 @@ in {
"iifname \"int\" accept" "iifname \"int\" accept"
"ct state vmap { established : accept, related : accept, invalid : drop }" "ct state vmap { established : accept, related : accept, invalid : drop }"
"oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4" "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"
"log prefix \"denied forward-ip4 \"" "log prefix \"DENIED CHAIN=forward-ip4 \""
]; ];
}; };
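Review bot: The added `"log prefix \"DENIED CHAIN=input-ip4 \""` rule in input-ip4 has no rate limit, and from the visible rules traffic arriving on ppp0 appears to fall through to it after returning from input-ip4-wan, so every unsolicited packet from the WAN side would produce a kernel log line. On a small router that can crowd out other log entries and cost CPU, so consider `"limit rate 5/second log prefix \"DENIED CHAIN=input-ip4 \""` (the rate is an example value), and the same for the forward-ip4, forward-ip6 and input-ip6 log rules touched here. The chain definitions start and end outside these hunks and their policies are not visible, so the DENIED label is only accurate if each chain's policy is drop. A one-line comment beside each log rule, such as `# reached only by packets the chain policy will drop`, would make that dependency explicit.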