From fdbf6ea047c3a6e2ffdee06c1842023d41cfcd0a Mon Sep 17 00:00:00 2001
From: Stepan Henek <stepan.henek@nic.cz>
Date: Tue, 12 Apr 2016 13:29:29 +0200
Subject: [PATCH] make sure that WAN device is used to log incoming packets

---
 firewall-turris-apply.sh | 41 ++++++++++++++-------
 tests/files/script/ip6tables.out | 60 +++++++++++++++----------------
 tests/files/script/iptables.out | 62 ++++++++++++++++----------------
 3 files changed, 89 insertions(+), 74 deletions(-)

diff --git a/firewall-turris-apply.sh b/firewall-turris-apply.sh
index 5336154..47fd282 100755
--- a/firewall-turris-apply.sh
+++ b/firewall-turris-apply.sh
@@ -392,15 +392,30 @@ ulogd_restart() {
 merge_turris_chain() {
 local source_chain="$1"
 local target_chain="$2"
+ local direction_opt="$3"
+
+ local base_text="${source_chain}"
+ local base_text6="${source_chain}"
+
+ if [ "${direction_opt}" == "-o" ]; then
+ base_text="${base_text} -o ${WAN}"
+ base_text6="${base_text6} -o ${WAN6}"
+ elif [ "${direction_opt}" == "-i" ]; then
+ base_text="${base_text} -i ${WAN}"
+ base_text6="${base_text6} -i ${WAN6}"
+ fi
+
+ base_text="${base_text} -j ${target_chain}"
+ base_text6="${base_text6} -j ${target_chain}"
 
 #ipv4
- if ! iptables -C "${source_chain}" -j "${target_chain}" 2>/dev/null ; then
- iptables -I "${source_chain}" -j "${target_chain}"
+ if ! iptables -C ${base_text} 2>/dev/null ; then
+ iptables -I ${base_text}
 fi
 
 #ipv6
- if ! ip6tables -C "${source_chain}" -j "${target_chain}" 2>/dev/null ; then
- ip6tables -I "${source_chain}" -j "${target_chain}"
+ if ! ip6tables -C ${base_text6} 2>/dev/null ; then
+ ip6tables -I ${base_text6}
 fi
 }
 
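Review bot: The new `-C`/`-I` calls in merge_turris_chain produce a malformed command whenever `WAN` or `WAN6` is empty (no WAN configured for that family): `${base_text}` then expands to `reject -i -j turris-log-incoming`, the `-C` error is hidden by `2>/dev/null`, the `-I` fails too, and the jump into the logging chain is never installed, with only an iptables usage error on stderr as a trace. Passing the rule as one string and relying on unquoted word-splitting also loses the argument boundaries the previous version kept with `"${source_chain}"`; building argv with `set --` keeps each argument intact and is POSIX, as is `=` instead of the `==` used inside `[ ]` here. The rewrite below validates `direction_opt`, warns and skips the restricted jump when the interface name is empty instead of issuing a broken rule, and keeps the call signature. Note also that `-C` with `-i ${WAN}` will not match a jump installed by an earlier version without `-i`, so on upgrade the old unrestricted `-A drop -j turris-log-incoming` presumably stays in place next to the new one — verify that something elsewhere flushes those chains first.
```sh
# Insert "<source_chain> [direction_opt <iface>] -j <target_chain>" once for one
# xtables binary; argv is built with set -- so no string word-splitting is needed.
# Warns and does nothing when a direction is requested but the interface is empty.
_merge_turris_chain_one() {
    local ipt="$1"
    local source_chain="$2"
    local target_chain="$3"
    local direction_opt="$4"
    local iface="$5"

    set -- "${source_chain}"
    if [ -n "${direction_opt}" ]; then
        if [ -z "${iface}" ]; then
            echo "${ipt}: no interface for '${direction_opt}', not linking ${source_chain} to ${target_chain}" >&2
            return 0
        fi
        set -- "$@" "${direction_opt}" "${iface}"
    fi
    set -- "$@" -j "${target_chain}"
    if ! "${ipt}" -C "$@" 2>/dev/null ; then
        "${ipt}" -I "$@"
    fi
}

merge_turris_chain() {
    local source_chain="$1"
    local target_chain="$2"
    local direction_opt="$3"

    case "${direction_opt}" in
        -i|-o|"") ;;
        *) echo "merge_turris_chain: unsupported direction '${direction_opt}'" >&2; return 1 ;;
    esac

    #ipv4
    _merge_turris_chain_one iptables "${source_chain}" "${target_chain}" "${direction_opt}" "${WAN:-}"
    #ipv6
    _merge_turris_chain_one ip6tables "${source_chain}" "${target_chain}" "${direction_opt}" "${WAN6:-}"
}
```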
@@ -409,8 +424,8 @@ merge_turris_chains() {
 merge_turris_chain "forwarding_rule" "turris-nflog"
 merge_turris_chain "input_rule" "turris-nflog"
 merge_turris_chain "output_rule" "turris-nflog"
- merge_turris_chain "reject" "turris-log-incoming"
- merge_turris_chain "drop" "turris-log-incoming"
+ merge_turris_chain "reject" "turris-log-incoming" -i
+ merge_turris_chain "drop" "turris-log-incoming" -i
 }
 
 load_ipsets_to_iptables() {
@@ -570,7 +585,7 @@ load_ipsets_to_iptables() {
 eval nflog_rules_${ip_type}=\"$(eval echo '$'nflog_rules_${ip_type})"-A ${nflog_chain_local} -i ${wan_local} -m set --match-set ${ipset_name_x} ${match_src} -m comment --comment turris-nflog -j NFLOG --nflog-group $((1000 + $nflog_idx))\n"\"
 fi
 if [ "$nflog_dropped_local" = "yes" ]; then
- eval nflog_log_drop_${ip_type}=\"$(eval echo '$'nflog_log_drop_${ip_type})"-A turris-log-incoming -i ${wan_local} -m set --match-set ${ipset_name_x} ${match_src} -m comment --comment turris-nflog -j NFLOG --nflog-group $((1000 + $nflog_idx))\n"\"
+ eval nflog_log_drop_${ip_type}=\"$(eval echo '$'nflog_log_drop_${ip_type})"-A turris-log-incoming -m set --match-set ${ipset_name_x} ${match_src} -m comment --comment turris-nflog -j NFLOG --nflog-group $((1000 + $nflog_idx))\n"\"
 fi
 fi
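Review bot: Dropping `-i ${wan_local}` from the rules appended to turris-log-incoming (here at +585 and likewise in the hunks at +597, +628 and +638) makes the chain's WAN-only meaning depend entirely on the `-i` carried by the jumps from `reject` and `drop`; any later jump into turris-log-incoming from another chain would LOG and NFLOG non-WAN traffic with no rule in the chain objecting. That coupling is not recorded anywhere in load_ipsets_to_iptables, so a comment at the first such rule would help, e.g. `# turris-log-incoming rules carry no -i: the WAN filter lives on the reject/drop jumps installed by merge_turris_chain`. load_ipsets_to_iptables starts and ends outside this hunk.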
@@ -582,14 +597,14 @@ load_ipsets_to_iptables() {
 "l")
 eval log_rules_${ip_type}=\""$(eval echo '$'log_rules_${ip_type})"-A turris -o ${wan_local} -m limit --limit 1/sec -m set --match-set ${ipset_name_x} ${match} -j LOG --log-prefix \'turris-${rule_id}: \' --log-level debug\\n\"
 eval log_rules_${ip_type}=\""$(eval echo '$'log_rules_${ip_type})"-A turris -i ${wan_local} -m limit --limit 1/sec -m set --match-set ${ipset_name_x} ${match_src} -j LOG --log-prefix \'turris-${rule_id}: \' --log-level debug\\n\"
- eval reject_rules_${ip_type}=\""$(eval echo '$'reject_rules_${ip_type})"-A turris-log-incoming -i ${wan_local} -m limit --limit 1/sec -m set --match-set ${ipset_name_x} ${match_src} -j LOG --log-prefix \'turris-${rule_id}: \' --log-level debug\\n\"
- eval return_rules_${ip_type}=\"$(eval echo '$'return_rules_${ip_type})"-A turris-log-incoming -i ${wan_local} -m set --match-set ${ipset_name_x} ${match_src} -j RETURN\n"\"
+ eval reject_rules_${ip_type}=\""$(eval echo '$'reject_rules_${ip_type})"-A turris-log-incoming -m limit --limit 1/sec -m set --match-set ${ipset_name_x} ${match_src} -j LOG --log-prefix \'turris-${rule_id}: \' --log-level debug\\n\"
+ eval return_rules_${ip_type}=\"$(eval echo '$'return_rules_${ip_type})"-A turris-log-incoming -m set --match-set ${ipset_name_x} ${match_src} -j RETURN\n"\"
 ;;
 "lb")
 eval log_rules_${ip_type}=\""$(eval echo '$'log_rules_${ip_type})"-A turris -o ${wan_local} -m limit --limit 1/sec -m set --match-set ${ipset_name_x} ${match} -j LOG --log-prefix \'turris-${rule_id}: \' --log-level debug\\n\"
 eval log_rules_${ip_type}=\""$(eval echo '$'log_rules_${ip_type})"-A turris -i ${wan_local} -m limit --limit 1/sec -m set --match-set ${ipset_name_x} ${match_src} -j LOG --log-prefix \'turris-${rule_id}: \' --log-level debug\\n\"
- eval reject_rules_${ip_type}=\""$(eval echo '$'reject_rules_${ip_type})"-A turris-log-incoming -i ${wan_local} -m limit --limit 1/sec -m set --match-set ${ipset_name_x} ${match_src} -j LOG --log-prefix 
\'turris-${rule_id}: \' --log-level debug\\n\"
- eval return_rules_${ip_type}=\"$(eval echo '$'return_rules_${ip_type})"-A turris-log-incoming -i ${wan_local} -m set --match-set ${ipset_name_x} ${match_src} -j RETURN\n"\"
+ eval reject_rules_${ip_type}=\""$(eval echo '$'reject_rules_${ip_type})"-A turris-log-incoming -m limit --limit 1/sec -m set --match-set ${ipset_name_x} ${match_src} -j LOG --log-prefix \'turris-${rule_id}: \' --log-level debug\\n\"
+ eval return_rules_${ip_type}=\"$(eval echo '$'return_rules_${ip_type})"-A turris-log-incoming -m set --match-set ${ipset_name_x} ${match_src} -j RETURN\n"\"
 eval drop_rules_${ip_type}=\"$(eval echo '$'drop_rules_${ip_type})"-A turris -o ${wan_local} -m set --match-set ${ipset_name_x} ${match} -j DROP\n"\"
 eval drop_rules_${ip_type}=\"$(eval echo '$'drop_rules_${ip_type})"-A turris -i ${wan_local} -m set --match-set ${ipset_name_x} ${match_src} -j DROP\n"\"
 ;;
@@ -613,7 +628,7 @@ load_ipsets_to_iptables() {
 echo -e "${return_rules_4}" | tr \' \" >> "${TMP_FILE}"
 echo -e "-A turris-log-incoming -m limit --limit 1/sec --limit-burst 500 -j LOG --log-prefix \"turris-00000000: \" --log-level 7" >> "${TMP_FILE}"
 if [ $global_pcap_enabled = "yes" -a $global_nflog_other_dropped = "yes" ]; then
- echo -e "-A turris-log-incoming -i ${WAN} -m comment --comment turris-nflog -j NFLOG --nflog-group 999" >> "${TMP_FILE}"
+ echo -e "-A turris-log-incoming -m comment --comment turris-nflog -j NFLOG --nflog-group 999" >> "${TMP_FILE}"
 fi
 echo -e "${drop_rules_4}" >> "${TMP_FILE}"
@@ -623,7 +638,7 @@ load_ipsets_to_iptables() {
 echo -e "${return_rules_6}" | tr \' \" >> "${TMP_FILE6}"
 echo -e "-A turris-log-incoming -m limit --limit 1/sec --limit-burst 500 -j LOG --log-prefix \"turris-00000000: \" --log-level 7" >> "${TMP_FILE6}"
 if [ $global_pcap_enabled = "yes" -a $global_nflog_other_dropped = "yes" ]; then
- echo -e "-A turris-log-incoming -i ${WAN6} -m comment --comment turris-nflog -j NFLOG --nflog-group 999" >> "${TMP_FILE6}"
+ echo -e "-A turris-log-incoming -m comment --comment turris-nflog -j NFLOG --nflog-group 999" >> "${TMP_FILE6}"
 fi
 echo -e "" >> "${TMP_FILE6}"
 echo -e "${drop_rules_6}" >> "${TMP_FILE6}"
diff --git a/tests/files/script/ip6tables.out b/tests/files/script/ip6tables.out
index 6c2c0d5..fe1f76a 100644
--- a/tests/files/script/ip6tables.out
+++ b/tests/files/script/ip6tables.out
@@ -2,11 +2,11 @@
 :turris-log-incoming - [0:0]
 :turris-nflog - [0:0]
 -A accept -j turris
--A drop -j turris-log-incoming
+-A drop -i eth1 -j turris-log-incoming
 -A forwarding_rule -j turris-nflog
 -A input_rule -j turris-nflog
 -A output_rule -j turris-nflog
--A reject -j turris-log-incoming
+-A reject -i eth1 -j turris-log-incoming
 -A turris -o eth1 -m set --match-set turris_00000001_l_a_6_X dst -m comment --comment turris-nflog -j NFLOG --nflog-group 1001
 -A turris -o eth1 -m set --match-set turris_00000001_l_ap_6_X dst,dst -m comment --comment turris-nflog -j NFLOG --nflog-group 1003
 -A turris -o eth1 -m set --match-set turris_00000001_lb_a_6_X dst -m comment --comment turris-nflog -j NFLOG --nflog-group 1005
@@ -55,32 +55,32 @@
 -A turris -i eth1 -m set --match-set turris_10000001_lb_a_6_X src -j DROP
 -A turris -o eth1 -m set --match-set turris_10000001_lb_ap_6_X dst,dst -j DROP
 -A turris -i eth1 -m set --match-set turris_10000001_lb_ap_6_X src,src -j DROP
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_00000001_l_a_6_X src -j LOG --log-prefix "turris-00000001: " --log-level 7
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_00000001_l_ap_6_X src,src -j LOG --log-prefix "turris-00000001: " --log-level 7
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_00000001_lb_a_6_X src -j LOG --log-prefix "turris-00000001: " --log-level 7
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_00000001_lb_ap_6_X src,src -j LOG --log-prefix "turris-00000001: " --log-level 7
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_00000005_lb_a_6_X src -j LOG --log-prefix "turris-00000005: " --log-level 7
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_00000007_l_a_6_X src -j LOG --log-prefix "turris-00000007: " --log-level 7
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_00000009_l_a_6_X src -j LOG --log-prefix "turris-00000009: " --log-level 7
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_0000000B_l_a_6_X src -j LOG --log-prefix "turris-0000000B: " --log-level 7
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_0000000D_l_a_6_X src -j LOG --log-prefix "turris-0000000D: " --log-level 7
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_0000000F_l_a_6_X src -j LOG --log-prefix "turris-0000000F: " --log-level 7
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_10000001_l_a_6_X src -j LOG --log-prefix "turris-10000001: " --log-level 7
--A 
turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_10000001_lb_a_6_X src -j LOG --log-prefix "turris-10000001: " --log-level 7
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_10000001_l_ap_6_X src,src -j LOG --log-prefix "turris-10000001: " --log-level 7
--A turris-log-incoming -i eth1 -m limit --limit 1/sec -m set --match-set turris_10000001_lb_ap_6_X src,src -j LOG --log-prefix "turris-10000001: " --log-level 7
--A turris-log-incoming -i eth1 -m set --match-set turris_00000001_l_a_6_X src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_00000001_l_ap_6_X src,src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_00000001_lb_a_6_X src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_00000001_lb_ap_6_X src,src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_00000005_lb_a_6_X src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_00000007_l_a_6_X src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_00000009_l_a_6_X src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_0000000B_l_a_6_X src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_0000000D_l_a_6_X src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_0000000F_l_a_6_X src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_10000001_l_a_6_X src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_10000001_lb_a_6_X src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_10000001_l_ap_6_X src,src -j RETURN
--A turris-log-incoming -i eth1 -m set --match-set turris_10000001_lb_ap_6_X src,src -j RETURN
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000001_l_a_6_X src -j LOG --log-prefix "turris-00000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000001_l_ap_6_X src,src -j 
LOG --log-prefix "turris-00000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000001_lb_a_6_X src -j LOG --log-prefix "turris-00000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000001_lb_ap_6_X src,src -j LOG --log-prefix "turris-00000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000005_lb_a_6_X src -j LOG --log-prefix "turris-00000005: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000007_l_a_6_X src -j LOG --log-prefix "turris-00000007: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000009_l_a_6_X src -j LOG --log-prefix "turris-00000009: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_0000000B_l_a_6_X src -j LOG --log-prefix "turris-0000000B: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_0000000D_l_a_6_X src -j LOG --log-prefix "turris-0000000D: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_0000000F_l_a_6_X src -j LOG --log-prefix "turris-0000000F: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_10000001_l_a_6_X src -j LOG --log-prefix "turris-10000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_10000001_lb_a_6_X src -j LOG --log-prefix "turris-10000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_10000001_l_ap_6_X src,src -j LOG --log-prefix "turris-10000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_10000001_lb_ap_6_X src,src -j LOG --log-prefix "turris-10000001: " --log-level 7
+-A turris-log-incoming -m set --match-set turris_00000001_l_a_6_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_00000001_l_ap_6_X 
src,src -j RETURN
+-A turris-log-incoming -m set --match-set turris_00000001_lb_a_6_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_00000001_lb_ap_6_X src,src -j RETURN
+-A turris-log-incoming -m set --match-set turris_00000005_lb_a_6_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_00000007_l_a_6_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_00000009_l_a_6_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_0000000B_l_a_6_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_0000000D_l_a_6_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_0000000F_l_a_6_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_10000001_l_a_6_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_10000001_lb_a_6_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_10000001_l_ap_6_X src,src -j RETURN
+-A turris-log-incoming -m set --match-set turris_10000001_lb_ap_6_X src,src -j RETURN
 -A turris-log-incoming -m limit --limit 1/sec --limit-burst 500 -j LOG --log-prefix "turris-00000000: " --log-level 7
diff --git a/tests/files/script/iptables.out b/tests/files/script/iptables.out
index d38af6e..e50330e 100644
--- a/tests/files/script/iptables.out
+++ b/tests/files/script/iptables.out
@@ -2,11 +2,11 @@
 :turris-log-incoming - [0:0]
 :turris-nflog - [0:0]
 -A accept -j turris
--A drop -j turris-log-incoming
+-A drop -i eth0 -j turris-log-incoming
 -A forwarding_rule -j turris-nflog
 -A input_rule -j turris-nflog
 -A output_rule -j turris-nflog
--A reject -j turris-log-incoming
+-A reject -i eth0 -j turris-log-incoming
 -A turris -o eth0 -m set --match-set turris_00000001_l_a_4_X dst -m comment --comment turris-nflog -j NFLOG --nflog-group 1000
 -A turris -o eth0 -m set --match-set turris_00000001_l_ap_4_X dst,dst -m comment --comment turris-nflog -j NFLOG --nflog-group 1002
 -A turris -o eth0 -m set --match-set turris_00000001_lb_a_4_X dst -m comment --comment turris-nflog -j NFLOG --nflog-group 1004
@@ -57,35 +57,35 @@
 -A turris -i eth0 -m set --match-set turris_10000001_lb_a_4_X src -j DROP
 -A turris -o eth0 -m set --match-set turris_10000001_lb_ap_4_X dst,dst -j DROP
 -A turris -i eth0 -m set --match-set turris_10000001_lb_ap_4_X src,src -j DROP
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_00000001_l_a_4_X src -j LOG --log-prefix "turris-00000001: " --log-level 7
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_00000001_l_ap_4_X src,src -j LOG --log-prefix "turris-00000001: " --log-level 7
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_00000001_lb_a_4_X src -j LOG --log-prefix "turris-00000001: " --log-level 7
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_00000001_lb_ap_4_X src,src -j LOG --log-prefix "turris-00000001: " --log-level 7
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_00000003_lb_a_4_X src -j LOG --log-prefix "turris-00000003: " --log-level 7
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_00000006_l_a_4_X src -j LOG --log-prefix "turris-00000006: " --log-level 7
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_00000008_l_a_4_X src -j LOG --log-prefix "turris-00000008: " --log-level 7
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_0000000A_l_a_4_X src -j LOG --log-prefix "turris-0000000A: " --log-level 7
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_0000000C_l_a_4_X src -j LOG --log-prefix "turris-0000000C: " --log-level 7
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_0000000E_l_a_4_X src -j LOG --log-prefix "turris-0000000E: " --log-level 7
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_10000001_l_a_4_X src -j LOG --log-prefix "turris-10000001: " --log-level 7
--A 
turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_10000001_lb_a_4_X src -j LOG --log-prefix "turris-10000001: " --log-level 7
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_10000001_l_ap_4_X src,src -j LOG --log-prefix "turris-10000001: " --log-level 7
--A turris-log-incoming -i eth0 -m limit --limit 1/sec -m set --match-set turris_10000001_lb_ap_4_X src,src -j LOG --log-prefix "turris-10000001: " --log-level 7
--A turris-log-incoming -i eth0 -m set --match-set turris_0000000C_l_a_4_X src -m comment --comment turris-nflog -j NFLOG --nflog-group 1016
--A turris-log-incoming -i eth0 -m set --match-set turris_00000001_l_a_4_X src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_00000001_l_ap_4_X src,src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_00000001_lb_a_4_X src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_00000001_lb_ap_4_X src,src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_00000003_lb_a_4_X src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_00000006_l_a_4_X src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_00000008_l_a_4_X src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_0000000A_l_a_4_X src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_0000000C_l_a_4_X src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_0000000E_l_a_4_X src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_10000001_l_a_4_X src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_10000001_lb_a_4_X src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_10000001_l_ap_4_X src,src -j RETURN
--A turris-log-incoming -i eth0 -m set --match-set turris_10000001_lb_ap_4_X src,src -j RETURN
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000001_l_a_4_X src -j LOG 
--log-prefix "turris-00000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000001_l_ap_4_X src,src -j LOG --log-prefix "turris-00000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000001_lb_a_4_X src -j LOG --log-prefix "turris-00000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000001_lb_ap_4_X src,src -j LOG --log-prefix "turris-00000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000003_lb_a_4_X src -j LOG --log-prefix "turris-00000003: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000006_l_a_4_X src -j LOG --log-prefix "turris-00000006: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00000008_l_a_4_X src -j LOG --log-prefix "turris-00000008: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_0000000A_l_a_4_X src -j LOG --log-prefix "turris-0000000A: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_0000000C_l_a_4_X src -j LOG --log-prefix "turris-0000000C: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_0000000E_l_a_4_X src -j LOG --log-prefix "turris-0000000E: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_10000001_l_a_4_X src -j LOG --log-prefix "turris-10000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_10000001_lb_a_4_X src -j LOG --log-prefix "turris-10000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_10000001_l_ap_4_X src,src -j LOG --log-prefix "turris-10000001: " --log-level 7
+-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_10000001_lb_ap_4_X src,src -j LOG --log-prefix "turris-10000001: " --log-level 7
+-A 
turris-log-incoming -m set --match-set turris_0000000C_l_a_4_X src -m comment --comment turris-nflog -j NFLOG --nflog-group 1016
+-A turris-log-incoming -m set --match-set turris_00000001_l_a_4_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_00000001_l_ap_4_X src,src -j RETURN
+-A turris-log-incoming -m set --match-set turris_00000001_lb_a_4_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_00000001_lb_ap_4_X src,src -j RETURN
+-A turris-log-incoming -m set --match-set turris_00000003_lb_a_4_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_00000006_l_a_4_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_00000008_l_a_4_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_0000000A_l_a_4_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_0000000C_l_a_4_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_0000000E_l_a_4_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_10000001_l_a_4_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_10000001_lb_a_4_X src -j RETURN
+-A turris-log-incoming -m set --match-set turris_10000001_l_ap_4_X src,src -j RETURN
+-A turris-log-incoming -m set --match-set turris_10000001_lb_ap_4_X src,src -j RETURN
 -A turris-log-incoming -m limit --limit 1/sec --limit-burst 500 -j LOG --log-prefix "turris-00000000: " --log-level 7
 -A turris-nflog -o eth0 -m set --match-set turris_00000008_l_a_4_X dst -m comment --comment turris-nflog -j NFLOG --nflog-group 1014
 -A turris-nflog -i eth0 -m set --match-set turris_00000008_l_a_4_X src -m comment --comment turris-nflog -j NFLOG --nflog-group 1014
-- GitLab