banip: logging with limits also limits packet drops

[jorti]

Package Name

banip

Maintainer

@dibdot

OpenWrt Version

24.10.4

OpenWrt Target/Subtarget

mediatek/mt7622

Steps to Reproduce

1. Enable some banIP feeds for the input table, for example firehol1
2. Enable logging for inbound

The created rules in nftables are like this:

ip saddr @firehol1.v4 log prefix "banIP/inbound/drop/firehol1.v4: " limit rate 10/second burst 5 packets counter packets 5176 bytes 223292 drop

Actual Behaviour

If my understanding of limit in nftables is correct, the limit is also applying to the drop instance, so it's dropping only 10 packets/second.

I think this should be split into 2 rules: logging (with limits) and dropping.

Confirmation Checklist

• The package is maintained in this repository.
• I understand that issues related to the base OpenWrt repository or LuCI repository will be closed.
• I am reporting an issue for OpenWrt, not an unsupported fork.

[dibdot]

Nope, the limit rate 10/second burst 5 packets is a so-called match filter for the log action. It ensures that only up to 10 log entries per second (with a start buffer of 5) are written. The drop action is not affected by this. Every packet that meets the condition (ip saddr @firehol1.v4) is discarded, regardless of whether it is logged or not.

[jorti]

Nope, the limit rate 10/second burst 5 packets is a so-called match filter for the log action. It ensures that only up to 10 log entries per second (with a start buffer of 5) are written. The drop action is not affected by this. Every packet that meets the condition (ip saddr @firehol1.v4) is discarded, regardless of whether it is logged or not.

I disagree. I've done a quick test and I've confirmed that the limit statement also limits the drops, so any packet over limits can skip the drop. See below the details of my test:

I have a web server in a VM with this nft ruleset:

table inet test {
        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                tcp dport 22 accept
                meta l4proto { tcp, udp } log prefix "test-drop: " limit rate 1/second burst 1 packets counter drop
                tcp dport 80 log prefix "accepted: " counter accept
        }
}

From another machine, I run curl in a tight loop:

while :; do curl -I --max-time 1 http://192.168.100.193 & sleep 0.1; done

You can see that the counter of port 80 is being increased:

# nft list ruleset
table inet test {
	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		tcp dport 22 accept
		meta l4proto { tcp, udp } log prefix "test-drop: " limit rate 1/second burst 1 packets counter packets 208 bytes 12336 drop
		tcp dport 80 log prefix "accepted: " counter packets 10920 bytes 728352 accept
	}
}

Kernel is logging accepts in port 80:

Dec 01 07:25:20 kernel: accepted: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7165 DF PROTO=TCP SPT=41672 DPT=80 WINDOW=63 RES=0x00 ACK FIN URGP=0 
Dec 01 07:25:20 kernel: test-drop: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7166 DF PROTO=TCP SPT=41672 DPT=80 WINDOW=63 RES=0x00 ACK URGP=0 
Dec 01 07:25:20 kernel: accepted: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7166 DF PROTO=TCP SPT=41672 DPT=80 WINDOW=63 RES=0x00 ACK URGP=0 
Dec 01 07:25:20 kernel: test-drop: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26221 DF PROTO=TCP SPT=41686 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 
Dec 01 07:25:20 kernel: accepted: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26221 DF PROTO=TCP SPT=41686 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 
Dec 01 07:25:20 kernel: test-drop: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=26222 DF PROTO=TCP SPT=41686 DPT=80 WINDOW=63 RES=0x00 ACK URGP=0 
Dec 01 07:25:20 kernel: accepted: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=26222 DF PROTO=TCP SPT=41686 DPT=80 WINDOW=63 RES=0x00 ACK URGP=0 
Dec 01 07:25:20 kernel: test-drop: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=132 TOS=0x00 PREC=0x00 TTL=64 ID=26223 DF PROTO=TCP SPT=41686 DPT=80 WINDOW=63 RES=0x00 ACK PSH URGP=0 
Dec 01 07:25:20 kernel: accepted: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=132 TOS=0x00 PREC=0x00 TTL=64 ID=26223 DF PROTO=TCP SPT=41686 DPT=80 WINDOW=63 RES=0x00 ACK PSH URGP=0 
Dec 01 07:25:20 kernel: test-drop: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=26224 DF PROTO=TCP SPT=41686 DPT=80 WINDOW=63 RES=0x00 ACK URGP=0 
Dec 01 07:25:20 kernel: accepted: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=26224 DF PROTO=TCP SPT=41686 DPT=80 WINDOW=63 RES=0x00 ACK URGP=0 
Dec 01 07:25:20 kernel: test-drop: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=26225 DF PROTO=TCP SPT=41686 DPT=80 WINDOW=63 RES=0x00 ACK FIN URGP=0 
Dec 01 07:25:20 kernel: accepted: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=26225 DF PROTO=TCP SPT=41686 DPT=80 WINDOW=63 RES=0x00 ACK FIN URGP=0 
Dec 01 07:25:20 kernel: test-drop: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=26226 DF PROTO=TCP SPT=41686 DPT=80 WINDOW=63 RES=0x00 ACK URGP=0 
Dec 01 07:25:20 kernel: accepted: IN=eth0 OUT= MAC=52:54:00:84:af:a5:52:54:00:ac:e9:8a:08:00 SRC=192.168.100.1 DST=192.168.100.193 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=26226 DF PROTO=TCP SPT=41686 DPT=80 WINDOW=63 RES=0x00 ACK URGP=0 

Please, consider reopening the bug.

[dibdot]

Looks reasonable, thanks for testing. I'll reopen the ticket ...