
Rule logging could slow down the system #1105

Open
filippocarletti opened this issue Mar 3, 2025 · 7 comments
Labels: testing (Packages are available from testing repositories)

@filippocarletti (Member)

Enabling logging on single rules or zones may slow down the firewall.
Logging should always be limited.

Steps to reproduce

  • Create a firewall rule with logging enabled (prefer the UDP protocol)
  • Generate network traffic matching the rule

Expected behavior

The system should behave consistently while logging packets.

Actual behavior

Network traffic slows down while traffic is being logged.

See also

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_traffic_logging
openwrt/firewall4@597dc90
openwrt/firewall4@1874050

@github-project-automation github-project-automation bot moved this to ToDo 🕐 in NethSecurity Mar 3, 2025
@gsanchietti gsanchietti added this to the NethSecurity 8.5 milestone Mar 3, 2025
@gsanchietti gsanchietti self-assigned this Mar 3, 2025
@gsanchietti gsanchietti moved this from ToDo 🕐 to In Progress 🛠 in NethSecurity Mar 3, 2025
@filippocarletti (Member Author)

filippocarletti commented Mar 3, 2025

Rule limit:

firewall.ns_b99826ea.log='1'
firewall.ns_b99826ea.log_limit='1/s'

Zone limit:

firewall.ns_lan.log='1'
firewall.ns_lan.log_limit='5/s'

@filippocarletti (Member Author)

A command to generate traffic:

sudo nmap -sU -Pn -T5 --min-rate 1000 192.168.1.1


github-actions bot commented Mar 5, 2025

Testing image version: 8-24.10.0-ns.1.4.99-alpha1-17-g3baea05c

@github-actions github-actions bot added the testing Packages are available from testing repositories label Mar 5, 2025
@gsanchietti gsanchietti removed their assignment Mar 5, 2025
@gsanchietti (Member)

Test case 1: firewall rules

  • From the UI, create a firewall rule with logging enabled
  • Verify the new rule has the log_limit option
  • From the UI, disable the logging for the same rule
  • Verify log option is set to 0 and log_limit option is not present

Test case 2: firewall rules, custom limit per rule

  • From the UI, create a firewall rule with logging enabled
  • Verify the new rule has the log_limit option
  • Manually change the limit from command line:
    uci set firewall.<id_rule>.log_limit='30/s'
    uci commit firewall
    reload_config
    
  • From the UI, change something on the rule (eg. the name)
  • Verify the custom log_limit has not been overridden

Test case 3: redirects

  • Repeat the test case 1 but with a redirect (port-forward) rule

Test case 4: redirects, custom limit per rule

  • Repeat the test case 2 but with a redirect (port-forward) rule

Test case 5: zones

  • Repeat the test case 1 but with a zone

Test case 6: zones, custom limit

  • Repeat the test case 2 but with a zone

Test case 7

  • Use an existing installation where the issue is reproducible
  • From the command line, execute: firewall-apply-default-logging
  • Verify that all firewall rules, redirects rules and zones with logging enabled, now have the log_limit option
  • Verify the issue is not reproducible: the firewall must handle all the traffic without slowing down

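The defaults posted earlier in the thread (5/s for a zone, 1/s for a rule) and the behaviour test cases 2, 4 and 7 expect (add a log_limit wherever logging is on, never overwrite a custom one), as an added example that is not NethSecurity's firewall-apply-default-logging script: it rewrites the text of /etc/config/firewall in UCI syntax instead of calling uci, so it runs offline on a constructed sample. The redirect default of 1/s and all section names in the sample are assumptions.

```python
"""Add a default log_limit to firewall sections that log without a rate limit.

Added example, not NethSecurity's firewall-apply-default-logging script: it
rewrites the text of /etc/config/firewall (UCI syntax) instead of calling uci,
so it runs offline on the constructed sample below.
"""
import re

# Default rate per section type, used only where log_limit is absent. The
# zone and rule values are the ones shown in the issue; the redirect value is
# an assumption.
DEFAULT_LOG_LIMIT = {"zone": "5/s", "rule": "1/s", "redirect": "1/s"}

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+'([^']*)'\s*$")

# Constructed sample config (section names are invented): ns_custom already
# carries a custom limit that must survive (test cases 2 and 4), ns_nolog
# does not log at all.
SAMPLE_CONFIG = """\
config zone 'ns_wan'
\toption name 'wan'
\toption input 'REJECT'
\toption forward 'REJECT'
\toption log '1'

config rule 'ns_allow_https'
\toption name 'Allow-HTTPS-from-WAN'
\toption src 'wan'
\toption dest_port '443'
\toption target 'ACCEPT'
\tlist proto 'tcp'
\toption log '1'

config rule 'ns_custom'
\toption name 'Custom-limit'
\toption src 'lan'
\toption target 'ACCEPT'
\toption log '1'
\toption log_limit '30/s'

config redirect 'ns_pf_ssh'
\toption name 'ssh'
\toption src 'wan'
\toption src_dport '22'
\toption dest_ip '192.168.1.10'
\toption target 'DNAT'
\toption log '1'

config rule 'ns_nolog'
\toption name 'No-logging'
\toption target 'ACCEPT'
\toption log '0'
"""


def parse_uci(text):
    """Split UCI text into (preamble lines, sections); every raw line is kept
    so the file can be written back without reordering anything."""
    preamble, sections, cur = [], [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            cur = {"type": m.group(1), "name": m.group(2), "lines": [line]}
            sections.append(cur)
        elif cur is None:
            preamble.append(line)
        else:
            cur["lines"].append(line)
    return preamble, sections


def options(section):
    """Return the section's 'option' entries as a dict (list entries ignored)."""
    return {m.group(1): m.group(2)
            for m in map(OPTION_RE.match, section["lines"]) if m}


def apply_default_log_limit(text, defaults=DEFAULT_LOG_LIMIT):
    """Return (new_text, names) where names lists the sections that received a
    default log_limit. Sections without logging, of other types, or that
    already have a log_limit (a custom value) are left untouched, so running
    this twice changes nothing."""
    preamble, sections = parse_uci(text)
    changed = []
    for sec in sections:
        opts = options(sec)
        # fw4 zones take a bitmask in 'log', so any non-zero value means logging.
        logging = opts.get("log", "0") not in ("", "0")
        if sec["type"] not in defaults or not logging or "log_limit" in opts:
            continue
        last = max(i for i, line in enumerate(sec["lines"]) if line.strip())
        sec["lines"].insert(last + 1, "\toption log_limit '%s'" % defaults[sec["type"]])
        changed.append(sec["name"] or sec["type"])
    out = preamble + [line for sec in sections for line in sec["lines"]]
    return "\n".join(out) + "\n", changed


def overridden_limits(before_text, after_text):
    """Names of sections whose existing log_limit changed between two versions
    of the config: the regression reported for test case 4 (30/s reset to 1/s)."""
    def limits(text):
        return {s["name"]: options(s).get("log_limit")
                for s in parse_uci(text)[1] if s["name"]}
    before, after = limits(before_text), limits(after_text)
    return sorted(n for n, v in before.items() if v and after.get(n) != v)


if __name__ == "__main__":
    new_text, names = apply_default_log_limit(SAMPLE_CONFIG)
    print(new_text)
    print("default log_limit added to:", names)
    print("custom limits overridden:", overridden_limits(SAMPLE_CONFIG, new_text))
```

On a real box the same two checks map onto the test cases above: run the pass once and every logging zone, rule and redirect gains a log_limit (test case 7), run it again and nothing changes, and compare `uci show firewall` before and after a UI edit to confirm no existing custom limit was rewritten (test cases 2 and 4).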
@Tbaile Tbaile moved this from In Progress 🛠 to Testing in NethSecurity Mar 5, 2025
@Tbaile Tbaile self-assigned this Mar 5, 2025
@filippocarletti (Member Author)

I've successfully verified test cases 1-6.
Only one note, about the harmless messages on every firewall restart:

root@NethSec:~# /etc/init.d/firewall restart
Section ns_defaults specifies unknown option 'rule_log_limit'
Section ns_defaults specifies unknown option 'zone_log_limit'
Section ns_defaults specifies unknown option 'redirect_log_limit'

@filippocarletti (Member Author)

Test case 7 ok:

 config zone 'ns_wan'
 	option name 'wan'
 	option input 'REJECT'
 	option output 'ACCEPT'
 	option forward 'REJECT'
 	option masq '1'
 	option mtu_fix '1'
 	list network 'wan'
 	list network 'DMZ'
 	list network 'al_DMZ'
 	option log '1'
+	option log_limit '5/s'

 config rule 'ns_allow_https'
 	option name 'Allow-HTTPS-from-WAN'
 	option src 'wan'
 	option dest_port '443'
 	option target 'ACCEPT'
 	option ns_service 'custom'
 	list proto 'tcp'
 	option enabled '1'
 	option log '1'
+	option log_limit '1/s'

@Tbaile (Contributor)

Tbaile commented Mar 6, 2025

Test case 3 has some concerns: when removing the log option through the UI, the log config is not set to 0, but deleted entirely. If this is intended, carry on.

Test case 4 fails:

root@NethSec:~# uci show firewall.ns_141e492f.log_limit
firewall.ns_141e492f.log_limit='30/s'

When I change the name of the port forward:

root@NethSec:~# uci changes
firewall.ns_141e492f.log_limit='1/s'
firewall.ns_141e492f.name='Test 2'
-firewall.ns_141e492f.proto
firewall.ns_141e492f.proto+='tcp'
firewall.ns_141e492f.proto+='udp'

Cases 1, 2, 5 and 6 are verified.

@Tbaile Tbaile assigned gsanchietti and unassigned filippocarletti and Tbaile Mar 6, 2025