24.7.8: block rules logged twice

Started by wernerk, October 15, 2024, 08:53:12 PM

Hello!

With the latest release I noticed that all logs about block rules are doubled and appear twice in the live view and also in the plain view. Does anyone have any idea why this can happen in general (without the need to post my complete config ;))? Pass rules, btw, are logged fine, without creating duplicates.

Br Werner

I'm seeing the same issue on 24.7.7.
Moved to the latest development release to see if that helped, but it did not, so now back on 24.7.7 with duplicate blocks.
I'm glad it isn't only me!

Very nice - thx for sharing!
Now I can stop trying to find some misconfiguration on my side... ;D

Hello!
Thank you very much for sharing. I thought I had a misconfiguration. My OPNsense is running on version 24.7.11_2 and it's the same issue. Hope an update will fix this soon. Or does anybody know how to fix it?

Best regards
Andy

Well I'll be damned. I didn't notice that at all. Go figure. I'll dig around a bit and see if I can see this on github. Y'all may want to do the same, and post if you find something or open a bug.


Thank you. I think this is the same bug you've posted. I will check the doubled logs after the next updates. Hope it will be fixed.

I wouldn't bet on that. Franco said it'd require a rework of pf's logging - not a small task, and (unless the existing behavior is preserved as default) a potential political PITA. And to avoid breaking folks' UI familiarity and log parsers, the default logging would really have to remain... the default.

That being said, more complete session logging would be nice... Heh.

Just a note on wacky logs: Multicast packets entering bridge member interfaces that hit block rules are logged six times, e.g. (one packet):

vlan106      in    2025-01-20T18:24:48-06:00    172.22.77.161:138    172.22.77.255:138    udp    Default deny / state violation rule
vlan106      in    2025-01-20T18:24:48-06:00    172.22.77.161:138    172.22.77.255:138    udp    Default deny / state violation rule
GUEST        in    2025-01-20T18:24:48-06:00    172.22.77.161:138    172.22.77.255:138    udp    GUEST: Reject Windows from any to any
GUEST        in    2025-01-20T18:24:48-06:00    172.22.77.161:138    172.22.77.255:138    udp    GUEST: Reject Windows from any to any
GUEST        in    2025-01-20T18:24:48-06:00    172.22.77.161:138    172.22.77.255:138    udp    GUEST: Reject Windows from any to any
GUEST        in    2025-01-20T18:24:48-06:00    172.22.77.161:138    172.22.77.255:138    udp    GUEST: Reject Windows from any to any

Ones that hit pass rules are logged correctly. Both cases are actually handled correctly (packets are either blocked or forwarded to other bridge members). Yes, I tested them with both physical and VLAN interfaces. I originally thought I'd run into another entrance interface mapping error, but no, it's just cosmetic. Oh, and I found out that Linksys WRT1900AC factory firmware is stupidly chatty, making it an excellent test article - plug it in and off it goes.