Commit
firewall: default pass all loopback without state tracking; closes #5367
Idea by @kulikov-a. While arguably not addressing the issue with unbound-control directly, we can't wait for upstream to do this.
a9a67b4
@fichtner Hi! One side effect noticed: with "Log packets matched from the default pass rules put in the ruleset" in System: Settings: Logging, this may lead to an explosive growth of the filter log size (and load on filterlog) due to stream logging of all internal communications.
For example, restarting an unbound with a large block-list can lead to the creation of a 150MB log due to the unbound-control operations.
Maybe it makes sense to add a separate flag to System: Settings: Logging (something like "Log packets matched from the default localhost pass rule put in the ruleset")? (Or just disable the logging of this rule, although this is not entirely correct imho.)
@kulikov-a meh, further evidence unbound-control should be fixed instead. We could drop the logging. It'll match all packets and that is not really helpful anyway. Not sure what @AdSchellevis thinks about it
using "set skip on lo0" is not considered? )
@fichtner @kulikov-a the easiest step forward would probably be to disable logging for this single lo0 rule; if it turns out there is a valid use-case for wanting to log this traffic, we can add a toggle later on (in which case log flooding wouldn't be an issue).
@AdSchellevis @fichtner got it. thanks)
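The three loopback variants weighed in this thread, side by side, as an added pf.conf illustration; this is not the ruleset OPNsense generates nor code from anyone in the thread, and the exact rule text is an assumption based on standard pf syntax.

```pf
# Added illustration (assumed pf.conf syntax, not OPNsense's generated rules).

# 1. Alternative raised in the thread: exempt loopback from pf entirely.
#    No rule evaluation, no state entries and no logging on lo0, but also
#    no way to ever filter or log loopback traffic should that be wanted.
# set skip on lo0

# 2. What the commit describes, with the System: Settings: Logging option
#    for default pass rules active: a first-match (quick) pass on lo0 with
#    no state tracking. The "log" keyword means every local packet, e.g.
#    each unbound-control exchange, produces a filterlog line, which is
#    the 150MB-per-restart growth reported above.
# pass in  log quick on lo0 no state
# pass out log quick on lo0 no state

# 3. Follow-up proposed in the thread: the same rule without "log". The
#    default pass still applies and no state is tracked, but loopback
#    traffic never reaches filterlog, so the flood goes away.
pass in  quick on lo0 no state
pass out quick on lo0 no state
```

With variant 3 any later per-rule logging toggle would simply re-add "log" to these two lines, which is the switch the thread defers until a concrete use-case appears.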