Bug ID 1268433: Some firewall rules do not generate denial logs

Last Modified: May 29, 2024

Affected Product(s):
F5OS Velos(all modules)

Known Affected Versions:
F5OS-A 1.3.0, F5OS-A 1.3.1, F5OS-A 1.3.2, F5OS-A 1.4.0, F5OS-A 1.5.0, F5OS-A 1.5.1, F5OS-A 1.5.2, F5OS-C 1.3.0, F5OS-C 1.3.1, F5OS-C 1.3.2, F5OS-C 1.5.0, F5OS-C 1.5.1, F5OS-C 1.6.0, F5OS-C 1.6.1, F5OS-C 1.6.2

Opened: Mar 09, 2023

Severity: 3-Major

Symptoms

system_latest_vers network namespaces are disabled by default to prevent host kernel log flooding from inside a container.

Impact

When traffic is denied from an IP, we do not get a message saying traffic from a particular IP is denied.

Conditions

By default, all network namespace logs are disabled except for init namespace.

Workaround

Command to enable system_latest_vers network namespace denial logs: sysctl -w net.netfilter.nf_log_all_netns=1 (not-persistent) Persistent solution: 1) Create a file: /etc/sysctl.conf 2) Run the command: echo "net.netfilter.nf_log_all_netns = 1" >> /etc/sysctl.conf

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips