add config option to enable the firewall log

Author: cremesk

CHANGELOG.md

@@ -2,7 +2,8 @@
 `current version:` ![calver](https://img.shields.io/github/v/release/freifunk-dresden/ffdd-server?include_prereleases)
 
 ## version 1.5.0rc3
-	- switch to new sysinfo.json version that combines network statistics and makes it interface independent
+	- switch to new sysinfo.json version 18 that combines network statistics and makes it interface independent
+	- add config option to enable the firewall log
 
 ## version 1.5.0rc2
 	- remove support for debian 10

salt/freifunk/base/iptables/etc/init.d/S41firewall

@@ -19,9 +19,10 @@ WAN_DEV="$(uci -qX get ffdd.sys.ifname)"
 # see S53batman for more info.
 FFGW_IF='ffgw'
 
+eval "$(ddmesh-ipcalc.sh -n "$(uci -qX get ffdd.sys.ddmesh_node)")"
 
+LOG="$(uci -qX get ffdd.sys.firewall_log)"
 
-eval "$(ddmesh-ipcalc.sh -n "$(uci -qX get ffdd.sys.ddmesh_node)")"
 
 # iptables command
 IPT="$(command -v iptables)"
@@ -50,7 +51,7 @@ if [ "$1" = "start" ]; then
 
 	#masquerade all to vpn tunnel: rules are set by openvpn/wireguard scripts
 
-	# allow local internet 
+	# allow local internet
 	if [ "$(uci -qX get ffdd.sys.announce_gateway)" = "1" ]; then
 		$IPT -w -t nat -A POSTROUTING -o ${WAN_DEV} -j MASQUERADE
 	fi
@@ -118,7 +119,9 @@ if [ "$1" = "start" ]; then
 	#drop packages before logging
 	$IPT -w -A INPUT -i "$WAN_DEV" -p udp --dport 137 -j DROP
 
-	$IPT -w -A INPUT -j LOG --log-prefix "DROP IPv4 INPUT: "
+	if [ "$LOG" = '1' ]; then
+		$IPT -w -A INPUT -j LOG --log-prefix "DROP IPv4 INPUT: "
+	fi
 	$IPT -w -A INPUT -j DROP
 
 #----- setup FORWARD rules -----
@@ -157,13 +160,15 @@ if [ "$1" = "start" ]; then
 	$IPT -w -A FORWARD -i ${FFGW_IF} ! -s ${_ddmesh_meshnet} -j DROP
 	$IPT -w -A FORWARD -i ${FFGW_IF} -o vpn+ -j ACCEPT
 
-	# allow local internet 
+	# allow local internet
 	if [ "$(uci -qX get ffdd.sys.announce_gateway)" = "1" ]; then
 		$IPT -w -A FORWARD -i ${FFGW_IF} -o ${WAN_DEV} -j ACCEPT
 	fi
 
 	#block any other
-	$IPT -w -A FORWARD -j LOG --log-prefix "DROP IPv4 FORWARD: "
+	if [ "$LOG" = '1' ]; then
+		$IPT -w -A FORWARD -j LOG --log-prefix "DROP IPv4 FORWARD: "
+	fi
 	$IPT -w -A FORWARD -j DROP
 
 #----- setup OUTPUT rules -----

salt/freifunk/base/iptables/etc/init.d/S42firewall6

@@ -16,6 +16,8 @@ WAN_DEV="$(uci -qX get ffdd.sys.ifname)"
 
 eval "$(ddmesh-ipcalc.sh -n $(uci -qX get ffdd.sys.ddmesh_node))"
 
+LOG="$(uci -qX get ffdd.sys.firewall_log)"
+
 
 if [ "$1" = "start" ]; then
 
@@ -99,7 +101,9 @@ if [ "$1" = "start" ]; then
 	ip6tables -w -A INPUT -i "$BACKBONE_DEV" -p 4 -j ACCEPT
 	ip6tables -w -A INPUT -i "$BACKBONE_DEV" -p 41 -j ACCEPT
 
-	ip6tables -w -A INPUT -j LOG --log-prefix "DROP IPv6 INPUT: "
+	if [ "$LOG" = '1' ]; then
+		ip6tables -w -A INPUT -j LOG --log-prefix "DROP IPv6 INPUT: "
+	fi
 	ip6tables -w -A INPUT -j DROP
 
 
@@ -119,7 +123,9 @@ if [ "$1" = "start" ]; then
 	ip6tables -w -A FORWARD -i bmx+ -o vpn+ -j ACCEPT
 
 	#block any other
-	ip6tables -w -A FORWARD -j LOG --log-prefix "DROP IPv6 FORWARD: "
+	if [ "$LOG" = '1' ]; then
+		ip6tables -w -A FORWARD -j LOG --log-prefix "DROP IPv6 FORWARD: "
+	fi
 	ip6tables -w -A FORWARD -j DROP
 
 #----- setup OUTPUT rules -----

salt/freifunk/base/uci/etc/config/ffdd

@@ -74,6 +74,9 @@ config 'ffdd' 'sys'
 	# so that any other may use it in for instance in maps or hotspot lists (leipzig does uses this)
 	option 'group_id' '0'
 
+	# firewall log enabled (1) or disabled (0)
+	option 'firewall_log' '0'
+
 config fastd 'fastd'
 	# this is the secret key which is used to decrypt secured backbone connection
 	# the corresponding public key should be given to the peers, so those can encrpyt/connect to this server

salt/freifunk/base/uci/usr/local/bin/uci_check_config_options.sh

@@ -14,6 +14,7 @@
 	test -n "$(uci -qX get ffdd.sys.ddmesh_disable_gateway)" && uci -q delete ffdd.sys.ddmesh_disable_gateway
 	test -z "$(uci -qX get ffdd.sys.announce_gateway)" && uci -q set ffdd.sys.announce_gateway=0
 	test -z "$(uci -qX get ffdd.sys.group_id)" && uci -q set ffdd.sys.group_id=0
+	test -z "$(uci -qX get ffdd.sys.firewall_log)" && uci -q set ffdd.sys.firewall_log=0
 
 
 ## ffdd.wireguard