From 4fbf6d75a4a9e523d1848a28d8a3ea095e870195 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Fri, 14 Oct 2022 17:56:27 +0200
Subject: [PATCH] ruleset.uc: log forwarded traffic not matched by zone policies

When zone logging is enabled and the global forward policy set to drop or reject, then stage an extra logging rule to log traffic that will be dropped by subsequent rules or the global reject policy.

Ref: https://forum.openwrt.org/t/x/137182/4

Signed-off-by: Jo-Philipp Wich
---
 root/usr/share/firewall4/templates/ruleset.uc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 2e33d5d..d6333f1 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -240,6 +240,9 @@ table inet fw4 {
 {% endif %}
 {% fw4.includes('chain-append', `forward_${zone.name}`) %}
 jump {{ zone.forward }}_to_{{ zone.name }}
+{% if (fw4.forward_policy() != "accept" && (zone.log & 1)): %}
+ log prefix "{{ fw4.forward_policy() }} {{ zone.name }} forward: "
+{% endif %}
 }
 {% if (zone.dflags.helper): %}
-- 
2.30.2
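Review bot: The new `log prefix` rule is unrated: it sits at the tail of the per-zone forward chain, so under a drop/reject forward policy every unmatched forwarded packet produces a kernel log entry, and a flood from one zone can saturate the ring buffer and syslog and push out more useful events. The zone's existing input/output log rules elsewhere in this template presumably honour the zone's log rate limit; this rule should apply the same guard ahead of the `log` keyword, along the lines of `{%+ if (zone.log_limit): %}limit rate {{ zone.log_limit }} {%+ endif -%}` (confirm the exact property name against the surrounding rules). Worth a one-line comment above the `{% if %}` as well, e.g. `{# last rule of forward_<zone>: anything reaching here falls through to the global forward policy #}`, since the prefix text implies the packet is dropped even though the drop happens in a later chain. The enclosing `chain forward_{{ zone.name }}` block starts outside the hunk.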