From 6ca6b1b0912b1f44eafa0b3bc23f8b8283e8c46c Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Fri, 3 Mar 2017 16:35:30 +0100
Subject: [PATCH] logging: don't flood log with dropped IPv6 multicast packets (bnc#847193)
It turns out there was already some logic to not log broadcast and
multicast packets by default, but it only covered IPv4. This commit merges
the logging handling for IPv4/IPv6 and multicast/broadcast packets into
one code path.
---
SuSEfirewall2 | 18 ++++++++++--------
SuSEfirewall2.sysconfig | 8 ++++++--
2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/SuSEfirewall2 b/SuSEfirewall2
index 7753c5b..d82875e 100755
--- a/SuSEfirewall2
+++ b/SuSEfirewall2
@@ -1410,7 +1410,7 @@ drop_broadcast()
$IPTABLES $match -p udp --dport $port -j "$ACCEPT"
done
- if [ "$ignore" != yes ]; then
+ if [ "$ignore" != 'yes' ]; then
for port in $ignore; do
[ $port = no ] && continue
$IPTABLES $match -p udp --dport $port -j "$DROP"
@@ -2337,16 +2337,18 @@ drop_all()
drop="$DROP"
fi
- # log and drop multicast packets separately to not flood
- # other log targets (#155326, #538053)
- $LDA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT " -m pkttype --pkt-type multicast
- $IPTABLES -A $chain -j "$DROP" -m pkttype --pkt-type multicast
-
eval local ignore="\$FW_IGNORE_FW_BROADCAST_`cibiz $zone`"
+
+ # log and drop broadcast/multicast packets separately, only if not
+ # ignored, to not flood other log targets (#155326, #538053, #847193)
+
if [ "$ignore" != 'yes' ]; then
- $LDA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT " -m pkttype --pkt-type broadcast
+ $LDA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT " -m pkttype \! --pkt-type unicast
+ $LDA $IP6TABLES -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT " -m pkttype \! --pkt-type unicast
fi
- $IPTABLES -A $chain -j "$DROP" -m pkttype --pkt-type broadcast
+ $IPTABLES -A $chain -j "$DROP" -m pkttype \! --pkt-type unicast
+ $IP6TABLES -A $chain -j "$DROP" -m pkttype \! --pkt-type unicast
+
# some packet types are considered critical
if [ -z "$LDC" ]; then
local log=${LOG}"-`rulelog $chain`-DROP-DEFLT"
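Review bot: The sysconfig hunk now states that FW_IGNORE_FW_BROADCAST_EXT "defaults to yes", but nothing in this hunk applies such a default: an empty `$ignore` (unset variable, or the empty string the shipped sysconfig assigns) still satisfies `[ "$ignore" != 'yes' ]` on the line after the new comment, so the log rules are emitted, and with the `$IP6TABLES` rules added here an unset value would now flood the log with IPv6 multicast drops on the external zone unless the default is filled in elsewhere (the sysconfig loader, or earlier in drop_all) — worth confirming before relying on the documented default. Logging for both address families is also gated on the single per-zone value, so IPv4 broadcast and IPv6 multicast cannot be logged independently; if that is intended, the new sysconfig comment already says so, otherwise the code comment should, e.g. `# FW_IGNORE_FW_BROADCAST_<zone> gates logging for both families; the drop itself is unconditional`. Whether `$IP6TABLES` is a no-op when IPv6 filtering is disabled cannot be seen from this hunk and is presumably handled where it is set. Minor: the blank line between the new comment and the `if` separates the comment from the code it describes; dropping it reads better. drop_all begins before this hunk and continues past it.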
diff --git a/SuSEfirewall2.sysconfig b/SuSEfirewall2.sysconfig
index df874eb..8e8f565 100644
--- a/SuSEfirewall2.sysconfig
+++ b/SuSEfirewall2.sysconfig
@@ -647,7 +647,7 @@ FW_LOG_DROP_CRIT=""
#
# whether all dropped packets should be logged
#
-# Note: for broadcasts to be logged you also need to set
+# Note: for broadcasts or multicasts to be logged you also need to set
# FW_IGNORE_FW_BROADCAST_* to 'no'
#
# defaults to "no" if not set
@@ -822,6 +822,8 @@ FW_ALLOW_FW_BROADCAST_DMZ=""
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
+# This affects both broadcast and multicast packets for both IPv4 and IPv6
+#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*
#
@@ -834,17 +836,19 @@ FW_ALLOW_FW_BROADCAST_DMZ=""
# - "no" log all dropped broadcast packets
#
#
-# defaults to "no" if not set
+# defaults to "yes"
FW_IGNORE_FW_BROADCAST_EXT=""
## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
+# defaults to "no"
FW_IGNORE_FW_BROADCAST_INT=""
## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
+# defaults to "no"
FW_IGNORE_FW_BROADCAST_DMZ=""
## Type: list(yes,no,int,ext,dmz,)
--
2.10.2