Reviewed-by: Bernhard Bitsch
Am 21.01.2024 um 12:45 schrieb Adolf Belka:
> - This v3 version now has two if loops allowing logging of incoming drop hostile or
> outgoing drop hostile or both or neither.
> - Dependent on the choice in optionsfw.cgi this loop will either log or not log the
> dropped hostile traffic.
>
> Fixes: bug12981
> Tested-by: Adolf Belka
> Signed-off-by: Adolf Belka
> ---
> src/initscripts/system/firewall | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 50f2b3e02..840ae3150 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -176,9 +176,18 @@ iptables_init() {
> iptables -A FORWARD -j HOSTILE
> iptables -A OUTPUT -j HOSTILE
>
> - iptables -N HOSTILE_DROP
> - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
> - iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
> + iptables -N HOSTILE_DROP_IN
> + if [ "$LOGDROPHOSTILEIN" == "on" ]; then
> + iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
> + fi
> + iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE"
> +
> + iptables -N HOSTILE_DROP_OUT
> + if [ "$LOGDROPHOSTILEOUT" == "on" ]; then
> + iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
> + fi
> + iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE"
> +
>
> # IP Address Blocklist chains
> iptables -N BLOCKLISTIN
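Review bot: The hunk removes the HOSTILE_DROP chain and creates only HOSTILE_DROP_IN and HOSTILE_DROP_OUT, but the diffstat (12 insertions, 3 deletions, one file) shows no other line of this script changed, so any rule that still does `-j HOSTILE_DROP` — the HOSTILE chain is populated elsewhere in this script, I believe in the red-up path, which is outside this hunk — would fail at rule-load time with "No chain/target/match by that name"; those jumps need to become `-j HOSTILE_DROP_IN` for the source/ingress match and `-j HOSTILE_DROP_OUT` for the destination/egress match in the same patch. Separately, both new LOG rules keep the identical `--log-prefix "DROP_HOSTILE "`, so once both directions are enabled an analyst reading the kernel log cannot tell an inbound hostile drop from an outbound one, which defeats the purpose of splitting the chains; use `--log-prefix "DROP_HOSTILE_IN "` and `--log-prefix "DROP_HOSTILE_OUT "`, after checking that the firewall log viewer and graphs match on the "DROP_HOSTILE" stem rather than the exact string, since an exact match would stop classifying these entries. The `-m comment --comment "DROP_HOSTILE"` on the two DROP rules could carry the same _IN/_OUT suffix so `iptables -L -v` output is equally unambiguous. The trailing `+` blank line directly precedes an existing blank context line, leaving a double blank. iptables_init() begins before this hunk and continues after it.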