[pve-devel] better firewall logging possible?

Alexandre DERUMIER aderumier at odiso.com
Thu Sep 7 03:24:14 CEST 2017


Hi Tom,

I just sent a patch for logging ipfilter, mac filter && ipv6 advertisement.

Can you test it?

(Works fine on my side)


----- Original Message -----
From: "Tom Weber" <pve at junkyard.4t2.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday, 6 September 2017 22:18:39
Subject: Re: [pve-devel] better firewall logging possible?

Attached patch works for me, tested with the ipfilter option.
I also added logging for the 2 other silent DROPs above, untested though.

Maybe someone could verify and even commit (no git repository for pve over here - yet)

Tom 


On Wednesday, 06.09.2017, 16:24 +0200, Tom Weber wrote:
> 
> 
> Hi, 
> 
> This patch compiles, but it won't work.
> 
> It still DROPs without logging.
> 
> Now it logs the packets that don't get dropped.
> The first DROP stops the evaluation of the chain. Everything else gets logged.
> 
> Chain veth144010i2-OUT (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  any    any     anywhere             anywhere             ! match-set PVEFW-1DB4EE2A src
>     0     0 NFLOG      all  --  any    any     anywhere             anywhere             nflog-prefix ":144010:4:veth144010i2-OUT: policyXXX: DROP"
> 
> Changing the order will make it log everything.
> 
> I think the blacklist option does it right:
> 
> sub ruleset_chain_add_input_filters {
>     my ($ruleset, $chain, $ipversion, $options, $cluster_conf, $loglevel) = @_;
> 
>     if ($cluster_conf->{ipset}->{blacklist}){
>         if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) {
>             ruleset_create_chain($ruleset, "PVEFW-blacklist");
>             ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel;
>             ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP");
>         }
>         my $ipset_chain = compute_ipset_chain_name(0, 'blacklist', $ipversion);
>         ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} src -j PVEFW-blacklist");
>     }
[...] 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
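The ordering problem in the chain listing quoted in this thread, shown as an added example (this is not code from pve-firewall or from the patches discussed here). The script prints the iptables commands for both chain shapes: the broken one, where a terminating DROP sits ahead of the NFLOG rule in the same chain and therefore only packets that survive the DROP ever reach the logger, and the working one used by the PVEFW-blacklist code, where a dedicated chain logs first and drops second while the match stays on the jump. `IPT` defaults to a dry run (`echo iptables`); the chain name `PVEFW-ipfilter-drop` is a placeholder chosen for the example, and `log_is_reachable` is a small check of the emitted rule order, not an iptables feature.

```shell
#!/bin/sh
# Added example, not pve-firewall code. IPT defaults to a dry run that only
# prints the commands; run with IPT=iptables as root to apply them.
# The veth chain, ipset name and log prefix are taken from the listing in
# the thread; PVEFW-ipfilter-drop is a placeholder chain name.
IPT="${IPT:-echo iptables}"

# Broken shape: match + DROP first, NFLOG second, in one chain. DROP is a
# terminating target, so the NFLOG rule is only reached by packets that were
# NOT dropped; the dropped ones are never logged.
wrong_order() {
    chain=$1 set_name=$2 prefix=$3
    $IPT -N "$chain"
    $IPT -A "$chain" -m set ! --match-set "$set_name" src -j DROP
    $IPT -A "$chain" -j NFLOG --nflog-prefix "$prefix"
}

# Working shape (what the PVEFW-blacklist code does): a dedicated chain whose
# only rules are NFLOG then DROP. Every packet entering it is logged, then dropped.
logged_drop_chain() {
    chain=$1 prefix=$2
    $IPT -N "$chain"
    $IPT -A "$chain" -j NFLOG --nflog-prefix "$prefix"
    $IPT -A "$chain" -j DROP
}

# The match lives on the jump in the filtering chain, not in the log chain.
# Usage: jump_to_logged_drop FROM_CHAIN TARGET_CHAIN <match args...>
jump_to_logged_drop() {
    from_chain=$1 target=$2
    shift 2
    $IPT -A "$from_chain" "$@" -j "$target"
}

# Check a dry-run listing (one "iptables ..." command per line): returns 1 if
# a terminating target (DROP/REJECT/ACCEPT) precedes the NFLOG rule, i.e. the
# silent-DROP ordering from the chain listing in the thread.
log_is_reachable() {
    printf '%s\n' "$1" | awk '
        /-j (DROP|REJECT|ACCEPT)( |$)/ && !seen_log { blocked = 1 }
        /-j NFLOG/ { seen_log = 1 }
        END { exit blocked ? 1 : 0 }'
}

echo "# broken ordering (DROP before NFLOG in the same chain):"
wrong_order veth144010i2-OUT PVEFW-1DB4EE2A ":144010:4:veth144010i2-OUT: policyXXX: DROP"
echo "# working ordering (NFLOG then DROP in its own chain, jumped to with the match):"
logged_drop_chain PVEFW-ipfilter-drop ":144010:4:veth144010i2-OUT: ipfilter: DROP"
jump_to_logged_drop veth144010i2-OUT PVEFW-ipfilter-drop -m set ! --match-set PVEFW-1DB4EE2A src
```

Run it without arguments to see the two command sequences side by side; `log_is_reachable` can be pointed at the output of either generator (or at a hand-written listing) to flag a chain where a terminating target shadows the logging rule.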



