[pve-devel] pve-firewall: default loglevel behaviour change

Thomas Lamprecht t.lamprecht at proxmox.com
Thu May 16 09:19:00 CEST 2019


On 5/16/19 9:04 AM, Alexandre DERUMIER wrote:
>>> When we added this we had some discussion about the sensible default, IIRC,
>>> I initially was for no ratelimit per default, but Christian argued that with
>>> the bucket burst limit we have a sensible balance between spamming the logs
>>> (if something is off, and a lot of packets get generated) but still seeing
>>> bursts. FYI, you can also just set log_ratelimit to 0 (enabled is the default
>>> key), but not sure if we want to change this to opt-out, I mean either way
>>> one only needs to change it once per cluster...
> 
> yes, no problem. 
> 
> But the GUI is a little bit strange.
> 
> if log_ratelimit is undefined, the GUI shows "log rate limit: enable=0" (and rate limit is a default 1/sec).
> then, you need to click the checkbox to enable ratelimit, then click again to disable it to finally
> have the value "log_ratelimit: enable=0"

yeah, true, that's a bug, I'm onto it.

> 
> 
> 
> ----- Original mail -----
> From: "Thomas Lamprecht" <t.lamprecht at proxmox.com>
> To: "pve-devel" <pve-devel at pve.proxmox.com>, "aderumier" <aderumier at odiso.com>, "Christian Ebner" <c.ebner at proxmox.com>
> Sent: Thursday 16 May 2019 08:53:37
> Subject: Re: [pve-devel] pve-firewall: default loglevel behaviour change
> 
> On 5/16/19 1:18 AM, Alexandre DERUMIER wrote: 
>> Thanks ! 
>>
>> Also, 
>> about new log ratelimit 
>> https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff;f=src/PVE/Firewall.pm;h=48e630004bf424c2db578aad3e60eb61db42f8e6;hp=ba1cb5f5924af094fe647f98d40e2703eca96ff4;hb=cc37e0005d0617e405883fd12b80faf65cedb153;hpb=95ed90a9a8418173ab7cac2d0c1f6ddd04c376cc 
>>
>> it seems that the default is now
>> +my $global_log_ratelimit = '--limit 1/sec'; 
>>
>>
>> (If you don't have the option "log_ratelimit" in cluster.fw)
>>
>>
>>
>> +my $set_global_log_ratelimit = sub { 
>> + my $cluster_opts = shift; 
>> + 
>> + $global_log_ratelimit = '--limit 1/sec'; 
>> + if (defined(my $log_rlimit = $cluster_opts->{log_ratelimit})) { 
>> + my $ll_format = $cluster_option_properties->{log_ratelimit}->{format}; 
>> + my $limit = PVE::JSONSchema::parse_property_string($ll_format, $log_rlimit); 
>> + 
>> + if ($limit->{enable}) { 
>> + if (my $rate = $limit->{rate}) { 
>> + $global_log_ratelimit = "--limit $rate"; 
>> + } 
>> + if (my $burst = $limit->{burst}) { 
>> + $global_log_ratelimit .= " --limit-burst $burst"; 
>> + } 
>> + } else { 
>> + $global_log_ratelimit = undef; 
>> + } 
>> + } 
>> +}; 
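Review bot: the two "off" states of $set_global_log_ratelimit do not agree: when cluster.fw has no log_ratelimit key the sub keeps the hard-coded '--limit 1/sec', while 'log_ratelimit: enable=0' sets $global_log_ratelimit to undef, so an unset option silently leaves rate limiting on. Either document that the default is enabled at 1/sec or make the undefined case behave like enable=0, as Alexandre asks. Note also that when enable is set but no burst is given, no '--limit-burst' is appended, so the burst value is whatever the iptables limit match defaults to rather than something the firewall configuration controls.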
>>
>>
>> but it's correctly disabled with 
>> "log_ratelimit: enable=0" in cluster.fw 
>>
>> I think the behaviour should be also the same when option is not defined. 
> 
> When we added this we had some discussion about the sensible default, IIRC, 
> I initially was for no ratelimit per default, but Christian argued that with 
> the bucket burst limit we have a sensible balance between spamming the logs 
> (if something is off, and a lot of packets get generated) but still seeing 
> bursts. FYI, you can also just set log_ratelimit to 0 (enabled is the default 
> key), but not sure if we want to change this to opt-out, I mean either way
> one only needs to change it once per cluster... 
> 
>>
>>
>> ----- Original mail -----
>> From: "Christian Ebner" <c.ebner at proxmox.com>
>> To: "pve-devel" <pve-devel at pve.proxmox.com>, "aderumier" <aderumier at odiso.com>
>> Sent: Wednesday 15 May 2019 17:03:13
>> Subject: Re: [pve-devel] pve-firewall: default loglevel behaviour change
>>
>> Hi Alexandre, 
>>
>> you are right, logging the packets passing the firewall bridge seems a bit overkill and redundant. 
>>
>> Will send a patch to fix this. 
>>
>>> On May 15, 2019 at 4:08 PM Alexandre DERUMIER <aderumier at odiso.com> wrote: 
>>>
>>>
>>> Hi, 
>>>
>>> since this commit 
>>>
>>>
>>> https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff;f=src/PVE/Firewall.pm;h=ccc5d7ffb62f1ef4c4d59e363192f512c88742c9;hp=6ac303831a62f630d437ef0e0508decd2b72f5ac;hb=3489f8a2b9597201fe8e42fa5832507f96169619;hpb=33efd363ab32d3f8f6a9c49e481cb62a8da40b5d 
>>>
>>> @@ -2341,10 +2348,10 @@ sub generate_tap_rules_direction { 
>>> # plug the tap chain to bridge chain 
>>> if ($direction eq 'IN') { 
>>> ruleset_addrule($ruleset, "PVEFW-FWBR-IN", 
>>> - "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain"); 
>>> + "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain", $loglevel, 'FWBR-IN: ', $vmid); 
>>> } else { 
>>> ruleset_addrule($ruleset, "PVEFW-FWBR-OUT", 
>>> - "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain"); 
>>> + "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain", $loglevel, 'FWBR-OUT: ', $vmid); 
>>> } 
>>> } 
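Review bot: the new $loglevel, prefix and $vmid arguments on both ruleset_addrule calls turn the jump from PVEFW-FWBR-IN/OUT into the tap chain into a logging point, so every packet entering the chain is logged before any verdict, and whenever a rule or the default policy logs as well the same packet appears twice (the two lines below for ID=20498 show exactly that). The FWBR-IN/OUT entry carries no accept/drop/reject outcome, so it adds log volume without a decision; suggest not passing $loglevel on these two calls, or tying it to a separate option, so these entries are only emitted when explicitly enabled.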
>>>
>>>
>>>
>>> The default loglevel of a vm is logging all packets coming to the tap chain
>>> ex: 
>>> -A PVEFW-FWBR-IN -m physdev --physdev-out tap135i0 --physdev-is-bridged -m limit --limit 1/sec -j NFLOG --nflog-prefix ":135:6:PVEFW-FWBR-IN: FWBR-IN: " 
>>>
>>> Previously, it was only for the final DROP/REJECT/ACCEPT action 
>>>
>>>
>>> Here is an example with a connection to port 53, with default action input/output policy = reject, loglevelin:info, and no rule to allow port
>>> [OPTIONS] 
>>>
>>> log_level_out: info 
>>> macfilter: 1 
>>> policy_out: REJECT 
>>> enable: 1 
>>> policy_in: REJECT 
>>> dhcp: 0 
>>> log_level_in: info 
>>>
>>> [RULES] 
>>>
>>>
>>>
>>>
>>>
>>> 135 6 PVEFW-FWBR-IN 15/May/2019:15:53:23 +0200 FWBR-IN: IN=fwbr135i0 OUT=fwbr135i0 PHYSIN=fwln135i0 PHYSOUT=tap135i0 MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.33 DST=10.3.95.29 LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389 LEN=263 
>>> 135 6 tap135i0-IN 15/May/2019:15:53:23 +0200 policy REJECT: IN=fwbr135i0 OUT=fwbr135i0 PHYSIN=fwln135i0 PHYSOUT=tap135i0 MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.33 DST=10.3.95.29 LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389 LEN=263 
>>>
>>>
>>> As you see, it's logged twice. (once when coming to the tap chain, once when the final action is reject)
>>>
>>> Same if you make a rule in the vm, activating log on the rule, it's logged twice.
>>>
>>> I would like to be able to remove this logging in FWBR-IN, and only log on rules or default input/output policy action. 
>>> But currently, if I disable the loglevel=nolog, it's disabling too the log for default action. 
>>>
>>>
>>> I'm not sure, but do we really need this log on FWBR-IN ? (I mean, we don't have any info if it's drop/accept/reject, so it's pretty useless, we only know that a packet is coming).
>>> Or maybe could we have a different loglevel option for default input/output policy ? 
>>>
>>> _______________________________________________ 
>>> pve-devel mailing list 
>>> pve-devel at pve.proxmox.com 
>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>>
> 
> 
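The option handling discussed in this thread, as an added example in Python (not pve-firewall's own Perl): it mirrors the quoted $set_global_log_ratelimit logic and the NFLOG rule shown above, so the unset, enable=0 and explicit rate/burst cases can be compared side by side. The property-string parser is a simplified stand-in for PVE::JSONSchema::parse_property_string and assumes that "enable" is the default key and defaults to true when omitted.

```python
from typing import Optional


# Simplified stand-in for PVE::JSONSchema::parse_property_string (assumption):
# comma-separated "k=v" pairs, and a bare value is assigned to the default key.
def parse_property_string(value: str, default_key: str = "enable") -> dict:
    props = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        key, val = part.split("=", 1) if "=" in part else (default_key, part)
        props[key.strip()] = val.strip()
    return props


def global_log_ratelimit(cluster_opts: dict) -> Optional[str]:
    """Return the '-m limit' arguments the generated log rules get, or None
    when rate limiting is disabled. Mirrors the quoted Perl: an undefined
    option keeps the hard-coded 1/sec default, enable=0 switches it off."""
    limit_args = "--limit 1/sec"
    raw = cluster_opts.get("log_ratelimit")
    if raw is None:
        return limit_args          # unset key: rate limiting stays on
    limit = parse_property_string(raw)
    # Perl treats "0" and "" as false; anything else enables the limit.
    # Assumption: a missing "enable" key defaults to enabled.
    if limit.get("enable", "1") in ("0", ""):
        return None
    if limit.get("rate"):
        limit_args = f"--limit {limit['rate']}"
    if limit.get("burst"):
        limit_args += f" --limit-burst {limit['burst']}"
    return limit_args


def nflog_rule(chain: str, physdev_arg: str, prefix: str,
               limit_args: Optional[str]) -> str:
    """Assemble the NFLOG rule in iptables-save form, as in the thread's
    sample; the '-m limit' match is dropped entirely when limiting is off."""
    parts = [f"-A {chain} -m physdev {physdev_arg} --physdev-is-bridged"]
    if limit_args:
        parts.append(f"-m limit {limit_args}")
    parts.append(f'-j NFLOG --nflog-prefix "{prefix}"')
    return " ".join(parts)


if __name__ == "__main__":
    for opts in ({}, {"log_ratelimit": "enable=0"}, {"log_ratelimit": "0"},
                 {"log_ratelimit": "rate=5/sec,burst=10"}):
        args = global_log_ratelimit(opts)
        print(f"{opts!r:45} -> {args!r}")
        print("  ", nflog_rule("PVEFW-FWBR-IN", "--physdev-out tap135i0",
                                ":135:6:PVEFW-FWBR-IN: FWBR-IN: ", args))
```

Running it shows the asymmetry the thread is about: an absent key and `enable=1` both produce `--limit 1/sec`, while only an explicit `enable=0` (or bare `0`) removes the `-m limit` match from the rule.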





