[pve-devel] better firewall logging possible?
Alexandre DERUMIER
aderumier at odiso.com
Wed Sep 6 08:07:37 CEST 2017
Hi,
in
/usr/share/perl5/PVE/Firewall.pm
find
    if ($ipfilter_ipset) {
        ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
    }
and try to add
    if ($ipfilter_ipset) {
        ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
        my $lc_direction = lc($direction);
        my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
        ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel);
    }
and restart pve-firewall service
Tell me if it works and I'll send a patch.
----- Original Message -----
From: "Tom Weber" <pve at junkyard.4t2.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Tuesday, 5 September 2017 17:30:07
Subject: [pve-devel] better firewall logging possible?
Hi there,
today I had to figure out the hard way that the Firewall Option 'IP filter'
(at least in PVE 5.0 for Containers) drops packets silently without any
logging at all, even if the log_level_* is set.
If I set the log_level, I'd expect to see _all_ dropped packets in the
Log. (This gave me a hell of a time today with a DHCP Server inside a
container).
Regards,
Tom
ps: is this the right place for such a feature request?
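
Added example (not part of the original thread and not Proxmox code): a simplified Python model of iptables first-match traversal, showing which packets end up logged depending on where a log rule sits relative to the IP filter DROP rule. It assumes a log rule added without a match condition is non-terminating and sees every packet that reaches it; the chain names, addresses and helper functions are constructed for illustration.

```python
# Simplified model of iptables chain traversal (added example, not PVE code).
# DROP/ACCEPT end traversal; NFLOG records the packet and continues.
TERMINATING = {"DROP", "ACCEPT"}

def not_in_set(allowed):
    """Model of '-m set ! --match-set <ipset> src'."""
    return lambda src: src not in allowed

def any_packet(src):
    """Rule without a match condition (assumption: an unconditional log rule)."""
    return True

def traverse(chain, src, policy="ACCEPT"):
    """Return (verdict, logged) for one packet with source address src."""
    logged = False
    for match, target in chain:
        if not match(src):
            continue
        if target == "NFLOG":
            logged = True          # non-terminating: keep walking the chain
        elif target in TERMINATING:
            return target, logged  # packet never reaches later rules
    return policy, logged

def build_chains(allowed):
    """Three hypothetical rule orders around the IP filter drop."""
    spoofed = not_in_set(allowed)
    return {
        "drop_only": [(spoofed, "DROP")],
        "log_after_drop": [(spoofed, "DROP"), (any_packet, "NFLOG")],
        "log_before_drop": [(spoofed, "NFLOG"), (spoofed, "DROP")],
    }

def report(allowed, packets):
    """Map chain name -> {src: (verdict, logged)}."""
    return {name: {src: traverse(chain, src) for src in packets}
            for name, chain in build_chains(allowed).items()}

# Constructed sample data: one address in the guest's IP filter set, one not.
ALLOWED = {"192.0.2.10"}
PACKETS = ["192.0.2.10", "192.0.2.99"]

if __name__ == "__main__":
    for name, result in report(ALLOWED, PACKETS).items():
        for src, (verdict, logged) in result.items():
            print(f"{name:16} src={src:11} verdict={verdict:6} logged={logged}")
```

When checking a change like this on a host, compare the generated rule order (for example with iptables-save) against the model: a dropped packet shows up in the log only if a log rule carrying the same match precedes the DROP.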