[pve-devel] better firewall logging possible?

Alexandre DERUMIER aderumier at odiso.com
Wed Sep 6 08:07:37 CEST 2017


Hi,

in
 /usr/share/perl5/PVE/Firewall.pm 

find

        if ($ipfilter_ipset) {
            ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
        }


and try to add

        if ($ipfilter_ipset) {
            ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
            my $lc_direction = lc($direction);
            my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
            ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel);

        }

and restart pve-firewall service


Tell me if it works and I'll send a patch.

----- Original Message -----
From: "Tom Weber" <pve at junkyard.4t2.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Tuesday, 5 September 2017 17:30:07
Subject: [pve-devel] better firewall logging possible?

Hi there, 

today I had to figure out the hard way that the Firewall Option 'IP filter' 
(at least in PVE 5.0 for Containers) drops packets silently without any 
logging at all, even if the log_level_* is set. 

If I set the log_level, I'd expect to see _all_ dropped packets in the 
Log. (This gave me a hell of a time today with a DHCP Server inside a 
container). 

Regards, 
Tom 

ps: is this the right place for such a feature request? 


_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
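
Added example, not part of either message and not PVE code: a small Python model of netfilter chain traversal (a log target is non-terminating, DROP ends traversal) for checking where a log rule must sit so that packets dropped by the ipset filter are recorded. The set contents, addresses and log prefixes are constructed, and the first ordering assumes a log rule appended after the DROP with no match condition of its own.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

ALLOWED = {"192.0.2.10"}  # constructed stand-in for the guest's IP filter ipset


def not_in_set(src: str) -> bool:
    """Models: -m set ! --match-set <ipset> src"""
    return src not in ALLOWED


def any_packet(src: str) -> bool:
    """Models a rule that carries no match condition."""
    return True


@dataclass
class Rule:
    match: Callable[[str], bool]
    target: str        # "LOG" continues to the next rule, "DROP" terminates
    prefix: str = ""


def traverse(chain: List[Rule], src: str) -> Tuple[str, List[str]]:
    """Walk the chain in order; return (verdict, log lines emitted)."""
    logs: List[str] = []
    for rule in chain:
        if not rule.match(src):
            continue
        if rule.target == "LOG":
            logs.append(f"{rule.prefix}SRC={src}")
        elif rule.target == "DROP":
            return "DROP", logs
    return "CONTINUE", logs  # packet moves on to the rest of the ruleset


# Assumed ordering A: DROP first, then a log rule without a match condition.
LOG_AFTER_DROP = [Rule(not_in_set, "DROP"), Rule(any_packet, "LOG", "policy DROP: ")]
# Ordering B: a log rule with the same ipset match, placed before the DROP.
LOG_BEFORE_DROP = [Rule(not_in_set, "LOG", "ipfilter DROP: "), Rule(not_in_set, "DROP")]


def dropped_without_log(chain: List[Rule], sources: List[str]) -> List[str]:
    """Return the sources that were dropped without producing any log line."""
    silent = []
    for src in sources:
        verdict, logs = traverse(chain, src)
        if verdict == "DROP" and not logs:
            silent.append(src)
    return silent
```

In this model, ordering A still drops the filtered source silently and instead logs the allowed source as it passes, while ordering B logs exactly the packets the ipset rule drops.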



