[pve-devel] better firewall logging possible?
Tom Weber
pve at junkyard.4t2.com
Wed Sep 6 12:01:14 CEST 2017
Hi,
thanks for the quick reply.
It doesn't seem to be that easy though.
This one compiles:
--- Firewall.pm.ORIG 2017-09-06 11:27:00.158674622 +0200
+++ Firewall.pm 2017-09-06 11:39:07.801620128 +0200
@@ -2119,8 +2119,13 @@
if ($ipversion == 6 && !$options->{radv}) {
ruleset_addrule($ruleset, $chain, '-p icmpv6 --icmpv6-type router-advertisement -j DROP');
}
+# XXX
if ($ipfilter_ipset) {
ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
+ my $lc_direction = lc($direction);
+ my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
+ #ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel);
+ ruleset_addlog($ruleset, $chain, "FIXME-vmid", "policy: FIXME-policy", $loglevel);
}
ruleset_addrule($ruleset, $chain, "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
}
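Review bot: the new `ruleset_addlog(...)` call is emitted after the `-m set ! --match-set $ipfilter_ipset src -j DROP` rule, so any packet that fails the ipset match is dropped before it can reach the NFLOG rule, and because the log rule carries no match of its own it would log every packet that passes the DROP rather than the dropped ones. Emit the log rule before the DROP and attach the same `-m set ! --match-set $ipfilter_ipset src` condition to it; `ruleset_addlog` as called here only takes the chain, an id, a prefix and the log level, so the match has to be supplied another way. The `# XXX` marker, the commented-out call and the "FIXME-vmid" / "FIXME-policy" placeholder strings should not land in a final version either; `$vmid` and `$policy` will need to be passed into `ruleset_create_vm_chain`.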
- $vmid and $policy are not (yet) available in ruleset_create_vm_chain
- $direction is always OUT in this block
- It doesn't produce anything in the log (doesn't it stop processing after the DROP?)
This is the generated chain:
Chain veth144010i2-OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere ! match-set PVEFW-1DB4EE2A src
0 0 NFLOG all -- any any anywhere anywhere nflog-prefix ":FIXME-vmid:4:veth144010i2-OUT: policy: FIXME-policy"
0 0 MARK all -- any any anywhere anywhere MARK and 0x7fffffff
0 0 GROUP-dns-server-OUT all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere mark match 0x80000000/0x80000000
0 0 GROUP-default-guests-OUT all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere mark match 0x80000000/0x80000000
0 0 GROUP-dhcp-server-OUT all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere mark match 0x80000000/0x80000000
0 0 GROUP-mail-sender-OUT all -- any any anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere mark match 0x80000000/0x80000000
0 0 PVEFW-SET-ACCEPT-MARK udp -- any any anywhere anywhere [goto] udp dpt:discard
0 0 PVEFW-Reject all -- any any anywhere anywhere
0 0 NFLOG all -- any any anywhere anywhere nflog-prefix ":144010:4:veth144010i2-OUT: policy REJECT: "
0 0 PVEFW-reject all -- any any anywhere anywhere [goto]
0 0 all -- any any anywhere anywhere /* PVESIG:j/bfq13umaUL2xMG35f2FLY+hPU */
Tom