[pve-devel] better firewall logging possible?

Alexandre DERUMIER aderumier at odiso.com
Wed Sep 6 13:39:43 CEST 2017


>>- $vmid and $policy are not (yet) available in ruleset_create_vm_chain 

for $vmid,
----------
edit

    # create chain with mac and ip filter
    ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);

->

    # create chain with mac and ip filter
    ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction, $vmid);




then

sub ruleset_create_vm_chain {
    my ($ruleset, $chain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction) = @_;


->

sub ruleset_create_vm_chain {
    my ($ruleset, $chain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction, $vmid) = @_;





for
"policy $policy: "
-------------------
it's just a string, keep it empty for now, or "policy DROP"




>>- $direction is always OUT in this block 
yes, but it needs to be used in lowercase for the rule

I think this should be ok
+ my $lc_direction = lc($direction); 
+ my $loglevel = get_option_log_level($options, "log_level_${lc_direction}"); 


or

my $loglevel = "log_level_out";


>>- It doesn't produce anything in the log (doesn't it stop processing 
>>after the DROP?) 

in other rules it's added after the DROP.
try adding it before, to test. (but I think that the missing $vmid was the problem for logging to the correct logfile)




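The ordering question discussed above (a log rule placed after a terminating DROP), as an added Python model that is not part of this thread or of pve-firewall: it walks a chain the way iptables does and compares the layout from the posted patch with one where the NFLOG rule precedes the DROP and carries the same ipset match. The ipset contents and the second log prefix are constructed.

```python
# Constructed model of iptables chain traversal (not pve-firewall code): DROP,
# ACCEPT, REJECT and RETURN are terminating targets, NFLOG is not, so where the
# NFLOG rule sits relative to the DROP decides which packets get logged.

IPSET = {"10.0.0.5"}  # constructed stand-in for the PVEFW-1DB4EE2A ipset
TERMINATING = {"DROP", "ACCEPT", "REJECT", "RETURN"}

def not_in_ipset(pkt):
    """Match for '-m set ! --match-set <ipset> src'."""
    return pkt["src"] not in IPSET

def any_packet(pkt):
    """A rule without a match, like the NFLOG rule in the generated chain."""
    return True

def run_chain(rules, pkt):
    """Walk the chain in order; return (verdict, list of NFLOG prefixes)."""
    logged = []
    for match, target, prefix in rules:  # rule = (match_fn, target, prefix)
        if not match(pkt):
            continue
        if target == "NFLOG":  # non-terminating: record and keep walking
            logged.append(prefix)
        elif target in TERMINATING:
            return target, logged
    return "POLICY", logged  # fell off the end: the chain policy applies

# Layout from the thread: log rule added after the DROP, and without a match.
AS_POSTED = [
    (not_in_ipset, "DROP", None),
    (any_packet, "NFLOG", ":FIXME-vmid:4:veth144010i2-OUT: policy: FIXME-policy"),
]

# Log rule before the DROP, carrying the same ipset match (prefix constructed
# from the "policy DROP" wording suggested in the reply).
LOG_BEFORE_DROP = [
    (not_in_ipset, "NFLOG", ":144010:4:veth144010i2-OUT: policy DROP: "),
    (not_in_ipset, "DROP", None),
]

def compare(src):
    """Run one packet with source `src` through both layouts."""
    pkt = {"src": src}
    return {"as_posted": run_chain(AS_POSTED, pkt),
            "log_before_drop": run_chain(LOG_BEFORE_DROP, pkt)}

if __name__ == "__main__":
    for src in ("10.0.0.5", "192.0.2.9"):
        print(src, compare(src))
```

With the posted layout the dropped packet is never logged while every allowed packet is; with the log rule in front of the DROP and sharing its match, only the dropped packet produces an NFLOG entry.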
----- Original message -----
From: "Tom Weber" <pve at junkyard.4t2.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday 6 September 2017 12:01:14
Subject: Re: [pve-devel] better firewall logging possible?

Hi, 

thanks for the quick reply. 
it doesn't seem to be that easy though. 

this one compiles: 

--- Firewall.pm.ORIG 2017-09-06 11:27:00.158674622 +0200 
+++ Firewall.pm 2017-09-06 11:39:07.801620128 +0200 
@@ -2119,8 +2119,13 @@ 
if ($ipversion == 6 && !$options->{radv}) { 
ruleset_addrule($ruleset, $chain, '-p icmpv6 --icmpv6-type router-advertisement -j DROP'); 
} 
+# XXX 
if ($ipfilter_ipset) { 
ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP"); 
+ my $lc_direction = lc($direction); 
+ my $loglevel = get_option_log_level($options, "log_level_${lc_direction}"); 
+ #ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel); 
+ ruleset_addlog($ruleset, $chain, "FIXME-vmid", "policy: FIXME-policy", $loglevel); 
} 
ruleset_addrule($ruleset, $chain, "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark 
} 
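Review bot: the added `ruleset_addlog(...)` call is placed after `ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");`, and DROP is a terminating target, so any packet that fails the ipset check has already left the chain before the NFLOG rule is reached; the log rule itself also carries no match, so as written it would fire for every packet that passed the check rather than for the ones being dropped. Move the log rule in front of the DROP and give it the same `-m set ! --match-set $ipfilter_ipset src` match so that only the dropped packets are logged. The `# XXX` marker and the hardcoded "FIXME-vmid" / "policy: FIXME-policy" placeholders also need resolving before this can be merged: pass `$vmid` into `ruleset_create_vm_chain` from its caller, and use a fixed message such as "policy DROP: " since no `$policy` exists in this scope.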


- $vmid and $policy are not (yet) available in ruleset_create_vm_chain 
- $direction is always OUT in this block 
- It doesn't produce anything in the log (doesn't it stop processing 
after the DROP?) 

this is the generated chain: 

Chain veth144010i2-OUT (1 references) 
pkts bytes target prot opt in out source destination 
0 0 DROP all -- any any anywhere anywhere ! match-set PVEFW-1DB4EE2A src 
0 0 NFLOG all -- any any anywhere anywhere nflog-prefix ":FIXME-vmid:4:veth144010i2-OUT: policy: FIXME-policy" 
0 0 MARK all -- any any anywhere anywhere MARK and 0x7fffffff 
0 0 GROUP-dns-server-OUT all -- any any anywhere anywhere 
0 0 RETURN all -- any any anywhere anywhere mark match 0x80000000/0x80000000 
0 0 GROUP-default-guests-OUT all -- any any anywhere anywhere 
0 0 RETURN all -- any any anywhere anywhere mark match 0x80000000/0x80000000 
0 0 GROUP-dhcp-server-OUT all -- any any anywhere anywhere 
0 0 RETURN all -- any any anywhere anywhere mark match 0x80000000/0x80000000 
0 0 GROUP-mail-sender-OUT all -- any any anywhere anywhere 
0 0 RETURN all -- any any anywhere anywhere mark match 0x80000000/0x80000000 
0 0 PVEFW-SET-ACCEPT-MARK udp -- any any anywhere anywhere [goto] udp dpt:discard 
0 0 PVEFW-Reject all -- any any anywhere anywhere 
0 0 NFLOG all -- any any anywhere anywhere nflog-prefix ":144010:4:veth144010i2-OUT: policy REJECT: " 
0 0 PVEFW-reject all -- any any anywhere anywhere [goto] 
0 0 all -- any any anywhere anywhere /* PVESIG:j/bfq13umaUL2xMG35f2FLY+hPU */ 



Tom 

_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 