[pve-devel] better firewall logging possible?
Tom Weber
pve at junkyard.4t2.com
Wed Sep 6 16:24:15 CEST 2017
Hi,
This patch compiles, but it won't work.
It still DROPs without logging.
Now it logs the packets that don't get dropped.
The first DROP stops the evaluation of the chain. Everything else gets
logged.
Chain veth144010i2-OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere ! match-set PVEFW-1DB4EE2A src
0 0 NFLOG all -- any any anywhere anywhere nflog-prefix ":144010:4:veth144010i2-OUT: policyXXX: DROP"
Changing the order will make it log everything.
I think the blacklist option does it right:
sub ruleset_chain_add_input_filters {
    my ($ruleset, $chain, $ipversion, $options, $cluster_conf, $loglevel) = @_;

    if ($cluster_conf->{ipset}->{blacklist}){
        # Create the shared PVEFW-blacklist chain once: the log rule comes
        # first, the terminating DROP last.
        if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) {
            ruleset_create_chain($ruleset, "PVEFW-blacklist");
            ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel;
            ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP");
        }
        # Traffic from blacklisted sources jumps into that chain.
        my $ipset_chain = compute_ipset_chain_name(0, 'blacklist', $ipversion);
        ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} src -j PVEFW-blacklist");
    }
Unfortunately I'm too short on time right now to create a proper patch
myself.
This is the non-working version so far:
--- Firewall.pm.ORIG 2017-09-06 11:27:00.158674622 +0200
+++ Firewall.pm 2017-09-06 15:51:27.850452259 +0200
@@ -2081,8 +2081,9 @@
}
}
+#XXX
sub ruleset_create_vm_chain {
- my ($ruleset, $chain, $ipversion, $options, $macaddr,
$ipfilter_ipset, $direction) = @_;
+ my ($ruleset, $chain, $ipversion, $options, $macaddr,
$ipfilter_ipset, $direction, $vmid) = @_;
ruleset_create_chain($ruleset, $chain);
my $accept = generate_nfqueue($options);
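Review bot: adding a trailing `$vmid` parameter to `ruleset_create_vm_chain` changes the sub's signature, so every caller has to pass it (the one in the third hunk does; any other caller would silently pass undef, and the nflog prefix built from it would lose the VM id). The `+#XXX` marker line above the sub should not go into a real patch.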
@@ -2119,8 +2120,11 @@
if ($ipversion == 6 && !$options->{radv}) {
ruleset_addrule($ruleset, $chain, '-p icmpv6 --icmpv6-type
router-advertisement -j DROP');
}
+# XXX
if ($ipfilter_ipset) {
ruleset_addrule($ruleset, $chain, "-m set ! --match-set
$ipfilter_ipset src -j DROP");
+ my $loglevel = get_option_log_level($options,
"log_level_out");
+ ruleset_addlog($ruleset, $chain, $vmid, "policyXXX: DROP",
$loglevel);
}
ruleset_addrule($ruleset, $chain, "-j MARK --set-mark
$FWACCEPTMARK_OFF"); # clear mark
}
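Review bot: the `ruleset_addlog` call is emitted after the `-m set ! --match-set $ipfilter_ipset src -j DROP` rule, so a packet that fails the ipset check is dropped before it can reach the NFLOG rule, and every packet that passes the check is logged instead; that is exactly the chain listing quoted at the top of the mail. Emit the log rule before the DROP with the same `-m set ! --match-set $ipfilter_ipset src` match, or jump to a dedicated chain that logs and then drops, as `ruleset_chain_add_input_filters` does with `PVEFW-blacklist`. Three smaller points: `$loglevel` is hardcoded to `"log_level_out"` although `$direction` is in scope (`lc($direction)` would keep it generic), `ruleset_addlog` is called unconditionally where the blacklist code guards with `if $loglevel`, and `"policyXXX: DROP"` is a placeholder string that needs a real policy text before this is submitted.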
@@ -2232,7 +2236,8 @@
if $options->{ipfilter} || $vmfw_conf->{ipset}-
>{$ipfilter_name};
# create chain with mac and ip filter
- ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options,
$macaddr, $ipfilter_ipset, $direction);
+#XXX
+ ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options,
$macaddr, $ipfilter_ipset, $direction, $vmid);
if ($options->{enable}) {
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf,
$vmfw_conf, $tapchain, $netid, $direction, $options, $ipversion);
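Review bot: the `+#XXX` marker line should be dropped from the final patch; the call itself matches the new signature. Since `$vmid` only ends up in the nflog prefix, confirm it is defined at this call site, otherwise the prefix is built from undef and the entry lands in the wrong log.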
On Wednesday, 06.09.2017, 13:39 +0200, Alexandre DERUMIER wrote:
> > > - $vmid and $policy are not (yet) available in
> > > ruleset_create_vm_chain
> for $vmid,
> ----------
> edit
>
> # create chain with mac and ip filter
> ruleset_create_vm_chain($ruleset, $tapchain, $ipversion,
> $options, $macaddr, $ipfilter_ipset, $direction);
>
> ->
>
> # create chain with mac and ip filter
> ruleset_create_vm_chain($ruleset, $tapchain, $ipversion,
> $options, $macaddr, $ipfilter_ipset, $direction, $vmid);
>
> then
>
> sub ruleset_create_vm_chain {
> my ($ruleset, $chain, $ipversion, $options, $macaddr,
> $ipfilter_ipset, $direction) = @_;
>
> ->
>
> sub ruleset_create_vm_chain {
> my ($ruleset, $chain, $ipversion, $options, $macaddr,
> $ipfilter_ipset, $direction, $vmid) = @_;
>
> for
> "policy $policy: "
> -------------------
> it's just a string, keep it empty for now, or "policy DROP"
>
> > > - $direction is always OUT in this block
> yes, but it needs to be lowercase for the rule
>
> I think this should be ok
> + my $lc_direction = lc($direction);
> + my $loglevel = get_option_log_level($options,
> "log_level_${lc_direction}");
>
> or
>
> my $loglevel = "log_level_out";
>
> > > - It doesn't produce anything in the log (doesn't it stop
> > > processing
> > > after the DROP?)
> in other rules it's added after the DROP.
> Try adding it before, to test (but I think that the missing $vmid
> was the problem for logging to the correct logfile).
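As an added example, not code from this thread or from pve-firewall: a small lint over `iptables -nvL` output that catches the two ways a log rule ends up not logging what its prefix claims. A rule placed after a catch-all ACCEPT/DROP/REJECT is unreachable, because the first terminating target ends evaluation of the chain, and an NFLOG rule whose prefix ends in a verdict must be immediately followed by that verdict with the same match, which is the log-then-drop shape `PVEFW-blacklist` uses. The broken listing is the one quoted above; the two corrected listings, the assumption that the prefix `:vmid:level:chain: policy: VERDICT` ends with the verdict, and the chain name `PVEFW-ipfilter-drop` are constructed for the example.

```python
"""Lint `iptables -nvL` output for log rules that cannot log what they claim.

Added example, not pve-firewall code.  Checks:
1. any rule after a catch-all ACCEPT/DROP/REJECT is unreachable;
2. an NFLOG/LOG rule whose prefix ends in a verdict (assumed format
   ":vmid:level:chain: policy: DROP") must be followed by that verdict
   with the same match, otherwise it logs the wrong packets.
"""
import re
from dataclasses import dataclass

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
LOGGING = {"NFLOG", "LOG"}
WILDCARD = {"all", "--", "*", "any", "anywhere", "0.0.0.0/0", "::/0"}
PROTOCOLS = {"all", "tcp", "udp", "udplite", "icmp", "icmpv6", "ipv6-icmp", "esp", "ah", "sctp"}

CHAIN_RE = re.compile(r"^Chain\s+(\S+)\s+\(")
PREFIX_RE = re.compile(r'(?:nflog-prefix|prefix)\s+"([^"]*)"')


@dataclass
class Rule:
    target: str   # "" for a rule without -j
    fixed: tuple  # prot, opt, in, out, source, destination columns
    extra: str    # match extensions and target options, e.g. "! match-set X src"

    def is_catch_all(self):
        return all(f in WILDCARD for f in self.fixed) and not self.extra

    def match_key(self):
        # Everything that selects packets; the log prefix is not part of the match.
        return (self.fixed, PREFIX_RE.sub("", self.extra).strip())

    def claimed_verdict(self):
        m = PREFIX_RE.search(self.extra)
        words = m.group(1).split() if m else []
        return words[-1] if words and words[-1] in TERMINATING else None


def parse_listing(text):
    """Return {chain_name: [Rule, ...]} from iptables/ip6tables -nvL output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        if current is None or len(fields) < 8 or fields[0] == "pkts":
            continue
        # The target column is empty for rules without -j; then column 3 is the protocol.
        if fields[2] in PROTOCOLS or fields[2].isdigit():
            target, rest = "", fields[2:]
        else:
            target, rest = fields[2], fields[3:]
        chains[current].append(Rule(target, tuple(rest[:6]), " ".join(rest[6:])))
    return chains


def lint(chains):
    findings = []
    for name, rules in chains.items():
        blocker = None  # index of the first catch-all terminating rule
        for i, rule in enumerate(rules):
            if blocker is not None:
                findings.append(f"{name}: rule {i + 1} is unreachable, rule {blocker + 1} "
                                f"is a catch-all {rules[blocker].target}")
                continue
            verdict = rule.claimed_verdict() if rule.target in LOGGING else None
            if verdict:
                nxt = rules[i + 1] if i + 1 < len(rules) else None
                if nxt is None or nxt.target != verdict or nxt.match_key() != rule.match_key():
                    findings.append(f"{name}: rule {i + 1} logs with prefix verdict {verdict} "
                                    f"but is not followed by {verdict} with the same match")
            if rule.target in TERMINATING and rule.is_catch_all():
                blocker = i
    return findings


# Listing from the post: DROP first, so NFLOG only sees packets that were not dropped.
BROKEN = """\
Chain veth144010i2-OUT (1 references)
 pkts bytes target prot opt in  out source   destination
    0     0 DROP   all  --  any any anywhere anywhere ! match-set PVEFW-1DB4EE2A src
    0     0 NFLOG  all  --  any any anywhere anywhere nflog-prefix ":144010:4:veth144010i2-OUT: policyXXX: DROP"
"""
# Constructed fix 1: log rule with the same match, placed before the DROP.
FIXED_INLINE = """\
Chain veth144010i2-OUT (1 references)
 pkts bytes target prot opt in  out source   destination
    0     0 NFLOG  all  --  any any anywhere anywhere ! match-set PVEFW-1DB4EE2A src nflog-prefix ":144010:4:veth144010i2-OUT: policy: DROP"
    0     0 DROP   all  --  any any anywhere anywhere ! match-set PVEFW-1DB4EE2A src
"""
# Constructed fix 2: the PVEFW-blacklist pattern, with a hypothetical chain name.
FIXED_CHAIN = """\
Chain veth144010i2-OUT (1 references)
 pkts bytes target              prot opt in  out source   destination
    0     0 PVEFW-ipfilter-drop all  --  any any anywhere anywhere ! match-set PVEFW-1DB4EE2A src

Chain PVEFW-ipfilter-drop (1 references)
 pkts bytes target prot opt in  out source   destination
    0     0 NFLOG  all  --  any any anywhere anywhere nflog-prefix ":144010:4:PVEFW-ipfilter-drop: policy: DROP"
    0     0 DROP   all  --  any any anywhere anywhere
"""

if __name__ == "__main__":
    for label, listing in (("broken", BROKEN), ("inline", FIXED_INLINE), ("chain", FIXED_CHAIN)):
        print(label, lint(parse_listing(listing)) or "ok")
```

On a node, the same check runs over live state by feeding the output of `iptables -nvL` (or `ip6tables -nvL`) to `parse_listing`; the prefix verdict check only fires for rules whose prefix actually ends in ACCEPT, DROP or REJECT, so chains that log for other reasons are left alone.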