[pve-devel] better firewall logging possible?
Tom Weber
pve at junkyard.4t2.com
Wed Sep 6 22:18:39 CEST 2017
The attached patch works for me and was tested with the ipfilter option.
I also added logging for the 2 other silent DROPs above - untested though.
Maybe someone could verify and even commit (no git repository for pve over here - yet).
Tom
On Wednesday, 06.09.2017, 16:24 +0200, Tom Weber wrote:
>
> Hi,
>
> This patch compiles, but it won't work.
>
> It still DROPs without logging.
>
> Now it logs the packets that don't get dropped.
> The first DROP stops the evaluation of the chain. Everything else gets logged.
>
> Chain veth144010i2-OUT (1 references)
>  pkts bytes target  prot opt in   out  source    destination
>     0     0 DROP    all  --  any  any  anywhere  anywhere     ! match-set PVEFW-1DB4EE2A src
>     0     0 NFLOG   all  --  any  any  anywhere  anywhere     nflog-prefix ":144010:4:veth144010i2-OUT: policyXXX: DROP"
>
> Changing the order will make it log everything.
>
> I think the blacklist option does it right:
>
> sub ruleset_chain_add_input_filters {
>     my ($ruleset, $chain, $ipversion, $options, $cluster_conf, $loglevel) = @_;
>
>     if ($cluster_conf->{ipset}->{blacklist}) {
>         # dedicated chain: log first, then DROP, so the log rule is always reached
>         if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) {
>             ruleset_create_chain($ruleset, "PVEFW-blacklist");
>             ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel;
>             ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP");
>         }
>         my $ipset_chain = compute_ipset_chain_name(0, 'blacklist', $ipversion);
>         # blacklisted sources jump into that chain instead of hitting a bare DROP
>         ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} src -j PVEFW-blacklist");
>     }
[...]
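To make the ordering problem from the quoted listing concrete, here is an added Python model of netfilter chain traversal (not PVE code): it compares the DROP-then-NFLOG order against the blacklist-style log-then-drop subchain. The chain name and log prefix come from the quoted output; PVEFW-ipfilter-drop and the sample addresses are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Rule:
    target: str                                   # DROP, ACCEPT, NFLOG or a user chain
    match: Callable[[dict], bool] = lambda p: True
    prefix: str = ""                              # nflog-prefix for NFLOG rules

@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    log: List[tuple] = field(default_factory=list)   # (prefix, src) per NFLOG hit

    def add(self, chain: str, rule: Rule) -> None:
        self.chains.setdefault(chain, []).append(rule)

    def run(self, chain: str, pkt: dict) -> Optional[str]:
        """Netfilter-style walk: NFLOG is non-terminating, DROP/ACCEPT end traversal."""
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            if rule.target == "NFLOG":
                self.log.append((rule.prefix, pkt["src"]))
                continue                           # logging never ends evaluation
            if rule.target in ("DROP", "ACCEPT"):
                return rule.target                 # terminating verdict
            verdict = self.run(rule.target, pkt)   # jump into a user chain
            if verdict is not None:
                return verdict
        return None                                # fell off the end: back to caller

BROKEN_PREFIX = ":144010:4:veth144010i2-OUT: policyXXX: DROP"

def build_broken(rs: Ruleset, allowed: set) -> None:
    # Order from the quoted listing: DROP before an unconditional NFLOG, so spoofed
    # sources are dropped silently and only the packets that pass get logged.
    rs.add("veth144010i2-OUT", Rule("DROP", lambda p: p["src"] not in allowed))  # ! --match-set src
    rs.add("veth144010i2-OUT", Rule("NFLOG", prefix=BROKEN_PREFIX))

def build_fixed(rs: Ruleset, allowed: set) -> None:
    # Blacklist-style layout: failing packets jump into a dedicated chain that logs
    # and then drops. PVEFW-ipfilter-drop is a hypothetical placeholder chain name.
    rs.add("PVEFW-ipfilter-drop", Rule("NFLOG", prefix="DROP: "))
    rs.add("PVEFW-ipfilter-drop", Rule("DROP"))
    rs.add("veth144010i2-OUT", Rule("PVEFW-ipfilter-drop", lambda p: p["src"] not in allowed))

def simulate(builder, allowed: set, src: str):
    # Returns (verdict, log entries) for one constructed packet from `src`.
    rs = Ruleset()
    builder(rs, allowed)
    return rs.run("veth144010i2-OUT", {"src": src}), rs.log
```

With the broken layout a spoofed source is dropped with an empty log while the legitimate source is the one that gets logged; with the dedicated chain only the dropped packet produces a log entry.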