[pve-devel] better firewall logging possible?

Tom Weber pve at junkyard.4t2.com
Wed Sep 6 22:18:39 CEST 2017


The attached patch works for me and was tested with the ipfilter option.
I also added logging for the 2 other silent DROPs above - untested though.

Maybe someone could verify and even commit it (no git repository for pve
over here - yet).

  Tom


Am Mittwoch, den 06.09.2017, 16:24 +0200 schrieb Tom Weber:
> Hi,
> 
> This patch compiles, but it won't work.
> 
> It still DROPs without logging.
> 
> Now it logs the packets that don't get dropped.
> The first DROP stops the evaluation of the chain. Everything else gets logged.
> 
> Chain veth144010i2-OUT (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  any    any     anywhere             anywhere             ! match-set PVEFW-1DB4EE2A src
>     0     0 NFLOG      all  --  any    any     anywhere             anywhere             nflog-prefix  ":144010:4:veth144010i2-OUT: policyXXX: DROP"
> 
> changing the order will make it log everything.
> 
> I think the blacklist option does it right:
> 
> sub ruleset_chain_add_input_filters {
>     my ($ruleset, $chain, $ipversion, $options, $cluster_conf, $loglevel) = @_;
> 
>     if ($cluster_conf->{ipset}->{blacklist}){
>         # dedicated chain: log first (non-terminating), then DROP
>         if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) {
>             ruleset_create_chain($ruleset, "PVEFW-blacklist");
>             ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel;
>             ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP");
>         }
>         # jump into that chain for every source that is in the blacklist ipset
>         my $ipset_chain = compute_ipset_chain_name(0, 'blacklist', $ipversion);
>         ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} src -j PVEFW-blacklist");
>     }
[...]
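The ordering problem discussed in this thread, as an added example that is not part of the original mail or of the pve-firewall code: a small model of iptables chain traversal, where NFLOG is non-terminating and the first terminating target (DROP/ACCEPT) ends evaluation. The broken layout from the quoted `iptables -L` output (DROP on `! match-set`, NFLOG after it) logs only the packets that were *not* dropped, while the PVEFW-blacklist pattern (jump into a chain that logs, then drops) logs exactly the dropped ones. The chain name `PVEFW-ipfilter-drop`, the `veth-OUT` chain and the IP addresses are constructed for the example.

```python
"""Minimal model of iptables chain traversal, enough to show why a DROP rule
placed before an NFLOG rule never logs the packets it drops, and why a
dedicated "log then drop" chain (the PVEFW-blacklist pattern) does.
Constructed example; chain names other than the ipset name are hypothetical."""

from dataclasses import dataclass, field
from typing import Callable

TERMINATING = {"DROP", "ACCEPT", "REJECT"}


@dataclass
class Rule:
    match: Callable[[dict], bool]   # packet -> bool
    target: str                     # DROP, ACCEPT, NFLOG, RETURN or a user chain
    log_prefix: str = ""            # only used by NFLOG


@dataclass
class Ruleset:
    chains: dict = field(default_factory=dict)
    ipsets: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # NFLOG output, in evaluation order

    def add_chain(self, name):
        self.chains.setdefault(name, [])

    def add_rule(self, chain, match, target, log_prefix=""):
        self.chains[chain].append(Rule(match, target, log_prefix))

    def match_set(self, setname, negate=False):
        """Closure equivalent to '-m set [!] --match-set <set> src'."""
        def m(pkt):
            hit = pkt["src"] in self.ipsets.get(setname, set())
            return not hit if negate else hit
        return m

    def run(self, chain, pkt):
        """Walk a chain; return the verdict, or None if the chain falls through."""
        for rule in self.chains[chain]:
            if not rule.match(pkt):
                continue
            if rule.target == "NFLOG":            # non-terminating: log, keep going
                self.log.append(f"{rule.log_prefix} src={pkt['src']}")
            elif rule.target == "RETURN":
                return None
            elif rule.target in TERMINATING:
                return rule.target                # first terminating target ends evaluation
            else:                                 # jump into a user chain
                verdict = self.run(rule.target, pkt)
                if verdict is not None:
                    return verdict
        return None


def build_broken(allowed):
    """Order from the quoted output: DROP on '! match-set' first, NFLOG second."""
    rs = Ruleset()
    rs.ipsets["PVEFW-1DB4EE2A"] = set(allowed)
    rs.add_chain("veth-OUT")
    rs.add_rule("veth-OUT", rs.match_set("PVEFW-1DB4EE2A", negate=True), "DROP")
    rs.add_rule("veth-OUT", lambda p: True, "NFLOG", "policy DROP")
    return rs


def build_fixed(allowed):
    """PVEFW-blacklist pattern: jump into a chain that logs, then drops."""
    rs = Ruleset()
    rs.ipsets["PVEFW-1DB4EE2A"] = set(allowed)
    rs.add_chain("PVEFW-ipfilter-drop")          # hypothetical chain name
    rs.add_rule("PVEFW-ipfilter-drop", lambda p: True, "NFLOG", "ipfilter DROP")
    rs.add_rule("PVEFW-ipfilter-drop", lambda p: True, "DROP")
    rs.add_chain("veth-OUT")
    rs.add_rule("veth-OUT", rs.match_set("PVEFW-1DB4EE2A", negate=True),
                "PVEFW-ipfilter-drop")
    rs.add_rule("veth-OUT", lambda p: True, "ACCEPT")
    return rs


def evaluate(rs, chain, pkts):
    """Return ([verdict per packet], [log lines]) for a ruleset."""
    verdicts = [rs.run(chain, p) for p in pkts]
    return verdicts, list(rs.log)


# Constructed traffic: the VM's assigned address, then a spoofed source.
PACKETS = [{"src": "10.0.0.5"}, {"src": "192.168.1.9"}]
ALLOWED = ["10.0.0.5"]

if __name__ == "__main__":
    print("broken:", evaluate(build_broken(ALLOWED), "veth-OUT", PACKETS))
    print("fixed: ", evaluate(build_fixed(ALLOWED), "veth-OUT", PACKETS))
```

In the broken layout the spoofed packet is dropped silently and the legitimate one produces the log line, which is exactly the "it logs the packets that don't get dropped" symptom above; with the log-then-drop chain the only log line belongs to the dropped packet.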

