[pve-devel] [PATCH] add log for ipfilter, macfilter && ipv6 router-advertisement
Alexandre Derumier
aderumier at odiso.com
Thu Sep 7 03:22:22 CEST 2017
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
src/PVE/Firewall.pm | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index cc81325..43052b1 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2082,7 +2082,10 @@ sub ruleset_chain_add_input_filters {
}
sub ruleset_create_vm_chain {
- my ($ruleset, $chain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction) = @_;
+ my ($ruleset, $chain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction, $vmid) = @_;
+
+ my $lc_direction = lc($direction);
+ my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
ruleset_create_chain($ruleset, $chain);
my $accept = generate_nfqueue($options);
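Review bot: The new `$vmid` argument is appended as a trailing positional parameter with no default and no check, and the only call site updated in this patch is the one in generate_tap_rules_direction; any other caller of ruleset_create_vm_chain that still passes seven arguments would hand undef to ruleset_addlog as the VM id, which presumably makes the generated log prefix unattributable (inferred, ruleset_addlog is not shown). A comment on the signature line stating the contract would help, e.g. `# $vmid is only used to tag the log entries emitted by ruleset_addlog`, and a guard such as `warn "ruleset_create_vm_chain: missing vmid for chain $chain" if !defined $vmid;` would surface a stale caller without changing rule output. `$loglevel` is derived from `log_level_${lc_direction}` here for both directions, while the log calls added further down only exist in the OUT branch, so the IN computation is currently unused. ruleset_create_vm_chain continues past the end of this hunk.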
@@ -2114,13 +2117,19 @@ sub ruleset_create_vm_chain {
if ($direction eq 'OUT') {
if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
- ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP");
+ my $rule = "-m mac ! --mac-source $macaddr";
+ ruleset_addlog($ruleset, $chain, $vmid, "policy DROP: ", $loglevel, $rule);
+ ruleset_addrule($ruleset, $chain, "$rule -j DROP");
}
if ($ipversion == 6 && !$options->{radv}) {
- ruleset_addrule($ruleset, $chain, '-p icmpv6 --icmpv6-type router-advertisement -j DROP');
+ my $rule = "-p icmpv6 --icmpv6-type router-advertisement";
+ ruleset_addlog($ruleset, $chain, $vmid, "policy DROP: ", $loglevel, $rule);
+ ruleset_addrule($ruleset, $chain, "$rule -j DROP");
}
if ($ipfilter_ipset) {
- ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
+ my $rule = "-m set ! --match-set $ipfilter_ipset src";
+ ruleset_addlog($ruleset, $chain, $vmid, "policy DROP: ", $loglevel, $rule);
+ ruleset_addrule($ruleset, $chain, "$rule -j DROP");
}
ruleset_addrule($ruleset, $chain, "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
}
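Review bot: All three new ruleset_addlog calls use the identical prefix `"policy DROP: "`, so an operator reading the firewall log cannot tell whether a packet was dropped by the MAC filter, the router-advertisement filter or the IP-set filter, and the prefix also misnames these as a chain policy when they are explicit filter rules. Distinct prefixes would make the entries actionable, e.g. `ruleset_addlog($ruleset, $chain, $vmid, "macfilter DROP: ", $loglevel, $rule);`, `ruleset_addlog($ruleset, $chain, $vmid, "radv DROP: ", $loglevel, $rule);` and `ruleset_addlog($ruleset, $chain, $vmid, "ipfilter DROP: ", $loglevel, $rule);`. The `my $rule` / addlog / addrule triple is repeated three times and could be folded into a small private helper, but that is optional. The enclosing sub starts before and ends after this hunk; the closing brace on the last line only ends the `if ($direction eq 'OUT')` block.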
@@ -2232,7 +2241,7 @@ sub generate_tap_rules_direction {
if $options->{ipfilter} || $vmfw_conf->{ipset}->{$ipfilter_name};
# create chain with mac and ip filter
- ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);
+ ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction, $vmid);
if ($options->{enable}) {
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options, $ipversion);
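Review bot: `$vmid` is passed through here but is not declared anywhere in the visible lines, and the signature of generate_tap_rules_direction lies outside the hunk; please confirm it is an existing parameter or lexical of that sub, since under `use strict` an undeclared `$vmid` would fail at compile time and a stale same-named variable would mis-tag every log line for this chain. A short comment on the call, e.g. `# $vmid only tags the log entries for this chain`, would make the purpose of the extra argument clear to the next reader.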
--
2.11.0