[pve-devel] [PATCH] add log for ipfilter, macfilter && ipv6 router-advertisement

Alexandre DERUMIER aderumier at odiso.com
Thu Sep 7 09:30:39 CEST 2017


>>you are aware that $rule is used elsewhere and in a totally different 
>>way? just look in ruleset_add_group_rule. That's why I named it 
>>$matchrule initially to avoid confusion. 

we already used it like this in:

sub ruleset_addlog {
    ...
    $logrule = "$rule $logrule" if defined($rule);
}

so I think it's fine.

(sorry, but I haven't seen your patch)




----- Original Message -----
From: "Tom Weber" <pve at junkyard.4t2.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Thursday, 7 September 2017 09:12:49
Subject: Re: [pve-devel] [PATCH] add log for ipfilter, macfilter && ipv6 router-advertisement

Hi Alexandre, 

I can test it later, thanks. 2 comments though. 

On Thursday, 07.09.2017 at 03:22 +0200, Alexandre Derumier wrote: 
> + my ($ruleset, $chain, $ipversion, $options, $macaddr, 
> $ipfilter_ipset, $direction, $vmid) = @_; 
> + 
> + my $lc_direction = lc($direction); 
> + my $loglevel = get_option_log_level($options, 
> "log_level_${lc_direction}"); 
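
Review bot: The option key on the get_option_log_level line is built from the caller-supplied $direction with no check that it is defined or one of the expected values, so an undefined or mistyped direction would look up a key such as "log_level_" rather than the intended option. Validate $direction at the top of the function, or pass the already-resolved log level in instead. The two new positional parameters ($direction, $vmid) at the end of the argument list also mean every existing caller has to be updated together with this change.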

in this function we're only logging for outgoing. it's always 
log_level_out if we need it. 

> - ruleset_addrule($ruleset, $chain, "-m mac ! --mac- 
> source 
> $macaddr -j DROP"); 
> + my $rule = "-m mac ! --mac-source $macaddr"; 
> + ruleset_addlog($ruleset, $chain, $vmid, "policy DROP: ", 
> $loglevel, $rule); 
> + ruleset_addrule($ruleset, $chain, "$rule -j DROP"); 
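
Review bot: The log message passed to ruleset_addlog for the MAC filter is the generic "policy DROP: ", which does not tell whoever reads the firewall log that the packet was dropped by the MAC source check; a filter-specific message would make these entries distinguishable from other drops. The call is also unconditional, so it is worth confirming that ruleset_addlog adds nothing when $loglevel is undefined. Reusing the single $rule string for both the log rule and the DROP rule is the right shape, since it keeps the two matches identical.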

you are aware that $rule is used elsewhere and in a totally different 
way? just look in ruleset_add_group_rule. That's why I named it 
$matchrule initially to avoid confusion. 

Tom 