[pve-devel] [PATCH v2 firewall 3/4] integrate logging into ruleset_addrule
Tom Weber
pve at junkyard.4t2.com
Wed Sep 27 00:02:32 CEST 2017
---
src/PVE/Firewall.pm | 33 ++++++++++-----------------------
1 file changed, 10 insertions(+), 23 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f1aecef..f8a9300 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2002,10 +2002,14 @@ sub ruleset_addrule_old {
}
sub ruleset_addrule {
- my ($ruleset, $chain, $match, $action, $log) = @_;
+ my ($ruleset, $chain, $match, $action, $log, $logmsg, $vmid) = @_;
die "no such chain '$chain'\n" if !$ruleset->{$chain};
+ if (defined($log) && $log) {
+ my $logaction = get_log_rule_base($chain, $vmid, $logmsg, $log);
+ push @{$ruleset->{$chain}}, "-A $chain $match $logaction";
+ }
push @{$ruleset->{$chain}}, "-A $chain $match $action";
}
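Review bot: The guard `if (defined($log) && $log)` is redundant — a true value is necessarily defined — and it also tightens the old contract without saying so: `ruleset_addlog` only skipped an undefined level, while a false-but-defined value (e.g. a numeric 0, if any caller ever passes syslog numbers rather than level names; I cannot tell from this patch) now silently drops the log rule instead of emitting it. If undefined is the only "no logging" value, `if (defined $log) {` preserves the previous behaviour exactly; if a false value is meant to disable logging, write `if ($log) {` and say so. The three new parameters also deserve a line above the `my (...)` unpacking, e.g. `# $log: log level or undef to skip logging; $logmsg/$vmid are passed through to get_log_rule_base (default "" / 0)`, since every existing caller omits some of them.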
@@ -2020,27 +2024,15 @@ sub ruleset_insertrule {
sub get_log_rule_base {
my ($chain, $vmid, $msg, $loglevel) = @_;
- die "internal error - no log level" if !defined($loglevel);
-
$vmid = 0 if !defined($vmid);
+ $msg = "" if !defined($msg);
# Note: we use special format for prefix to pass further
- # info to log daemon (VMID, LOGVELEL and CHAIN)
+ # info to log daemon (VMID, LOGLEVEL and CHAIN)
return "-j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: $msg\"";
}
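Review bot: Dropping the `die "internal error - no log level"` check leaves `get_log_rule_base` able to build an NFLOG prefix with an empty level field (`:0::CHAIN: msg`) when called with an undefined `$loglevel`, which only triggers an "uninitialized value" warning while the log daemon that parses this prefix receives a malformed record. `ruleset_addrule` is now the only guard, but the function is still an ordinary package sub and any other direct caller loses the check, so I would keep `die "internal error - no log level" if !defined($loglevel);` alongside the new `$msg` default. Defaulting `$msg` to `""` is fine; the prefix comment is now accurate. `ruleset_add_chain_policy`, whose first lines end this hunk, continues outside it.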
-sub ruleset_addlog {
- my ($ruleset, $chain, $vmid, $msg, $loglevel, $match) = @_;
-
- return if !defined($loglevel);
-
- my $logaction = get_log_rule_base($chain, $vmid, $msg, $loglevel);
-
- $match = "" if !defined $match;
- ruleset_addrule($ruleset, $chain, $match, $logaction);
-}
-
sub ruleset_add_chain_policy {
my ($ruleset, $chain, $ipversion, $vmid, $policy, $loglevel, $accept_action) = @_;
@@ -2053,15 +2045,11 @@ sub ruleset_add_chain_policy {
ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Drop");
- ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel);
-
- ruleset_addrule($ruleset, $chain, "", "-j DROP");
+ ruleset_addrule($ruleset, $chain, "", "-j DROP", $loglevel, "policy $policy: ", $vmid);
} elsif ($policy eq 'REJECT') {
ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Reject");
- ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel);
-
- ruleset_addrule($ruleset, $chain, "", "-g PVEFW-reject");
+ ruleset_addrule($ruleset, $chain, "", "-g PVEFW-reject", $loglevel, "policy: $policy", $vmid);
} else {
# should not happen
die "internal error: unknown policy '$policy'";
@@ -2093,8 +2081,7 @@ sub ruleset_chain_add_input_filters {
if ($cluster_conf->{ipset}->{blacklist}){
if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) {
ruleset_create_chain($ruleset, "PVEFW-blacklist");
- ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel;
- ruleset_addrule($ruleset, "PVEFW-blacklist", "", "-j DROP");
+ ruleset_addrule($ruleset, "PVEFW-blacklist", "", "-j DROP", $loglevel, "DROP: ");
}
my $ipset_chain = compute_ipset_chain_name(0, 'blacklist', $ipversion);
ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} src", "-j PVEFW-blacklist");
--
2.7.4