[pve-devel] [PATCH v2 firewall 2/2] add log_nf_conntrack host firewall option

Wolfgang Bumiller w.bumiller at proxmox.com
Tue Dec 11 11:24:28 CET 2018


On Fri, Dec 07, 2018 at 03:08:21PM +0100, David Limbeck wrote:
> add log_nf_conntrack host firewall option to enable or disable logging
> of connections. restarts pvefw-logger if the option changes in the
> config. the pvefw-logger is always restarted in the beginning to make
> sure the current config is applied.
> 
> Signed-off-by: David Limbeck <d.limbeck at proxmox.com>
> ---
>  src/PVE/Firewall.pm | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index db1eae3..d9d8e26 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -2638,7 +2638,7 @@ sub parse_hostfw_option {
>  
>      my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
>  
> -    if ($line =~ m/^(enable|nosmurfs|tcpflags|ndp):\s*(0|1)\s*$/i) {
> +    if ($line =~ m/^(enable|nosmurfs|tcpflags|ndp|log_nf_conntrack):\s*(0|1)\s*$/i) {
>  	$opt = lc($1);
>  	$value = int($2);
>      } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
> @@ -4069,6 +4069,7 @@ sub apply_ruleset {
>  
>      update_nf_conntrack_tcp_timeout_established($hostfw_conf);
>  
> +    update_nf_conntrack_logging($hostfw_conf);
>  }
>  
>  sub update_nf_conntrack_max {
> @@ -4105,6 +4106,22 @@ sub update_nf_conntrack_tcp_timeout_established {
>      PVE::ProcFSTools::write_proc_entry("/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established", $value);
>  }
>  
> +my $log_nf_conntrack_enabled = undef;
> +sub update_nf_conntrack_logging {
> +    my ($hostfw_conf) = @_;
> +
> +    my $options = $hostfw_conf->{options} || {};
> +    my $value = $options->{log_nf_conntrack} || 0;
> +    if (!defined($log_nf_conntrack_enabled)
> +	|| $value != $log_nf_conntrack_enabled) {
> +	my $tmpfile = "$pve_fw_status_dir/log_nf_conntrack";
> +	PVE::Tools::file_set_contents($tmpfile, $value);
> +
> +	PVE::Tools::run_command(['systemctl restart pvefw-logger.service']);

This will start the service regardless of its previous state.
Use 'try-reload-or-restart' instead of 'restart'
Also, please separate the parameters properly
    PVE::Tools::run_command(['systemctl', 'try-reload-or-restart', 'pvefw-logger.service']);
Or shorter:
    PVE::Tools::run_command([qw(systemctl try-reload-or-restart pvefw-logger.service)]);


> +	$log_nf_conntrack_enabled = $value;
> +    }
> +}
> +
>  sub remove_pvefw_chains {
>  
>      PVE::Firewall::remove_pvefw_chains_iptables("iptables");
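Review bot: The new update_nf_conntrack_logging sub (from the `my $log_nf_conntrack_enabled = undef;` line through its closing brace) carries no comment, so a reader cannot tell why the value is both written to `$pve_fw_status_dir/log_nf_conntrack` and compared against a process-local cache, nor why the first call in each process always restarts the logger; the commit message explains the latter, the code does not. A short header comment above the declaration would do: `# Persist the option to the status dir and remember it per process; the cache starts undef so the first apply_ruleset after startup always restarts pvefw-logger, later applies only when the value changes.` The status file is presumably what pvefw-logger reads on (re)start — worth confirming and stating in that comment, since nothing in this hunk shows the consumer. The explicit `= undef` on the `my` declaration is redundant and can be dropped.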
> -- 
> 2.11.0



