[pve-devel] [PATCH v4 firewall 0/2] firewall conntrack logging

David Limbeck d.limbeck at proxmox.com
Thu Dec 13 13:08:50 CET 2018


Adds optional conntrack logging. pvefw-logger is restarted whenever the
config changes.

To enable conntrack logging, set 'log_nf_conntrack: 1' in
/etc/pve/nodes/{node}/host.fw.
To enable timestamps (start and end time in [DESTROY] messages), set
/proc/sys/net/netfilter/nf_conntrack_timestamp to 1.

v3 -> v4:
  fixed cover letter version
  fixed check for ENOENT

v2->v3:
  incorporated Wolfgang's suggestions
  pvefw-logger:
  - file path as DEFINE
  - check for ENOENT
  - conntrack: everything other than '1' is false

  Firewall.pm:
  - changed command to 'try-reload-or-restart'
  - separated parts of command
  - brace placement

David Limbeck (2):
  add conntrack logging via libnetfilter_conntrack
  add log_nf_conntrack host firewall option

 debian/control      |  1 +
 src/Makefile        |  2 +-
 src/PVE/Firewall.pm | 20 +++++++++++++-
 src/pvefw-logger.c  | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 98 insertions(+), 2 deletions(-)

-- 
2.11.0