[pve-devel] applied: [PATCH v4 firewall 0/2] firewall conntrack logging

Alexandre DERUMIER aderumier at odiso.com
Fri Jan 4 15:22:38 CET 2019


Hi David,

I have tested with real production traffic,
and the log hangs with "error catching nfct"

example:

[DESTROY] ipv4     2 tcp      6 src=78.130.61.209 dst=10.11.1.11 sport=62386 dport=443 packets=15 bytes=2283 src=10.11.1.11 dst=78.130.61.209 sport=443 dport=62386 packets=9 bytes=1703 [ASSURED] delta-time=18 [start=Fri Jan  4 15:16:33 2019] [stop=Fri Jan  4 15:16:51 2019]
[DESTROY] ipv4     2 tcp      6 src=10.11.53.13 dst=10.11.53.22 sport=25993 dport=6379 src=10.11.53.22 dst=10.11.53.13 sport=6379 dport=25993 [ASSURED] delta-time=13 [start=Fri Jan  4 15:16:38 2019] [stop=Fri Jan  4 15:16:51 2019]
[DESTROY] ipv4     2 tcp      6 src=10.11.1.13 dst=10.11.1.32 sport=34468 dport=8886 packets=4 bytes=639 src=10.11.1.32 dst=10.11.1.13 sport=8886 dport=34468 packets=4 bytes=216 [ASSURED] delta-time=121 [start=Fri Jan  4 15:14:50 2019] [stop=Fri Jan  4 15:16:51 2019]
[DESTROY] ipv4     2 tcp      6 src=10.11.1.13 dst=10.11.1.32 sport=58982 dport=80 packets=5 bytes=287 src=10.11.1.32 dst=10.11.1.13 sport=80 dport=58982 packets=5 bytes=517 [ASSURED] delta-time=124 [start=Fri Jan  4 15:14:47 2019] [stop=Fri Jan  4 15:16:51 2019]
[DESTROY] ipv4     2 tcp      6 src=10.11.1.13 dst=10.11.1.33 sport=29908 dport=8883 src=10.11.1.33 dst=10.11.1.13 sport=8883 dport=29908 [ASSURED] delta-time=11 [start=Fri Jan  4 15:16:40 2019] [stop=Fri Jan  4 15:16:51 2019]
[DESTROY] ipv4     2 tcp      6 src=10.11.1.13 dst=10.11.1.33 sport=59772 dport=8881 packets=2 bytes=112 src=10.11.1.33 dst=10.11.1.13 sport=8881 dport=59772 packets=1 bytes=60 delta-time=26 [start=Fri Jan  4 15:16:25 2019] [stop=Fri Jan  4 15:16:51 2019]
[DESTROY] ipv4     2 tcp      6 src=10.11.53.14 dst=10.11.53.22 sport=32590 dport=6379 src=10.11.53.22 dst=10.11.53.14 sport=6379 dport=32590 [ASSURED] delta-time=13 [start=Fri Jan  4 15:16:38 2019] [stop=Fri Jan  4 15:16:51 2019]
[DESTROY] ipv4     2 tcp      6 src=10.11.1.13 dst=10.11.1.25 sport=4198 dport=8883 packets=2 bytes=112 src=10.11.1.25 dst=10.11.1.13 sport=8883 dport=4198 packets=1 bytes=60 delta-time=18 [start=Fri Jan  4 15:16:33 2019] [stop=Fri Jan  4 15:16:51 2019]
[DESTROY] ipv4     2 tcp      6 src=10.11.1.13 dst=10.11.1.25 sport=34062 dport=8886 src=10.11.1.25 dst=10.11.1.13 sport=8886 dport=34062 delta-time=12 [start=Fri Jan  4 15:16:39 2019] [stop=Fri Jan  4 15:16:51 2019]
[DESTROY] ipv4     2 tcp      6 src=82.225.78.17 dst=10.11.1.11 sport=57860 dport=443 src=10.11.1.11 dst=82.225.78.17 sport=443 dport=57860 [ASSURED] delta-time=13 [start=Fri Jan  4 15:16:38 2019] [stop=Fri Jan  4 15:16:51 2019]
0 3 - 04/Jan/2019:15:16:51 +0100 error catching nfct


After that, there are no more conntrack log entries (VM reject/drop logs still work fine).

I can reproduce it 100% after 1 or 2 seconds.



----- Original Mail -----
From: "aderumier" <aderumier at odiso.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Thursday 13 December 2018 15:58:51
Subject: Re: [pve-devel] applied: [PATCH v4 firewall 0/2] firewall conntrack logging

Thank you very much!

Just tested, works fine. 

If somebody is interested, I have built a logstash parser + elastic template + kibana dashboards.


----- Original Mail -----
From: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
To: "David Limbeck" <d.limbeck at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Thursday 13 December 2018 14:34:32
Subject: [pve-devel] applied: [PATCH v4 firewall 0/2] firewall conntrack logging

applied 

On Thu, Dec 13, 2018 at 01:08:50PM +0100, David Limbeck wrote: 
> Adds optional conntrack logging. pvefw-logger is restarted whenever the 
> config changes. 
> 
> To enable conntrack logging set 'log_nf_conntrack: 1' in 
> /etc/pve/nodes/{node}/host.fw 
> To enable timestamps (start and end time in [DESTROY] messages) set 
> /proc/sys/net/netfilter/nf_conntrack_timestamp to 1 
> 
> v3 -> v4:
> fixed cover letter version 
> fixed check for ENOENT 
> 
> v2->v3: 
> incorporated Wolfgang's suggestions 
> pvefw-logger: 
> - file path as DEFINE 
> - check for ENOENT 
> - conntrack: everything other than '1' is false 
> 
> Firewall.pm: 
> - changed command to 'try-reload-or-restart' 
> - separated parts of command 
> - brace placement 
> 
> David Limbeck (2): 
> add conntrack logging via libnetfilter_conntrack 
> add log_nf_conntrack host firewall option 
> 
> debian/control | 1 + 
> src/Makefile | 2 +- 
> src/PVE/Firewall.pm | 20 +++++++++++++- 
> src/pvefw-logger.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 
> 4 files changed, 98 insertions(+), 2 deletions(-) 
> 
> -- 
> 2.11.0 

_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
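The [DESTROY] lines in the report above follow a fixed key=value layout. As an added example (not code from the pvefw-logger patch, and not the reporter's logstash parser), here is a small Python parser that turns such lines into structured records and treats the "error catching nfct" line as the point after which silence means the conntrack feed has died rather than that there was no traffic. The field layout is inferred from the lines quoted in the mail, and the sample input is constructed from them.

```python
import re
from datetime import datetime

# Constructed sample: two [DESTROY] lines and the error line taken from the report above.
SAMPLE = """\
[DESTROY] ipv4     2 tcp      6 src=78.130.61.209 dst=10.11.1.11 sport=62386 dport=443 packets=15 bytes=2283 src=10.11.1.11 dst=78.130.61.209 sport=443 dport=62386 packets=9 bytes=1703 [ASSURED] delta-time=18 [start=Fri Jan  4 15:16:33 2019] [stop=Fri Jan  4 15:16:51 2019]
[DESTROY] ipv4     2 tcp      6 src=10.11.53.13 dst=10.11.53.22 sport=25993 dport=6379 src=10.11.53.22 dst=10.11.53.13 sport=6379 dport=25993 [ASSURED] delta-time=13 [start=Fri Jan  4 15:16:38 2019] [stop=Fri Jan  4 15:16:51 2019]
0 3 - 04/Jan/2019:15:16:51 +0100 error catching nfct
"""
# Field layout inferred from the lines in the mail: "[EVENT] family N proto N", then the
# original-direction tuple, the reply-direction tuple, optional [ASSURED], delta-time and timestamps.
HEAD_RE = re.compile(r"^\[(?P<event>[A-Z]+)\]\s+(?P<family>\S+)\s+\d+\s+(?P<proto>\S+)\s+\d+\s+(?P<rest>.*)$")
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)(?: packets=(\d+) bytes=(\d+))?")
TS_RE = re.compile(r"\[(start|stop)=([^\]]+)\]")
FAILURE_MARKER = "error catching nfct"  # after this line pvefw-logger emits no further conntrack events

def _tuple(m):
    # packets/bytes are only present when conntrack accounting is on; keep None rather than faking 0
    return {"src": m.group(1), "dst": m.group(2), "sport": int(m.group(3)), "dport": int(m.group(4)),
            "packets": int(m.group(5)) if m.group(5) else None,
            "bytes": int(m.group(6)) if m.group(6) else None}

def parse_conntrack_line(line):
    """Return a structured record for one conntrack event line, or None if the line is not one."""
    h = HEAD_RE.match(line.strip())
    if not h:
        return None
    rest = h.group("rest")
    tuples = [_tuple(m) for m in TUPLE_RE.finditer(rest)]
    if len(tuples) != 2:  # expect exactly an original-direction and a reply-direction tuple
        return None
    dt = re.search(r"delta-time=(\d+)", rest)
    stamps = {k: datetime.strptime(v, "%a %b %d %H:%M:%S %Y") for k, v in TS_RE.findall(rest)}
    return {"event": h.group("event"), "family": h.group("family"), "proto": h.group("proto"),
            "orig": tuples[0], "reply": tuples[1], "assured": "[ASSURED]" in rest,
            "delta_time": int(dt.group(1)) if dt else None,
            "start": stamps.get("start"), "stop": stamps.get("stop")}

def scan_log(text):
    """Parse an excerpt; 'failed' becomes True once the failure marker is seen, after which an
    empty feed is a monitoring gap (the logger died), not evidence that there was no traffic."""
    events, failed = [], False
    for line in text.splitlines():
        if FAILURE_MARKER in line:
            failed = True
            break
        rec = parse_conntrack_line(line)
        if rec:
            events.append(rec)
    return events, failed
```

A collector that alerts when `failed` is set, or when no events arrive for longer than the usual flow lifetime, catches the silent stop described above instead of reporting a quiet network.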
