[pve-devel] pve-firewall : log for default accept action and action format consistency in logs

Dietmar Maurer dietmar at proxmox.com
Sun Jun 30 07:35:09 CEST 2019


I always tried to minimize log overhead. If you log ACCEPT, that will
generate very large amounts of logs?

> On 29 June 2019 19:15 Alexandre DERUMIER <aderumier at odiso.com> wrote:
> 
>  
> Hi,
> 
> 
> I have noticed that when the default action is accept, no logs are currently generated.
> 
> 
> There is no log for ACCEPT in ruleset_add_chain_policy(). Can we add it?
> 
> 
> sub ruleset_add_chain_policy {
>     my ($ruleset, $chain, $ipversion, $vmid, $policy, $loglevel, $accept_action) = @_;
> 
>     if ($policy eq 'ACCEPT') {
> 
>         my $rule = { action => 'ACCEPT' };
>         rule_substitude_action($rule, { ACCEPT =>  $accept_action});
>         ruleset_generate_rule($ruleset, $chain, $ipversion, $rule);
> 
>     } elsif ($policy eq 'DROP') {
> 
>         ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Drop");
> 
>         ruleset_addrule($ruleset, $chain, "", "-j DROP", $loglevel, "policy $policy: ", $vmid);
>     } elsif ($policy eq 'REJECT') {
>         ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Reject");
> 
>         ruleset_addrule($ruleset, $chain, "", "-g PVEFW-reject", $loglevel, "policy $policy: ", $vmid);
>     } else {
>         # should not happen
>         die "internal error: unknown policy '$policy'";
>     }
> }
> 
> 
> 
> 
> Another thing is that the actions ACCEPT/REJECT/DROP for a rule log are replaced by
> 
> if ($direction eq 'OUT') {
>                     rule_substitude_action($rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
>                     ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf, $vmfw_conf, $vmid);
>                 } else {
>                     rule_substitude_action($rule, { ACCEPT => $in_accept , REJECT => "PVEFW-reject" });
>                     ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf, $vmfw_conf, $vmid);
>                 }
> 
> 
> This is needed for iptables rules, but in the log, it's really strange to see "PVEFW-SET-ACCEPT-MARK" instead of "accept" for accept out rules.
> I think we should keep ACCEPT/REJECT/DROP in the log, like for default rules.
> 
> What do you think about this?
> 
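The point raised in the quoted message (the iptables jump target is substituted, but the log line should still name the logical action, and an ACCEPT default policy currently produces no log entry) can be modelled in a few lines. The following is an added example written for this archive page; it is a Python sketch, not pve-firewall's Perl code, and it mirrors the shape of the quoted ruleset_add_chain_policy() and the rule_substitude_action() call. The NFLOG prefix layout, the chain name PVEFW-100-OUT, the vmid 100 and the sample rule are all constructed assumptions for illustration; the substituted target names (PVEFW-SET-ACCEPT-MARK, PVEFW-reject, PVEFW-Drop, PVEFW-Reject) come from the thread.

```python
"""Sketch of log-prefix handling for substituted iptables targets.

Added example, not pve-firewall's code. It keeps the rule's logical action
(ACCEPT/REJECT/DROP) in the log message even when the jump target has been
substituted, and adds a log rule for an ACCEPT default policy, as proposed
in the thread. The NFLOG prefix layout is an assumption.
"""
from dataclasses import dataclass, field

# Logical action -> iptables target for outgoing rules, modelled on the
# rule_substitude_action() call quoted in the message.
OUT_SUBST = {"ACCEPT": "PVEFW-SET-ACCEPT-MARK", "REJECT": "PVEFW-reject"}


@dataclass
class Ruleset:
    """Chain name -> list of generated iptables rule strings."""
    rules: dict = field(default_factory=dict)

    def addrule(self, chain, match, target, loglevel=None, logmsg=None, vmid=None):
        """Append one rule; if loglevel is set, emit an NFLOG rule first whose
        prefix carries logmsg (the logical action), not the jump target."""
        lines = self.rules.setdefault(chain, [])
        parts = [p for p in ("-A", chain, match) if p]
        if loglevel is not None:
            prefix = f":{vmid}:{loglevel}:{chain}: {logmsg}"  # assumed layout
            lines.append(" ".join(parts + ["-j", "NFLOG", "--nflog-prefix", f'"{prefix}"']))
        lines.append(" ".join(parts + [target]))


def add_chain_policy(ruleset, chain, vmid, policy, loglevel, accept_action):
    """Model of ruleset_add_chain_policy(); unlike the quoted Perl it also logs
    the ACCEPT policy. Pass loglevel=None to keep the rule set log-free."""
    if policy == "ACCEPT":
        ruleset.addrule(chain, "", f"-j {accept_action}", loglevel, f"policy {policy}: ", vmid)
    elif policy == "DROP":
        ruleset.addrule(chain, "", "-j PVEFW-Drop")
        ruleset.addrule(chain, "", "-j DROP", loglevel, f"policy {policy}: ", vmid)
    elif policy == "REJECT":
        ruleset.addrule(chain, "", "-j PVEFW-Reject")
        ruleset.addrule(chain, "", "-g PVEFW-reject", loglevel, f"policy {policy}: ", vmid)
    else:
        raise ValueError(f"internal error: unknown policy '{policy}'")


def generate_rule(ruleset, chain, rule, direction, in_accept, vmid):
    """Substitute the jump target as the quoted code does, but build the log
    message from the rule's original action so the log reads ACCEPT, not
    PVEFW-SET-ACCEPT-MARK."""
    logical = rule["action"]
    subst = OUT_SUBST if direction == "OUT" else {"ACCEPT": in_accept, "REJECT": "PVEFW-reject"}
    target = subst.get(logical, logical)
    ruleset.addrule(chain, rule.get("match", ""), f"-j {target}",
                    rule.get("log"), f"{logical}: ", vmid)


def example_out_chain():
    """Constructed sample: one logged ACCEPT out rule plus an ACCEPT default policy."""
    rs = Ruleset()
    chain, vmid = "PVEFW-100-OUT", 100  # assumed names
    generate_rule(rs, chain, {"action": "ACCEPT", "match": "-p tcp --dport 22", "log": "info"},
                  "OUT", "ACCEPT", vmid)
    add_chain_policy(rs, chain, vmid, "ACCEPT", "info", "PVEFW-SET-ACCEPT-MARK")
    return rs.rules[chain]


if __name__ == "__main__":
    for line in example_out_chain():
        print(line)
```

The separation is the whole point: the substitution map decides the `-j` target, while the log prefix is derived from the rule's own action string before substitution. Whether to pass a loglevel for the ACCEPT policy at all is the volume trade-off the reply raises; with `loglevel=None` the generator emits no NFLOG rule for it.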

