[pve-devel] [RFC docs 1/1] fix: #2123 Logging of user defined firewall rules

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Mar 19 06:47:27 CET 2019

On 3/18/19 5:05 PM, Christian Ebner wrote:
> Extends the documentation to mention the additional option to define a per-rule
> log level for user-defined rules.
> Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
> ---
>  pve-firewall.adoc | 43 +++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 43 insertions(+)
> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
> index acaca95..555e90e 100644
> --- a/pve-firewall.adoc
> +++ b/pve-firewall.adoc
> @@ -404,6 +404,49 @@ If you want to see the generated iptables rules you can use:
>   # iptables-save
> +Logging of firewall rules
> +-------------------------
> +
> +By default, logging of traffic filtered by the firewall rules is disabled. To
> +enable logging for the default firewall rules, the log-level for incommig and
> +outgoing traffic has to be set in the firewall `Options` tab for the host and/or
> +the VM/CT firewall.
> +Logging of dropped packets is rate limited to 1 packet per second in order to
> +reduce output to the log file.

with the bucket algorithm this is not the full truth, maybe a:
> After a initial burst of five packets logging of dropped packets is rate lim...

would be better? I can fix this up though.

> +Further, only some dropped or rejected packets are logged for the standard rules.

huh? maybe:

> Per default only the packets dropped or reject by {pve}'s implicit standard rules
> are logged.

Else, it sound like that only some of the standard rules lead to logging, and if that'd
be true I'm really asking me if this is done out of spite to confuse users? :D

> +
> +In order to log packets filtered by user-defined firewall rules, it is possible
> +to set a log-level parameter for each rule individually.
> +This allows to log in a fine grained manner and independent of the log-level
> +defined for the standard rules.
> +In particular, each rule is logged independently from the log-level set for the
> +standard rules in the firewall `Options`.

the last two sentences have some redundancy? And IMO this still a bit confusing,
you have "in" and "out" rules, "log_level_in" and "log_level_out", but they are
not related to each other. Not 100% sure yet...

> +
> +The log level for the rule can also be set via the firewall configuration file by
> +appending a `-log <loglevel>` to the selected rule.
> +Here, `<loglevel>` is one of the following flags, attached to the log output:
> +`nolog, emerg, alert, crit, err, warning, notice, info, debug`

but  the loglevel shows up as number in the log?

Some possibility for filtering could be nice here (as a separate addition to this)

> +
> +For example:
> +
> +----
> +IN REJECT -p icmp -log nolog
> +----
> +
> +is the same as
> +
> +----
> +IN REJECT -p icmp
> +----
> +
> +whereas
> +
> +----
> +IN REJECT -p icmp -log debug
> +----
> +
> +produces a log output flagged with the `debug` level.
> +
>  Tips and Tricks
>  ---------------

More information about the pve-devel mailing list