[pve-devel] applied: [RFC v2 firewall 1/1] fix: #2123 Logging of user defined firewall rules

Alexandre DERUMIER aderumier at odiso.com
Tue Mar 19 16:09:56 CET 2019


Nice work !

Could we have an option to disable the rate limit or configure it (a host option, for example)?

The patch changes the current behaviour of the default VM log action, where we don't have a limit currently.

(and I really need to log all dropped/rejected traffic)

BTW, are you sure that it's only limiting logging? What happens on an ACCEPT log, for example?


----- Original Message -----
From: "Thomas Lamprecht" <t.lamprecht at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>, "Christian Ebner" <c.ebner at proxmox.com>
Sent: Tuesday, 19 March 2019 14:40:22
Subject: [pve-devel] applied: [RFC v2 firewall 1/1] fix: #2123 Logging of user defined firewall rules

On 3/18/19 5:05 PM, Christian Ebner wrote:
> This allows a user to log traffic filtered by a self-defined firewall rule.
> Therefore the API is extended to include a 'log' option that allows specifying the
> log level for each rule individually.
> The 'log' option can also be specified in the fw config. To reduce the
> amount of logging, logging is limited to 1 entry per second.
> For now the rule has to be created or edited via the pvesh API call or via the
> firewall config in order to set the log level.
> Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
> ---
> Version 2:
> * Added missing $logmsg to PVEFW-FWBRR-IN and PVEFW-FWBR-OUT rules
> * Added '--limit-burst 1' to rate limit NFLOG to 1 packet per second
> src/PVE/API2/Firewall/Rules.pm | 3 ++
> src/PVE/Firewall.pm | 63 +++++++++++++++++++++++++-----------------
> 2 files changed, 40 insertions(+), 26 deletions(-)

applied, with a followup to change the burst limit back to the default of 5.

pve-devel mailing list 
pve-devel at pve.proxmox.com 
