[pve-devel] applied: [RFC v2 firewall 1/1] fix: #2123 Logging of user defined firewall rules
Christian Ebner
c.ebner at proxmox.com
Tue Mar 19 16:54:50 CET 2019
Okay, I will send a patch to remove the hard coded rate limit.
Maybe we might introduce a host / datacenter level option to set such a limit in the future.
Thanks for the feedback!
> On March 19, 2019 at 4:22 PM Alexandre DERUMIER <aderumier at odiso.com> wrote:
>
>
> >>BTW, are you sure that it's only limiting logging? What happens on an ACCEPT log, for example?
> sorry, responding to myself: it's only applied on -j LOG, so it's ok.
>
>
>
> ----- Original Message -----
> From: "aderumier" <aderumier at odiso.com>
> To: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Tuesday, March 19, 2019 16:09:56
> Subject: Re: [pve-devel] applied: [RFC v2 firewall 1/1] fix: #2123 Logging of user defined firewall rules
>
> Hi,
>
> Nice work !
>
>
> Could we have an option to disable the rate limit or configure it (a host option, for example)?
>
> The patch changes the current behaviour of the default VM log action, where we don't have a limit currently.
>
> (and I really need to log all dropped/rejected)
>
>
> BTW, are you sure that it's only limiting logging? What happens on an ACCEPT log, for example?
>
>
> Alexandre
>
> ----- Original Message -----
> From: "Thomas Lamprecht" <t.lamprecht at proxmox.com>
> To: "pve-devel" <pve-devel at pve.proxmox.com>, "Christian Ebner" <c.ebner at proxmox.com>
> Sent: Tuesday, March 19, 2019 14:40:22
> Subject: [pve-devel] applied: [RFC v2 firewall 1/1] fix: #2123 Logging of user defined firewall rules
>
> On 3/18/19 5:05 PM, Christian Ebner wrote:
> > This allows a user to log traffic filtered by a self-defined firewall rule.
> > Therefore the API is extended to include a 'log' option that allows specifying the
> > log level for each rule individually.
> >
> > The 'log' option can also be specified in the fw config. In order to reduce the
> > log amount, logging is limited to 1 entry per second.
> >
> > For now the rule has to be created or edited via the pvesh API call or via the
> > firewall config in order to set the log level.
> >
> > Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
> > ---
> >
> > Version 2:
> > * Added missing $logmsg to PVEFW-FWBRR-IN and PVEFW-FWBR-OUT rules
> > * Added '--limit-burst 1' to rate limit NFLOG to 1 packet per second
> >
> > src/PVE/API2/Firewall/Rules.pm | 3 ++
> > src/PVE/Firewall.pm | 63 +++++++++++++++++++++++++-----------------
> > 2 files changed, 40 insertions(+), 26 deletions(-)
> >
>
> applied, with a followup to change the burst limit back to the default of 5.
> Thanks!
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
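The thread's point that the `-m limit` match gates only the `-j LOG` rule (the subsequent DROP/REJECT verdict is never rate limited) can be checked with a small simulation. This is an added illustration, not code from the Proxmox firewall: the token bucket below is a simplified model of the netfilter `limit` match (`--limit RATE/s`, `--limit-burst BURST`), and the packet timestamps are constructed sample input.

```python
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Simplified model of iptables '-m limit': a token bucket holding at most
    `burst` tokens (--limit-burst), refilled at `rate` tokens per second (--limit).
    A packet matches only when a whole token is available."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # bucket starts full, so the first `burst` packets match

    def matches(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def evaluate(packet_times, burst, verdict="DROP", rate=1.0):
    """Evaluate the rule pair
        -m limit --limit <rate>/s --limit-burst <burst> -j LOG   (non-terminating)
        -j <verdict>                                             (no limit match)
    over packets arriving at the given timestamps (seconds).
    Returns (number of packets logged, list of verdicts applied)."""
    limit = LimitMatch(rate=rate, burst=burst)
    logged = 0
    verdicts = []
    for t in packet_times:
        if limit.matches(t):     # only the LOG rule consults the token bucket
            logged += 1
        verdicts.append(verdict)  # the filtering rule always fires, logged or not
    return logged, verdicts


if __name__ == "__main__":
    # Constructed sample: a burst of 10 packets arriving in the same second.
    flood = [0.0] * 10
    print(evaluate(flood, burst=1))  # burst 1 as in v2 of the patch: 1 logged, 10 dropped
    print(evaluate(flood, burst=5))  # default burst of 5 as applied: 5 logged, 10 dropped
```

Raising `--limit-burst` changes only how many entries a burst produces in the log; every packet still receives the rule's verdict.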