Hi,

I have noticed that when the default action is accept, no logs are currently
generated.


There is no log for ACCEPT in ruleset_add_chain_policy(). Can we add it?


sub ruleset_add_chain_policy {
    my ($ruleset, $chain, $ipversion, $vmid, $policy, $loglevel, $accept_action) = @_;

    if ($policy eq 'ACCEPT') {

        my $rule = { action => 'ACCEPT' };
        rule_substitude_action($rule, { ACCEPT => $accept_action });
        ruleset_generate_rule($ruleset, $chain, $ipversion, $rule);

    } elsif ($policy eq 'DROP') {

        ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Drop");

        ruleset_addrule($ruleset, $chain, "", "-j DROP", $loglevel, "policy $policy: ", $vmid);
    } elsif ($policy eq 'REJECT') {
        ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Reject");

        ruleset_addrule($ruleset, $chain, "", "-g PVEFW-reject", $loglevel, "policy $policy: ", $vmid);
    } else {
        # should not happen
        die "internal error: unknown policy '$policy'";
    }
}




Another thing is that the actions ACCEPT/REJECT/DROP for a rule log are replaced
by

if ($direction eq 'OUT') {
    rule_substitude_action($rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
    ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf, $vmfw_conf, $vmid);
} else {
    rule_substitude_action($rule, { ACCEPT => $in_accept, REJECT => "PVEFW-reject" });
    ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf, $vmfw_conf, $vmid);
}


This is needed for iptables rules, but in the log it's really strange to see
"PVEFW-SET-ACCEPT-MARK" instead of "accept" for accept out rules.
I think we should keep ACCEPT/REJECT/DROP in the log, like for default rules.

What do you think about this?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
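The two points raised above (a log rule for an ACCEPT chain policy, and a log prefix that names the configured action rather than the substituted iptables target) can be illustrated with a small stand-alone Perl script. This is an added example and not Proxmox code: the functions render_rule() and render_policy(), the substitution table and the NFLOG prefix format are assumptions made up for the illustration; only the target names (PVEFW-SET-ACCEPT-MARK, PVEFW-reject) are taken from the code quoted in the message.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical, simplified model (not the Proxmox implementation) of how a
# configured firewall rule turns into iptables rule lines. The iptables jump
# target may be substituted per direction, but the log line is built from the
# action the user configured, so the log still reads ACCEPT/REJECT/DROP.
my %target_substitution = (
    OUT => { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => 'PVEFW-reject' },
    IN  => { ACCEPT => 'ACCEPT',                REJECT => 'PVEFW-reject' },
);

# Constructed log prefix; the real logger prefix format is not shown here.
sub log_line {
    my ($chain, $loglevel, $text) = @_;
    return sprintf('-A %s -j NFLOG --nflog-prefix ":%s:%s:"', $chain, $loglevel, $text);
}

# Render one rule: optional log line first, then the jump to the (possibly
# substituted) target. Returns the list of iptables rule lines.
sub render_rule {
    my ($chain, $direction, $rule, $loglevel) = @_;
    my $action = $rule->{action};
    my $target = $target_substitution{$direction}{$action} // $action;
    my @lines;
    # log with the configured action name, not the internal target name
    push @lines, log_line($chain, $loglevel, $action) if defined $loglevel;
    push @lines, "-A $chain -j $target";
    return @lines;
}

# Render a default chain policy. Unlike the quoted ruleset_add_chain_policy(),
# this emits a log line for every policy, ACCEPT included.
sub render_policy {
    my ($chain, $policy, $loglevel) = @_;
    my %jump = (ACCEPT => 'ACCEPT', DROP => 'DROP', REJECT => 'PVEFW-reject');
    die "internal error: unknown policy '$policy'" unless exists $jump{$policy};
    my @lines;
    push @lines, log_line($chain, $loglevel, "policy $policy") if defined $loglevel;
    push @lines, "-A $chain -j $jump{$policy}";
    return @lines;
}

# Constructed sample: an outgoing accept rule with logging enabled, followed by
# an ACCEPT default policy for the incoming chain (chain names are made up).
print "$_\n" for render_rule('PVEFW-100-OUT', 'OUT', { action => 'ACCEPT' }, 'info');
print "$_\n" for render_policy('PVEFW-100-IN', 'ACCEPT', 'info');
```

Running the script shows the OUT rule jumping to PVEFW-SET-ACCEPT-MARK while its log prefix still says ACCEPT, and the ACCEPT policy producing a "policy ACCEPT" log line alongside its jump, which is the behaviour the message asks for.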