>> I always tried to minimize log overhead. If you log ACCEPT, that will
>> generate very large amounts of logs?

Yes sure, but we have the option to set nolog for in/out default rules.
I have some servers where the customer wants all accept out, but I need to log all access.
(Currently, the only way is to add an extra ACCEPT rule at the end.)

----- Original Mail -----
From: "dietmar" <diet...@proxmox.com>
To: "pve-devel" <pve-devel@pve.proxmox.com>, "Alexandre Derumier" <aderum...@odiso.com>
Sent: Sunday 30 June 2019 07:35:09
Subject: Re: [pve-devel] pve-firewall : log for default accept action and action format consistency in logs

I always tried to minimize log overhead. If you log ACCEPT, that will
generate very large amounts of logs?

> On 29 June 2019 19:15 Alexandre DERUMIER <aderum...@odiso.com> wrote:
>
> Hi,
>
> I have noticed that when the default action is accept, no logs are currently
> generated.
>
> There is no log for ACCEPT in ruleset_add_chain_policy(). Can we add it?
>
> sub ruleset_add_chain_policy {
>     my ($ruleset, $chain, $ipversion, $vmid, $policy, $loglevel, $accept_action) = @_;
>
>     if ($policy eq 'ACCEPT') {
>
>         # no log rule is emitted here: $loglevel is never used for ACCEPT
>         my $rule = { action => 'ACCEPT' };
>         rule_substitude_action($rule, { ACCEPT => $accept_action});
>         ruleset_generate_rule($ruleset, $chain, $ipversion, $rule);
>
>     } elsif ($policy eq 'DROP') {
>
>         ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Drop");
>
>         # $loglevel and the "policy $policy: " prefix produce the log rule
>         ruleset_addrule($ruleset, $chain, "", "-j DROP", $loglevel, "policy $policy: ", $vmid);
>     } elsif ($policy eq 'REJECT') {
>         ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Reject");
>
>         ruleset_addrule($ruleset, $chain, "", "-g PVEFW-reject", $loglevel, "policy $policy: ", $vmid);
>     } else {
>         # should not happen
>         die "internal error: unknown policy '$policy'";
>     }
> }
>
>
> Another thing is that the actions ACCEPT/REJECT/DROP for a rule log are
> replaced by
>
> if ($direction eq 'OUT') {
>     rule_substitude_action($rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
>     ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf, $vmfw_conf, $vmid);
> } else {
>     rule_substitude_action($rule, { ACCEPT => $in_accept , REJECT => "PVEFW-reject" });
>     ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf, $vmfw_conf, $vmid);
> }
>
> This is needed for the iptables rules, but in the log it's really strange to see
> "PVEFW-SET-ACCEPT-MARK" instead of "accept" for accept out rules.
> I think we should keep ACCEPT/REJECT/DROP in the log, like for default rules.
>
> What do you think about this?
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
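The two points raised in the thread (a log rule for the ACCEPT policy that can be switched off with nolog, and a log prefix that names the configured action rather than the substituted iptables target), shown as an added illustration in Perl that is not pve-firewall code: the helper name policy_rules, the target map, the NFLOG prefix layout and the vm100-* chain names are all assumptions constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not pve-firewall code. Builds the iptables lines for a
# chain's default policy so that: (1) ACCEPT gets a log rule too when a
# log level is set, and (2) the log prefix carries the configured policy
# name, not the substituted target such as PVEFW-SET-ACCEPT-MARK.
# The prefix layout is assumed, not the project's exact format.

# Configured action -> real iptables target, per direction (assumed map).
my %target_for = (
    IN  => { ACCEPT => 'ACCEPT',                DROP => 'DROP', REJECT => 'PVEFW-reject' },
    OUT => { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', DROP => 'DROP', REJECT => 'PVEFW-reject' },
);

sub policy_rules {
    my ($chain, $direction, $policy, $loglevel, $vmid) = @_;

    my $target = $target_for{$direction}{$policy}
        // die "internal error: unknown policy '$policy'";

    my @rules;
    # Log rule first, for every policy value including ACCEPT. An undefined
    # $loglevel is the "nolog" case: hosts that accept everything outbound can
    # opt out of the log volume while others keep full access logging.
    if (defined $loglevel) {
        my $prefix = ":${vmid}:${loglevel}:${chain}: policy ${policy}: ";
        push @rules, "-A $chain -j NFLOG --nflog-prefix \"$prefix\"";
    }
    # The substituted target is only used as the jump, never in the prefix.
    push @rules, "-A $chain -j $target";
    return @rules;
}

# Demonstration with constructed chain names (log level 6 = info).
for my $case (
    [ 'vm100-OUT', 'OUT', 'ACCEPT', 6,     100 ],   # ACCEPT out, logged
    [ 'vm100-IN',  'IN',  'DROP',   6,     100 ],   # DROP in, logged
    [ 'vm101-OUT', 'OUT', 'ACCEPT', undef, 101 ],   # ACCEPT out, nolog
) {
    print "$_\n" for policy_rules(@$case);
    print "\n";
}
```

The first case prints a log rule whose prefix ends in "policy ACCEPT: " followed by the jump to PVEFW-SET-ACCEPT-MARK; the third case prints only the jump.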