Re: [pve-devel] pve-firewall : log for default accept action and action format consistency in logs

2019-06-30 Thread Dietmar Maurer

> On 1 July 2019 03:03 Alexandre DERUMIER  wrote:
> 
>  
> >>I always tried to minimize log overhead. If you log ACCEPT, that will
> >>generate very large amounts of logs?
> 
> yes sure, but we have the option to set nolog for in/out default rules.

Ah, good.

> I have some servers where the customer wants to accept all outgoing traffic, but I need to log all
> access.
> (currently, the only way is to add an extra ACCEPT rule at the end)

yes, you are right - that's clumsy...

___
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


Re: [pve-devel] pve-firewall : log for default accept action and action format consistency in logs

2019-06-30 Thread Alexandre DERUMIER
>>I always tried to minimize log overhead. If you log ACCEPT, that will
>>generate very large amounts of logs?

yes sure, but we have the option to set nolog for in/out default rules.


I have some servers where the customer wants to accept all outgoing traffic, but I need to log all
access.
(currently, the only way is to add an extra ACCEPT rule at the end)



- Original Mail -
From: "dietmar"
To: "pve-devel", "Alexandre Derumier"

Sent: Sunday 30 June 2019 07:35:09
Subject: Re: [pve-devel] pve-firewall : log for default accept action and action format consistency in logs

I always tried to minimize log overhead. If you log ACCEPT, that will 
generate very large amounts of logs? 

> On 29 June 2019 19:15 Alexandre DERUMIER  wrote: 
> 
> 
> Hi, 
> 
> 
> I have noticed that when the default action is ACCEPT, no log is currently generated.
> 
> 
> There is no log for ACCEPT in ruleset_add_chain_policy(). Can we add it?
> 
> 
> sub ruleset_add_chain_policy {
>     my ($ruleset, $chain, $ipversion, $vmid, $policy, $loglevel, $accept_action) = @_;
>
>     if ($policy eq 'ACCEPT') {
>
>         my $rule = { action => 'ACCEPT' };
>         rule_substitude_action($rule, { ACCEPT => $accept_action});
>         ruleset_generate_rule($ruleset, $chain, $ipversion, $rule);
>
>     } elsif ($policy eq 'DROP') {
>
>         ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Drop");
>
>         ruleset_addrule($ruleset, $chain, "", "-j DROP", $loglevel, "policy $policy: ", $vmid);
>     } elsif ($policy eq 'REJECT') {
>         ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Reject");
>
>         ruleset_addrule($ruleset, $chain, "", "-g PVEFW-reject", $loglevel, "policy $policy: ", $vmid);
>     } else {
>         # should not happen
>         die "internal error: unknown policy '$policy'";
>     }
> }
> 
> 
> 
> 
> Another thing is that the actions ACCEPT/REJECT/DROP for a rule log are replaced by
> 
> if ($direction eq 'OUT') {
>     rule_substitude_action($rule, { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" });
>     ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf, $vmfw_conf, $vmid);
> } else {
>     rule_substitude_action($rule, { ACCEPT => $in_accept , REJECT => "PVEFW-reject" });
>     ruleset_generate_rule($ruleset, $chain, $ipversion, $rule, $cluster_conf, $vmfw_conf, $vmid);
> }
> 
> 
> This is needed for the iptables rules, but in the log it's really strange to see
> "PVEFW-SET-ACCEPT-MARK" instead of "accept" for accept out rules.
> I think we should keep ACCEPT/REJECT/DROP in the log, like for default rules.
> 
> What do you think about this?
> 

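A worked model of the two points raised in the quoted message (a log rule for the default ACCEPT policy, and the user-facing action name in the log prefix even when the iptables jump target is substituted), added here as an illustration in Perl; it is not pve-firewall code and not a patch from the thread. The helper names are borrowed from the quoted source, but their bodies, the shortened argument lists (no $ipversion or config arguments), the NFLOG prefix layout and the sample chain names and VM ids are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added illustration, not pve-firewall code. Toy model of how a chain policy
# and a per-rule action become iptables rules, with the log prefix carrying the
# user-facing action name while the jump target keeps the internal chain name.
# The helper names mirror those quoted in the thread; their bodies, the reduced
# argument lists and the NFLOG prefix layout are assumptions for this example.
use strict;
use warnings;

# $ruleset is a hash: chain name => array of iptables rule strings.
# When a loglevel other than 'nolog' is given, a log rule is emitted before the
# terminal rule, tagged with VM id, loglevel, chain and message.
sub ruleset_addrule {
    my ($ruleset, $chain, $match, $action, $loglevel, $logmsg, $vmid) = @_;
    my $base = join(' ', grep { length } ('-A', $chain, $match // ''));
    if (defined $loglevel && $loglevel ne 'nolog') {
        push @{$ruleset->{$chain}},
            "$base -j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: $logmsg\"";
    }
    push @{$ruleset->{$chain}}, "$base $action";
}

# Map the user-facing action to the internal iptables target, as the thread
# describes (ACCEPT on OUT chains becomes the mark-setting chain).
sub substitute_action {
    my ($action, $direction, $accept_action) = @_;
    my %subst = (REJECT => 'PVEFW-reject');
    $subst{ACCEPT} = $direction eq 'OUT' ? 'PVEFW-SET-ACCEPT-MARK' : $accept_action;
    return $subst{$action} // $action;
}

# Chain policy: ACCEPT is logged exactly like DROP/REJECT, with
# "policy ACCEPT: " as the prefix rather than the substituted target name.
sub ruleset_add_chain_policy {
    my ($ruleset, $chain, $vmid, $direction, $policy, $loglevel, $accept_action) = @_;
    my $msg = "policy $policy: ";
    if ($policy eq 'ACCEPT') {
        my $target = substitute_action('ACCEPT', $direction, $accept_action);
        ruleset_addrule($ruleset, $chain, '', "-j $target", $loglevel, $msg, $vmid);
    } elsif ($policy eq 'DROP') {
        ruleset_addrule($ruleset, $chain, '', '-j PVEFW-Drop');
        ruleset_addrule($ruleset, $chain, '', '-j DROP', $loglevel, $msg, $vmid);
    } elsif ($policy eq 'REJECT') {
        ruleset_addrule($ruleset, $chain, '', '-j PVEFW-Reject');
        ruleset_addrule($ruleset, $chain, '', '-g PVEFW-reject', $loglevel, $msg, $vmid);
    } else {
        die "internal error: unknown policy '$policy'";
    }
}

# Explicit rule: the match and the substituted target go into the rule, the
# configured action name goes into the log prefix.
sub ruleset_generate_rule {
    my ($ruleset, $chain, $vmid, $direction, $rule, $loglevel, $accept_action) = @_;
    my $target = substitute_action($rule->{action}, $direction, $accept_action);
    ruleset_addrule($ruleset, $chain, $rule->{match} // '', "-j $target",
        $loglevel, "$rule->{action}: ", $vmid);
}

my $ruleset = {};
# Constructed sample: OUT chain with an explicit rule plus a default ACCEPT
# policy, both logged at level 6.
ruleset_generate_rule($ruleset, 'tap100i0-OUT', 100, 'OUT',
    { action => 'ACCEPT', match => '-p tcp --dport 443' }, 6, 'ACCEPT');
ruleset_add_chain_policy($ruleset, 'tap100i0-OUT', 100, 'OUT', 'ACCEPT', 6, 'ACCEPT');
# IN chain: default DROP, logged.
ruleset_add_chain_policy($ruleset, 'tap100i0-IN', 100, 'IN', 'DROP', 6, 'ACCEPT');
# A second VM with nolog on its OUT default: no log rule at all.
ruleset_add_chain_policy($ruleset, 'tap101i0-OUT', 101, 'OUT', 'ACCEPT', 'nolog', 'ACCEPT');

for my $chain (sort keys %$ruleset) {
    print "$_\n" for @{$ruleset->{$chain}};
}

# Self-checks: the log prefix names the configured action, never the internal
# mark chain, and the nolog chain has only its terminal rule.
my @out = @{$ruleset->{'tap100i0-OUT'}};
die "missing policy ACCEPT log" unless grep { /policy ACCEPT: / } @out;
die "internal target leaked into log" if grep { /nflog-prefix.*SET-ACCEPT-MARK/ } @out;
die "nolog chain should have one rule" unless @{$ruleset->{'tap101i0-OUT'}} == 1;
```

Running the script prints the generated rules per chain; the OUT chain gets a log rule tagged "policy ACCEPT: " followed by the jump to PVEFW-SET-ACCEPT-MARK, while the VM with nolog on its OUT default produces only the terminal rule, which is the behaviour the thread asks for (log volume stays under the admin's control through nolog, and the log shows the configured action rather than the internal chain name).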