Re: [pve-devel] [PATCH] prepare code for more generic firewall logging

2017-09-18 Thread Tom Weber
On Monday, 18.09.2017, 13:34 +0200, Dietmar Maurer wrote:
> > With that in mind, I have no objections to this patch (or a version of
> > it, see the inline comments below).
> But logging all Dropped package would produce an incredible amount of logs?

That's why I'd like to have a

Re: [pve-devel] [PATCH] prepare code for more generic firewall logging

2017-09-18 Thread Wolfgang Bumiller
> On September 18, 2017 at 1:34 PM Dietmar Maurer wrote:
> > With that in mind, I have no objections to this patch (or a version of
> > it, see the inline comments below).
> But logging all Dropped package would produce an incredible amount of logs?

That's where

Re: [pve-devel] [PATCH] prepare code for more generic firewall logging

2017-09-18 Thread Tom Weber
On Monday, 18.09.2017, 12:21 +0200, Wolfgang Bumiller wrote:
> Improving logging makes sense, the current state might be confusing for
> some (given that drop-rules simply generate a `-j DROP` iptables rule
> and therefore don't get logged).
> This seems to be a good first step, although I'd

Re: [pve-devel] [PATCH] prepare code for more generic firewall logging

2017-09-18 Thread Dietmar Maurer
> With that in mind, I have no objections to this patch (or a version of
> it, see the inline comments below).

But logging all Dropped package would produce an incredible amount of logs?

Re: [pve-devel] [PATCH] prepare code for more generic firewall logging

2017-09-18 Thread Wolfgang Bumiller
Improving logging makes sense, the current state might be confusing for some (given that drop-rules simply generate a `-j DROP` iptables rule and therefore don't get logged). This seems to be a good first step, although I'd be much happier if iptables would allow setting the log-prefix and

[pve-devel] [PATCH] prepare code for more generic firewall logging

2017-09-14 Thread Tom Weber
making ruleset generation aware of a match and action part in iptable rules.
code will generate the same iptables as before! (except for a few additional spaces between match and action).
---
 src/PVE/Firewall.pm | 168 +++-
 1 file changed, 99