Migrating proxmox-firewall to the proxmox_log crate has removed the RUST_LOG environment variable, among other things. Additionally, the proxmox-firewall binary now has subcommands for dumping the generated firewall ruleset. Update the documentation to provide information on how to use the new subcommands for debugging proxmox-firewall.
Signed-off-by: Stefan Hanreich <s.hanre...@proxmox.com> --- pve-firewall.adoc | 38 ++++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/pve-firewall.adoc b/pve-firewall.adoc index 47ab3d3..ccf0cb3 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -825,38 +825,48 @@ You can check the generated ruleset via the following command: nft list ruleset ---- -If you want to debug `proxmox-firewall` you can simply run the daemon in -foreground with the `RUST_LOG` environment variable set to `trace`. This should -provide you with detailed debugging output: +If you want to debug `proxmox-firewall` you can dump the commands generated by +the firewall via the `compile` subcommand. Additionally, setting the PVE_LOG +environment variable will print log output to STDERR, which can be useful for +debugging issues during the generation of the nftables ruleset: ---- -RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall +PVE_LOG=trace /usr/libexec/proxmox/proxmox-firewall compile > firewall.json +---- + +The nftables ruleset consists of the skeleton ruleset, that is included in the +proxmox-firewall binary, as well as the rules generated from the firewall +configuration. You can obtain the base ruleset via the `skeleton` subcommand: + +---- +/usr/libexec/proxmox/proxmox-firewall skeleton +---- + +The output of both commands can be piped directly to the `nft` executable. The +following commands will re-create the whole nftables ruleset from scratch: + +---- +/usr/libexec/proxmox/proxmox-firewall skeleton | nft -f - +/usr/libexec/proxmox/proxmox-firewall compile | nft -j -f - ---- You can also edit the systemctl service if you want to have detailed output for -your firewall daemon: +your firewall daemon while it is running: ---- systemctl edit proxmox-firewall ---- -Then you need to add the override for the `RUST_LOG` environment variable: +Then you need to add the override for the `PVE_LOG` environment variable: ---- [Service] -Environment="RUST_LOG=trace" +Environment="PVE_LOG=trace" ---- This will generate a large amount of logs very quickly, so only use this for debugging purposes. Other, less verbose, log levels are `info` and `debug`. -Running in foreground writes the log output to STDERR, so you can redirect it -with the following command (e.g. for submitting logs to the community forum): - ----- -RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall 2> firewall_log_$(hostname).txt ----- - It can be helpful to trace packet flow through the different chains in order to debug firewall rules. This can be achieved by setting `nftrace` to 1 for packets that you want to track. It is advisable that you do not set this flag for *all* -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
