Hi Alexandre,

You are right, logging the packets passing the firewall bridge seems a bit 
overkill and redundant.

Will send a patch to fix this.

> On May 15, 2019 at 4:08 PM Alexandre DERUMIER <aderum...@odiso.com> wrote:
> 
> 
> Hi,
> 
> since this commit
> 
> 
> https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff;f=src/PVE/Firewall.pm;h=ccc5d7ffb62f1ef4c4d59e363192f512c88742c9;hp=6ac303831a62f630d437ef0e0508decd2b72f5ac;hb=3489f8a2b9597201fe8e42fa5832507f96169619;hpb=33efd363ab32d3f8f6a9c49e481cb62a8da40b5d
> 
> @@ -2341,10 +2348,10 @@ sub generate_tap_rules_direction {
>      # plug the tap chain to bridge chain
>      if ($direction eq 'IN') {
>         ruleset_addrule($ruleset, "PVEFW-FWBR-IN",
> -                       "-m physdev --physdev-is-bridged --physdev-out 
> $iface", "-j $tapchain");
> +                       "-m physdev --physdev-is-bridged --physdev-out 
> $iface", "-j $tapchain", $loglevel, 'FWBR-IN: ', $vmid);
>      } else {
>         ruleset_addrule($ruleset, "PVEFW-FWBR-OUT",
> -                       "-m physdev --physdev-is-bridged --physdev-in 
> $iface", "-j $tapchain");
> +                       "-m physdev --physdev-is-bridged --physdev-in 
> $iface", "-j $tapchain", $loglevel, 'FWBR-OUT: ', $vmid);
>      }
>  }
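Review bot: both `ruleset_addrule` calls in this hunk now pass `$loglevel` with a `'FWBR-IN: '` / `'FWBR-OUT: '` prefix on the jump into `$tapchain`, so with any level other than nolog every packet gets a log entry at the jump, before any verdict, on top of the rule/policy log that already exists; the jump entry carries no accept/drop/reject information. Suggest dropping the three extra arguments from the jump rules (restoring the previous `"-j $tapchain");` form) or gating them on a separate option, so that setting the VM to nolog keeps the final-action log.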
> 
> 
> 
> The default loglevel of a vm logs all packets coming to the tap chain,
> ex:
> -A PVEFW-FWBR-IN -m physdev --physdev-out tap135i0 --physdev-is-bridged -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":135:6:PVEFW-FWBR-IN: FWBR-IN: "
> 
> Previously, it was only for the final DROP/REJECT/ACCEPT action
> 
> 
> Here is an example with a connection to port 53, with default action input/output 
> policy = reject, loglevelin:info, and no rule to allow the port:
> [OPTIONS]
> 
> log_level_out: info
> macfilter: 1
> policy_out: REJECT
> enable: 1
> policy_in: REJECT
> dhcp: 0
> log_level_in: info
> 
> [RULES]
> 
> 135 6 PVEFW-FWBR-IN 15/May/2019:15:53:23 +0200 FWBR-IN: IN=fwbr135i0 OUT=fwbr135i0 PHYSIN=fwln135i0 PHYSOUT=tap135i0 MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.33 DST=10.3.95.29 LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389 LEN=263
> 135 6 tap135i0-IN 15/May/2019:15:53:23 +0200 policy REJECT: IN=fwbr135i0 OUT=fwbr135i0 PHYSIN=fwln135i0 PHYSOUT=tap135i0 MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.33 DST=10.3.95.29 LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389 LEN=263
> 
> 
> As you see, it's logged twice (once when coming to the tap chain, once when the final 
> action is reject).
> 
> Same if you make a rule in the vm, activating log on the rule: it's logged 
> twice.
> 
> I would like to be able to remove this logging in FWBR-IN, and only log on 
> rules or the default input/output policy action.
> But currently, if I set loglevel=nolog, it also disables the log 
> for the default action.
> 
> 
> I'm not sure, but do we really need this log on FWBR-IN? (I mean, we don't 
> have any info on whether it's drop/accept/reject, so it's pretty useless; we only know 
> that a packet is coming.)
> Or maybe could we have a different loglevel option for the default input/output 
> policy?
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
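As an added illustration, not part of this thread or of pve-firewall, here is a small Python parser for the log lines quoted above. It groups the `PVEFW-FWBR-IN` "packet seen" entry with the tap-chain verdict entry for the same packet, so the double-logged packet is reported once with its verdict; the third sample line is constructed to show a packet that was only logged at the bridge jump.

```python
import re

# pve-firewall log line: "<vmid> <level> <chain> <timestamp> <prefix>: <key=value ...>"
LINE_RE = re.compile(
    r"^(?P<vmid>\d+) (?P<level>\d+) (?P<chain>\S+) "
    r"(?P<ts>\S+ [+-]\d{4}) (?P<prefix>.*?): (?P<fields>.*)$"
)
# Lines 1-2 are the pair quoted in the thread (rejoined); line 3 is constructed to show
# a packet logged at the bridge jump that never reached a logged rule/policy verdict.
SAMPLE_LOG = [
    "135 6 PVEFW-FWBR-IN 15/May/2019:15:53:23 +0200 FWBR-IN: IN=fwbr135i0 OUT=fwbr135i0 "
    "PHYSIN=fwln135i0 PHYSOUT=tap135i0 MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.33 "
    "DST=10.3.95.29 LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389 LEN=263",
    "135 6 tap135i0-IN 15/May/2019:15:53:23 +0200 policy REJECT: IN=fwbr135i0 OUT=fwbr135i0 "
    "PHYSIN=fwln135i0 PHYSOUT=tap135i0 MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.33 "
    "DST=10.3.95.29 LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389 LEN=263",
    "135 6 PVEFW-FWBR-IN 15/May/2019:15:53:24 +0200 FWBR-IN: IN=fwbr135i0 OUT=fwbr135i0 "
    "PHYSIN=fwln135i0 PHYSOUT=tap135i0 SRC=10.11.53.33 DST=10.3.95.29 LEN=60 ID=20499 PROTO=TCP SPT=54690 DPT=22",
]

def parse_line(line):
    """Split one log line into header parts plus a dict of the key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    fields = {}
    for tok in rec.pop("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # IP-header LEN precedes the UDP LEN; keep the first
    rec["fields"] = fields
    return rec

def packet_key(rec):
    # The fields that both entries of the same packet repeat verbatim.
    return tuple(rec["fields"].get(k) for k in ("ID", "PROTO", "SRC", "DST", "SPT", "DPT"))

def collapse(lines):
    """One event per packet: the tap-chain verdict entry wins over the FWBR-IN/OUT jump entry."""
    groups = {}
    for rec in filter(None, map(parse_line, lines)):
        groups.setdefault(packet_key(rec), []).append(rec)
    events = []
    for key, recs in groups.items():
        verdicts = [r for r in recs if not r["chain"].startswith("PVEFW-FWBR-")]
        pick = verdicts[-1] if verdicts else recs[0]
        events.append({"vmid": pick["vmid"], "chain": pick["chain"], "key": key,
                       "verdict": pick["prefix"] if verdicts else None, "entries": len(recs)})
    return events
```

Running `collapse(SAMPLE_LOG)` yields two events: the port-389 packet with verdict `policy REJECT` and two underlying entries, and the constructed port-22 packet with no verdict, which is exactly the "we only know that a packet is coming" case.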
