Thanks! Also, about the new log ratelimit
https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff;f=src/PVE/Firewall.pm;h=48e630004bf424c2db578aad3e60eb61db42f8e6;hp=ba1cb5f5924af094fe647f98d40e2703eca96ff4;hb=cc37e0005d0617e405883fd12b80faf65cedb153;hpb=95ed90a9a8418173ab7cac2d0c1f6ddd04c376cc
it seems that the default is now +my $global_log_ratelimit = '--limit 1/sec'; (if you don't have the option "log_ratelimit" in cluster.fw)

+my $set_global_log_ratelimit = sub { + my $cluster_opts = shift; + + $global_log_ratelimit = '--limit 1/sec'; + if (defined(my $log_rlimit = $cluster_opts->{log_ratelimit})) { + my $ll_format = $cluster_option_properties->{log_ratelimit}->{format}; + my $limit = PVE::JSONSchema::parse_property_string($ll_format, $log_rlimit); + + if ($limit->{enable}) { + if (my $rate = $limit->{rate}) { + $global_log_ratelimit = "--limit $rate"; + } + if (my $burst = $limit->{burst}) { + $global_log_ratelimit .= " --limit-burst $burst"; + } + } else { + $global_log_ratelimit = undef; + } + } +};

but it's correctly disabled with "log_ratelimit: enable=0" in cluster.fw.
I think the behaviour should also be the same when the option is not defined.

----- Original Message -----
From: "Christian Ebner" <c.eb...@proxmox.com>
To: "pve-devel" <pve-devel@pve.proxmox.com>, "aderumier" <aderum...@odiso.com>
Sent: Wednesday 15 May 2019 17:03:13
Subject: Re: [pve-devel] pve-firewall: default loglevel behaviour change

Hi Alexandre,

you are right, logging the packets passing the firewall bridge seems a bit overkill and redundant. Will send a patch to fix this.

> On May 15, 2019 at 4:08 PM Alexandre DERUMIER <aderum...@odiso.com> wrote:
>
>
> Hi,
>
> since this commit
>
>
> https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff;f=src/PVE/Firewall.pm;h=ccc5d7ffb62f1ef4c4d59e363192f512c88742c9;hp=6ac303831a62f630d437ef0e0508decd2b72f5ac;hb=3489f8a2b9597201fe8e42fa5832507f96169619;hpb=33efd363ab32d3f8f6a9c49e481cb62a8da40b5d
> > > @@ -2341,10 +2348,10 @@ sub generate_tap_rules_direction { > # plug the tap chain to bridge chain > if ($direction eq 'IN') { > ruleset_addrule($ruleset, "PVEFW-FWBR-IN", > - "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain"); > + "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain", > $loglevel, 'FWBR-IN: ', $vmid); > } else { > ruleset_addrule($ruleset, "PVEFW-FWBR-OUT", > - "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain"); > + "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain", > $loglevel, 'FWBR-OUT: ', $vmid); > } > }
>
>
>
> The default loglevel of a vm is logging all packets coming to the tap chain
> ex:
> -A PVEFW-FWBR-IN -m physdev --physdev-out tap135i0 --physdev-is-bridged -m
> limit --limit 1/sec -j NFLOG --nflog-prefix ":135:6:PVEFW-FWBR-IN: FWBR-IN: "
>
> Previously, it was only for the final DROP/REJECT/ACCEPT action
>
>
> Here an example with a connection to port 53, with default action input/output
> policy = reject, loglevelin:info, and no rule to allow port
> [OPTIONS]
>
> log_level_out: info
> macfilter: 1
> policy_out: REJECT
> enable: 1
> policy_in: REJECT
> dhcp: 0
> log_level_in: info
>
> [RULES]
>
>
>
>
>
> 135 6 PVEFW-FWBR-IN 15/May/2019:15:53:23 +0200 FWBR-IN: IN=fwbr135i0
> OUT=fwbr135i0 PHYSIN=fwln135i0 PHYSOUT=tap135i0
> MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.33 DST=10.3.95.29
> LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389
> LEN=263
> 135 6 tap135i0-IN 15/May/2019:15:53:23 +0200 policy REJECT: IN=fwbr135i0
> OUT=fwbr135i0 PHYSIN=fwln135i0 PHYSOUT=tap135i0
> MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.33 DST=10.3.95.29
> LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389
> LEN=263
>
>
> As you see, it's logged twice. (once when coming to tap chain, one when final
> action is reject)
>
> Same if you make a rule in the vm, activating log on the rule, it's logged
> twice.
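Review bot: adding `$loglevel, 'FWBR-IN: ', $vmid` (and the `FWBR-OUT: ` counterpart) to the two `ruleset_addrule` calls that only plug the tap chain into the bridge chain turns a plain `-j $tapchain` jump into a logged rule, so each packet is logged once at the bridge level with no verdict attached and again when the tap chain's rule or policy decides, which is exactly the pair of entries quoted above. Suggest keeping these two calls in their previous two-argument form (no log arguments on the jump), or, if bridge-level logging is wanted at all, driving it from a separate option rather than the VM's `$loglevel`, so that setting the VM's log level to `nolog` does not also silence the policy log.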
>
> I would like to be able to remove this logging in FWBR-IN, and only log on
> rules or default input/output policy action.
> But currently, if I disable the loglevel=nolog, it's disabling too the log
> for default action.
>
>
> I'm not sure, but do we really need this log on FWBR-IN? (I mean, we don't
> have any info if it's drop/accept/reject, so it's pretty useless, we only know
> that a packet is coming).
> Or maybe could we have a different loglevel option for default input/output
> policy?
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
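An added example, written for this page and not part of pve-firewall or of any message in the thread, to illustrate the duplicate logging Alexandre describes: a small parser for log lines in the format quoted above that groups entries by packet and reports how many bridge-chain entries merely repeat a verdict entry from the tap chain. The sample lines are constructed from the two entries quoted above plus a third, invented TCP packet that only the bridge chain logged; classifying an entry as "bridge-only" by the `PVEFW-FWBR-` chain-name prefix is an assumption of this example, as is the field layout of the log line.

```python
import re
from collections import defaultdict

# Constructed sample, shaped after the two entries quoted in the thread
# (the same UDP packet logged first by the bridge chain, then by the tap
# chain's REJECT policy) plus an invented TCP packet seen only by the bridge chain.
SAMPLE_LOG = """\
135 6 PVEFW-FWBR-IN 15/May/2019:15:53:23 +0200 FWBR-IN: IN=fwbr135i0 OUT=fwbr135i0 PHYSIN=fwln135i0 PHYSOUT=tap135i0 MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.33 DST=10.3.95.29 LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389 LEN=263
135 6 tap135i0-IN 15/May/2019:15:53:23 +0200 policy REJECT: IN=fwbr135i0 OUT=fwbr135i0 PHYSIN=fwln135i0 PHYSOUT=tap135i0 MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.33 DST=10.3.95.29 LEN=283 TOS=0x00 PREC=0x00 TTL=127 ID=20498 PROTO=UDP SPT=54689 DPT=389 LEN=263
135 6 PVEFW-FWBR-IN 15/May/2019:15:53:24 +0200 FWBR-IN: IN=fwbr135i0 OUT=fwbr135i0 PHYSIN=fwln135i0 PHYSOUT=tap135i0 MAC=56:af:a2:0d:53:9b:58:49:3b:80:fb:24:08:00 SRC=10.11.53.40 DST=10.3.95.29 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 PROTO=TCP SPT=40000 DPT=22
"""

# Assumed layout: "<vmid> <loglevel> <chain> <date:time> <tz> <prefix>: KEY=VAL ..."
# The prefix ("FWBR-IN", "policy REJECT") is everything up to the first colon
# that follows the timezone, so the colons inside the timestamp are not a problem.
LOG_RE = re.compile(
    r'^(?P<vmid>\d+) (?P<level>\d+) (?P<chain>\S+) (?P<ts>\S+ \S+) '
    r'(?P<prefix>[^:]+): (?P<fields>.*)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    fields = {}
    for key, val in re.findall(r'(\w+)=(\S+)', rec.pop('fields')):
        # LEN appears twice (IP total length, then UDP length): keep the first.
        fields.setdefault(key, val)
    rec['fields'] = fields
    # Assumption: chains named PVEFW-FWBR-* only record traversal, never a verdict.
    rec['bridge_only'] = rec['chain'].startswith('PVEFW-FWBR-')
    return rec


def packet_key(rec):
    """Identify a packet by timestamp and the IP/transport fields that survive logging."""
    f = rec['fields']
    return (rec['ts'], f.get('SRC'), f.get('DST'), f.get('PROTO'),
            f.get('ID'), f.get('SPT'), f.get('DPT'))


def find_duplicates(log_text):
    """Split bridge-chain entries into those that duplicate a verdict and those that do not."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[packet_key(rec)].append(rec)
    redundant = []   # bridge entries that repeat a rule/policy entry for the same packet
    orphans = []     # bridge entries with no verdict entry at all (no way to tell the outcome)
    for recs in groups.values():
        bridge = [r for r in recs if r['bridge_only']]
        verdicts = [r for r in recs if not r['bridge_only']]
        if bridge and verdicts:
            redundant.extend(bridge)
        elif bridge:
            orphans.extend(bridge)
    return redundant, orphans


def summarize(log_text):
    """Return counts an operator can use to size the redundant log volume."""
    redundant, orphans = find_duplicates(log_text)
    total = sum(1 for line in log_text.splitlines() if LOG_RE.match(line))
    return {
        'entries': total,
        'redundant_bridge_entries': len(redundant),
        'bridge_only_no_verdict': len(orphans),
    }


if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

On the constructed sample this reports three entries, one redundant bridge entry (the UDP packet that the tap chain also rejected) and one bridge-only entry with no verdict, which is the case Alexandre calls useless: the log says a packet arrived but not what happened to it. Run over a real firewall log it gives a quick measure of how much volume the bridge-level rule adds on top of rule and policy logging.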