
add proxmox firewall iptables parser #484

Merged
merged 3 commits into from Jun 30, 2022

Conversation

aderumier

This adds the Proxmox-specific iptables log format:
-j NFLOG --nflog-prefix '$vmid:$loglevel:$chain: $msg'

@nameduser0

Thanks for this. A couple of naive questions:

So does this deal with DROPs for all VM and container firewall traffic or just the host traffic?
And does the log_level need to be set to something other than nolog somewhere to capture drops?

@aderumier
Author

It'll deal with both the host and the VM firewall.

It's the same format, only the iptables chain is different (.... HOST-IN .... , ....TAP-IN, ....).
The grok pattern is catching both correctly.

The log_level does indeed need to be set to something other than "nolog" for drops to be logged in /var/log/pve-firewall.log

@he2ss
Member

he2ss commented Jun 14, 2022

Hi @aderumier,

Thanks for the contribution.
Could you please add tests for this parser, using [cscli hubtest](https://docs.crowdsec.net/docs/next/cscli/cscli_hubtest/). It will generate the test suite config.

@aderumier
Author

@he2ss

yes sure. I'm a bit busy this week, I'll send tests next week.

Thanks !

fix grok parser: some fields are optional for host firewall

also change filter to be sure to only catch DROP|REJECT|PVEFW-reject
@aderumier
Author

@he2ss

I have added tests and also fixed the parser (thanks to the tests ;)
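As an added example (not code from this PR or from the crowdsec hub parser, which is a grok pattern), here is a small Python parser for lines in the NFLOG prefix layout '$vmid:$loglevel:$chain: $msg' discussed in the replies above and in the second commit: it tolerates the fields that are optional for the host firewall and keeps only DROP/REJECT/PVEFW-reject verdicts, the way the narrowed filter does. The sample lines, the "policy DROP:" verdict token placement and the key=value payload layout are constructed assumptions, not real pve-firewall.log output.

```python
import re
from collections import Counter

# Constructed sample lines in the PR's NFLOG prefix layout; NOT real pve-firewall.log output.
# The host-firewall lines (vmid 0, PVEFW-HOST-IN) show the optional fields: OUT= is empty and
# PHYSIN/PHYSOUT are absent, which is what the second commit made optional in the grok pattern.
SAMPLE_LINES = [
    "100:6:tap100i0-IN: policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 "
    "SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=22",
    "0:6:PVEFW-HOST-IN: policy DROP: IN=vmbr0 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=4444 DPT=8006",
    "0:6:PVEFW-HOST-IN: policy ACCEPT: IN=vmbr0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=22",
    "101:6:tap101i0-OUT: PVEFW-reject: IN=fwbr101i0 OUT=fwbr101i0 SRC=10.0.0.8 DST=192.0.2.20 PROTO=UDP SPT=5353 DPT=53",
    "0:6:PVEFW-HOST-IN: policy DROP: IN=vmbr0 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=4445 DPT=22",
]

# Prefix ($vmid:$loglevel:$chain:), then the verdict token, then the netfilter key=value payload.
LINE_RE = re.compile(
    r"^(?P<vmid>\d+):(?P<loglevel>\d+):(?P<chain>[\w-]+): "
    r"(?:policy )?(?P<action>DROP|REJECT|ACCEPT|PVEFW-reject):\s*(?P<msg>.*)$"
)
KV_RE = re.compile(r"([A-Z]+)=(\S*)")  # \S* so an empty value such as 'OUT=' still matches
DENY_ACTIONS = {"DROP", "REJECT", "PVEFW-reject"}  # what the narrowed filter keeps

def parse_line(line):
    """Return a dict for one line, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {k: m.group(k) for k in ("vmid", "loglevel", "chain", "action")}
    event["vmid"] = int(event["vmid"])
    # Host rules live in PVEFW-HOST-* chains, guest rules in tap<vmid>i<n>-IN/OUT chains.
    event["scope"] = "host" if event["chain"].startswith("PVEFW-HOST") else "vm"
    event.update({k: v for k, v in KV_RE.findall(m.group("msg")) if v})  # skip empty OUT=
    return event

def denied_events(lines):
    """Keep only DROP/REJECT/PVEFW-reject events, i.e. what the parser's filter lets through."""
    return [e for e in map(parse_line, lines) if e and e["action"] in DENY_ACTIONS]

def denied_by_source(lines):
    """Count denied packets per source IP; a quick sanity check while testing the pattern."""
    return Counter(e["SRC"] for e in denied_events(lines) if "SRC" in e)

if __name__ == "__main__":
    for e in denied_events(SAMPLE_LINES):
        print(e["scope"], e["vmid"], e["chain"], e["action"], e.get("SRC"), "->", e.get("DPT"))
    print(denied_by_source(SAMPLE_LINES))
```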

@buixor buixor requested a review from he2ss June 21, 2022 09:49
@buixor buixor added the labels WIP (Work in progress) and REVIEW (to be reviewed and merged), and removed the label WIP (Work in progress), Jun 23, 2022
@he2ss he2ss merged commit b782d64 into crowdsecurity:master Jun 30, 2022