From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <pve-devel-bounces@lists.proxmox.com> Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id B05A51FF16E for <inbox@lore.proxmox.com>; Mon, 14 Apr 2025 17:45:28 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 974A537399; Mon, 14 Apr 2025 17:45:28 +0200 (CEST) From: Stefan Hanreich <s.hanreich@proxmox.com> To: pve-devel@lists.proxmox.com Date: Mon, 14 Apr 2025 17:44:55 +0200 Message-Id: <20250414154455.274151-4-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250414154455.274151-1-s.hanreich@proxmox.com> References: <20250414154455.274151-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.235 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH pve-docs 1/1] firewall: update 'useful commands' section with new subcommands X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com> List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe> List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/> List-Post: <mailto:pve-devel@lists.proxmox.com> List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help> List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe> Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com> Migrating proxmox-firewall to the proxmox_log crate has removed the RUST_LOG environment variable, among other things. Additionally, the proxmox-firewall binary now has subcommands for dumping the generated firewall ruleset. Update the documentation to provide information on how to use the new subcommands for debugging proxmox-firewall. Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com> --- pve-firewall.adoc | 38 ++++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/pve-firewall.adoc b/pve-firewall.adoc index 47ab3d3..ccf0cb3 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -825,38 +825,48 @@ You can check the generated ruleset via the following command: nft list ruleset ---- -If you want to debug `proxmox-firewall` you can simply run the daemon in -foreground with the `RUST_LOG` environment variable set to `trace`. This should -provide you with detailed debugging output: +If you want to debug `proxmox-firewall` you can dump the commands generated by +the firewall via the `compile` subcommand. Additionally, setting the PVE_LOG +environment variable will print log output to STDERR, which can be useful for +debugging issues during the generation of the nftables ruleset: ---- -RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall +PVE_LOG=trace /usr/libexec/proxmox/proxmox-firewall compile > firewall.json +---- + +The nftables ruleset consists of the skeleton ruleset, that is included in the +proxmox-firewall binary, as well as the rules generated from the firewall +configuration. You can obtain the base ruleset via the `skeleton` subcommand: + +---- +/usr/libexec/proxmox/proxmox-firewall skeleton +---- + +The output of both commands can be piped directly to the `nft` executable. The +following commands will re-create the whole nftables ruleset from scratch: + +---- +/usr/libexec/proxmox/proxmox-firewall skeleton | nft -f - +/usr/libexec/proxmox/proxmox-firewall compile | nft -j -f - ---- You can also edit the systemctl service if you want to have detailed output for -your firewall daemon: +your firewall daemon while it is running: ---- systemctl edit proxmox-firewall ---- -Then you need to add the override for the `RUST_LOG` environment variable: +Then you need to add the override for the `PVE_LOG` environment variable: ---- [Service] -Environment="RUST_LOG=trace" +Environment="PVE_LOG=trace" ---- This will generate a large amount of logs very quickly, so only use this for debugging purposes. Other, less verbose, log levels are `info` and `debug`. -Running in foreground writes the log output to STDERR, so you can redirect it -with the following command (e.g. for submitting logs to the community forum): - ----- -RUST_LOG=trace /usr/libexec/proxmox/proxmox-firewall 2> firewall_log_$(hostname).txt ----- - It can be helpful to trace packet flow through the different chains in order to debug firewall rules. This can be achieved by setting `nftrace` to 1 for packets that you want to track. It is advisable that you do not set this flag for *all* -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel