projekte/edgeguard-native
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(firewall-log): ulogd2 + NFLOG group 0 → JSON-Lines

Browse Source 
Foundation für Live-Log + Firewall-History (Logsystem Phase 1):

- nft-Renderer: `log prefix "edgeguard:<rule-id>" group 0` für Rules
  mit log=true. Ohne `group` schrieb nft in kernel-log (dmesg), nie
  in netlink → ulogd2 sah nichts.
- ulogd2 + ulogd2-json als Depends, postinst legt /etc/ulogd.conf
  (NFLOG group 0 → /var/log/edgeguard/firewall.jsonl) + logrotate-
  Profil (14d, daily, copytruncate) + enable/restart ulogd2.service.
- /var/log/edgeguard/ ist root:edgeguard 0640 — ulogd2 schreibt
  (root), edgeguard-api liest (UI-Endpoints kommen in Phase 2).

End-to-End smoke-test bestätigt: ICMP echo → JSON-Line mit allen
Feldern (src_ip, dest_ip, oob.prefix, oob.in, icmp.*) in ~30ms.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Debian
2026-05-12 20:44:00 +02:00
parent d385e5217d
commit 3c817b7080
8 changed files with 78 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
packaging/debian/edgeguard-api/DEBIAN/postinst
View File

@@ -199,6 +199,77 @@ vm.dirty_background_ratio = 5
SYSCTL
sysctl --system >/dev/null 2>&1 || true
# ── Firewall-Logging via ulogd2 (NFLOG group 0) ──────────────
# nft-Renderer emittiert `log prefix "edgeguard:<rule-id>" group 0`
# für jede Rule mit log=true. ulogd2 subscribed auf netlink-group
# 0 und schreibt JSON-Lines nach /var/log/edgeguard/firewall.jsonl.
# Das UI tailt das File für Live-Log + Historie.
install -d -m 0755 /var/log/edgeguard
install -d -m 0755 -o "$EG_USER" -g "$EG_USER" /var/log/edgeguard
if [ ! -f /var/log/edgeguard/firewall.jsonl ]; then
: > /var/log/edgeguard/firewall.jsonl
fi
# ulogd2 läuft als root (eigener Daemon); File muss von ihm
# schreibbar UND von edgeguard-API lesbar sein.
chown root:"$EG_USER" /var/log/edgeguard/firewall.jsonl
chmod 0640 /var/log/edgeguard/firewall.jsonl
cat > /etc/ulogd.conf <<'ULOGD'
# Managed by edgeguard — re-installation overwrites this file.
# NFLOG group 0 → JSON-Lines pro Paket nach /var/log/edgeguard/firewall.jsonl
# Format-Felder: oob.time.sec, oob.prefix (rule-id), src_ip, dst_ip,
# src_port, dst_port, ip.protocol, raw.pktlen, oob.in/oob.out (iface).
[global]
logfile="/var/log/ulogd.log"
loglevel=5
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"
stack=fw1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON
[fw1]
group=0
[json1]
sync=1
file="/var/log/edgeguard/firewall.jsonl"
timestamp=1
boolean_label=1
ULOGD
chmod 0644 /etc/ulogd.conf
# Logrotate-Profil für firewall.jsonl — Default: daily, 14 days
# comprimiert, copytruncate damit ulogd kein Reopen-Signal braucht.
cat > /etc/logrotate.d/edgeguard-firewall <<'LOGROTATE'
/var/log/edgeguard/firewall.jsonl {
daily
rotate 14
missingok
notifempty
compress
delaycompress
copytruncate
create 0640 root edgeguard
}
LOGROTATE
chmod 0644 /etc/logrotate.d/edgeguard-firewall
# ulogd2 enablen + restarten (idempotent). Wenn das Paket nicht
# da ist (Dependency-Konflikt o.ä.), nur warnen — die Firewall
# läuft auch ohne Logger.
if systemctl list-unit-files ulogd2.service >/dev/null 2>&1; then
systemctl enable ulogd2.service >/dev/null 2>&1 || true
systemctl restart ulogd2.service || \
echo "postinst: ulogd2.service restart failed (firewall logs disabled until fixed)" >&2
else
echo "postinst: ulogd2.service not installed — install ulogd2 to enable firewall log" >&2
fi
# ── Self-signed default cert so HAProxy starts cleanly ───────
# HAProxy `bind :443 ssl crt /etc/edgeguard/tls/` needs at least
# one PEM in the directory to come up. Operator runs certbot