Log accepted new connections

[mreiger]

Attempt to resolve issue https://github.com/metal-stack/firewall-controller/issues/117

Not complete yet; do not merge!

[majst01]

Droptailer needs to be modified as well to pick lines starting with the new log-prefix as well here: https://github.com/metal-stack/droptailer/blob/master/client/main.go#L20

[mwennrich]

Be aware, that this will blow up the logs on high-traffic services (like S3) a lot, and might hit journal rate-limits or rotate out other journal-entries on the firewalls pretty quickly.

[majst01]

Agree with @mwennrich this must be at least configurable

[mreiger]

Yes, the droptailer needs to be adjusted too.

• It needs to pick up the accept prefix
• We'll need to change the output format to indicate whether a log entry is a drop or an accept

Unfortunately the latter would be a breaking change. Do we know of any users who actually parse the droptailer log at the moment?

Agreed, we'll have to watch the log volume.

[majst01]

• whether a log entry is a

There is no contract on the receiver side, it simply is a json output, so adding a

{"accept":true}

field should not break anything

[Gerrit91]

Looking forward to this feature!

I know it's nitpicking, but to me the term acceptLog makes my thoughts go into another direction of what this is actually doing. Not so much of a networker to judge this but could there be a better name like logAcceptedConns?

[majst01]

Also as discussed offline we should discuss if the current approach by setting the acceptLog globally for all rules in the firewall CR, or if it would be more user friendly to allow to set this by rule in the CWNP (only for egress obviously) and in the Service Object by annotation for example for ingress.