add 'log_nf_conntrack' option description

[pve-firewall.git] / src / PVE / Firewall.pm

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index ccc5d7ffb62f1ef4c4d59e363192f512c88742c9..f294d365545facc005c3a6195ba699eaf4674bce 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1248,6 +1248,12 @@ our $host_option_properties = {
        default => 0,
        optional => 1,
     },
+    log_nf_conntrack => {
+       description => "Enable logging of conntrack information.",
+       type => 'boolean',
+       default => 0,
+       optional => 1
+    },
 };
 
 our $vm_option_properties = {
@@ -2011,8 +2017,8 @@ sub ipt_rule_to_cmds {
     }
 
     my @iptcmds;
-    if ($rule->{log} && $rule->{log} ne 'nolog') {
-       my $log = $rule->{log};
+    my $log = $rule->{log};
+    if (defined($log) && $log ne 'nolog') {
        my $loglevel = $log_level_hash->{$log};
        my $logaction = get_log_rule_base($chain, $vmid, $rule->{logmsg}, $loglevel);
        push @iptcmds, "-A $chain $matchstr $logaction";
@@ -2100,7 +2106,7 @@ sub get_log_rule_base {
     # Note: we use special format for prefix to pass further
     # info to log daemon (VMID, LOGLEVEL and CHAIN)
 
-    return "-m limit --limit 1/sec --limit-burst 1 -j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: $msg\"";
+    return "-m limit --limit 1/sec -j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: $msg\"";
 }
 
 sub ruleset_add_chain_policy {