kern/178482: [ipfw] logging problem from vnet jail

Joe fbsd8 at a1poweruser.com
Wed May 22 17:10:02 UTC 2013


The following reply was made to PR kern/178482; it has been noted by GNATS.

From: Joe <fbsd8 at a1poweruser.com>
To: Ian Smith <smithi at nimnet.asn.au>
Cc: bug-followup at FreeBSD.org
Subject: Re: kern/178482: [ipfw] logging problem from vnet jail
Date: Wed, 22 May 2013 13:04:29 -0400

 Ian Smith wrote:
 > 
 >  > 9.1-RELEASE kernel with modules and vimage plus ipfw compiled in.
 >  > vnet jails running ipfw are logging to the host security file and
 >  > don't log any ipfw log messages to the host's messages file. Secondly
 >  > the vnet jail's security and messages files never get populated with
 >  > ipfw log messages.
 > 
 > Logging to the host's syslog rather than the jail's appears to be the
 > main/real issue here, confirmed and demonstrated by Anders Hagman, see
 > http://lists.freebsd.org/pipermail/freebsd-ipfw/2013-May/005398.html
 
 You have the incorrect conclusion. Let me reword what was stated in the 
 original pr to give a clearer picture of the pr. IPFW log messages 
 coming from an IPFW process running inside of a jail(8) vnet jail are 
 being written to the host's /etc/log/security file and not to the vnet 
 jail's /etc/log/security file. If the host is also running ipfw, its 
 logging messages are intermingled with those coming from the vnet jail 
 ipfw process. And yes, Anders Hagman did confirm this per the link you 
 provided.
 
 > 
 >  > logger command works. logged msg in both security and messages on
 >  > host
 >  > vnet jail can ping the public internet.
 >  > Host's security file has log messages from both jail and host.
 >  > ipfw log messages are not being put into the host's messages file.
 > 
 > Apart from certain admin messages such as ipfw initialization, 'limit N 
 > reached on rule X' and 'Entry X logging count reset.' ipfw log messages 
 > are never written to /var/log/messages but only to /var/log/security. 
 
 > Since you set verbose_limit=0, you shouldn't expect to see anything from 
 > ipfw in /var/log/messages, on either host or jail.
 
 I don't know how you came to that conclusion. verbose_limit is not 
 mentioned in this pr. You are incorrect. verbose_limit is not set for 
 this pr test.
 
 > 
 >  > # /root >/var/log/security
 >  > empty file
 >  >
 >  > # /root >cat /var/log/messages
 >  > empty file
 > 
 > Strange that there were not even normal bootup messages on the host?
 
 That's because I deleted all content before running this test to make the 
 output simple. What purpose would showing boot messages serve?
 > 
 > The rest serves to demonstrate the vnet jail logging-to-host issue.
 > 
 > Ian
 > 
 > 
 