[Bug 248112] ipfilter ipmon intermixing vnet jail log records into host /var/log/security log file in error

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Jul 19 18:56:46 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248112

            Bug ID: 248112
           Summary: ipfilter ipmon intermixing vnet jail log records into
                    host /var/log/security log file in error
           Product: Base System
           Version: 12.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: joeb1 at a1poweruser.com

Host rc.conf has this:
ipmon_flags="-DsL security"
This causes the host ipfilter firewall to log ipmon records using the security
facility. The /etc/syslog.conf is unmodified, which means the security.*
facility is written to the /var/log/security file. This is how it's intended to
work.

When this same ipmon_flags="-DsL security" statement is added to the vnet jail's
rc.conf along with the normal ipfilter statements, the desired host behavior is
NOT occurring in the vnet jail.

What is happening is that the vnet jail's ipfilter log records are being inserted
into the host's /var/log/security file. This is an error. Beyond that, this is a
security violation of the security intent of vnet jails as a whole.

The vnet jail's ipmon needs to be fixed to enforce the option flags in the vnet
jail's rc.conf ipmon_flags="-DsL security" statement so the ipmon log records
are written to the /var/log/security file within the running vnet jail.

FYI: This also occurs with ipfw. But ipfw has an undocumented statement,
firewall_logif="YES", which when used in the vnet jail's rc.conf will cause the
ipfw log records to be written to the vnet jail's /var/log/security file. You
may want to look at it for ideas on how to fix ipfilter ipmon.

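A host-side check for the misbehavior described in this report, added here as an example and not part of the bug report or of FreeBSD: because a vnet jail's interfaces (for example the jail side of an epair) are not visible to the host's `ifconfig -l`, any ipmon record in the host's /var/log/security whose interface field is not a host interface most likely came from a jail's ipmon. The record layout is the usual ipmon-via-syslog form as I understand it (an assumption), and the log lines below are constructed samples.

```sh
#!/bin/sh
# Assumed record layout (ipmon -s, relayed by syslogd):
#   <syslog date> <host> ipmon[pid]: <dd/mm/yyyy> <hh:mm:ss.usec> [Nx] <ifname> @<group:rule> <action> ...
# Prints every ipmon record whose interface is not in the host interface list.
flag_foreign_iface_records() {
    host_ifaces="$1"   # space-separated names, normally "$(ifconfig -l)"
    awk -v ifs="$host_ifaces" '
        BEGIN { n = split(ifs, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        /ipmon\[[0-9]+\]:/ {
            # locate the "ipmon[pid]:" tag; date and time follow it
            p = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^ipmon\[[0-9]+\]:$/) { p = i; break }
            if (p == 0) next
            j = p + 3
            # an optional "Nx" repeat count sits between the time and the interface
            if ($j ~ /^[0-9]+x$/) j++
            if (!($j in known)) print
        }'
}

# Constructed sample log: em0 is a host NIC, epair0b lives inside a vnet jail.
SAMPLE_LOG='Jul 19 18:50:01 host ipmon[1234]: 19/07/2020 18:50:01.100000 em0 @0:3 b 203.0.113.5,41000 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
Jul 19 18:50:02 host ipmon[4321]: 19/07/2020 18:50:02.200000 epair0b @0:2 b 198.51.100.7,53 -> 10.0.0.2,40000 PR udp len 20 72 IN
Jul 19 18:50:03 host ipmon[1234]: 19/07/2020 18:50:03.300000 2x em0 @0:3 b 203.0.113.5,41001 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
Jul 19 18:50:04 host sshd[555]: Accepted publickey for user from 203.0.113.9 port 5000'

# Run against the sample; on a real host use:
#   flag_foreign_iface_records "$(ifconfig -l)" < /var/log/security
printf '%s\n' "$SAMPLE_LOG" | flag_foreign_iface_records "em0 lo0"
```

Only the epair0b record is printed; a non-empty result on a real host means jail ipmon records are landing in the host log.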