From owner-freebsd-bugs@FreeBSD.ORG Fri May 10 13:10:01 2013
Message-Id: <201305101304.r4AD4D0M067772@oldred.FreeBSD.org>
Date: Fri, 10 May 2013 13:04:13 GMT
From: Joe Barbish
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: kern/178480: dynamically loaded ipfw with a vimage kernel don't work.
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Fri, 10 May 2013 13:10:01 -0000

>Number: 178480
>Category: kern
>Synopsis: dynamically loaded ipfw with a vimage kernel don't work.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri May 10 13:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Joe Barbish
>Release: 9.1-RELEASE
>Organization:
None
>Environment:
>Description:
9.1-RELEASE ipfw dynamically loaded by firewall statements in host's rc.conf
with modules and only vimage compiled into kernel.

logger cmd on host did not work until after vnet jail was started and stopped.
vnet jail pings passed through vnet jail's ipfw but were not passed to host ipfw.
vnet jail pings got logged to host's security file but not messages, and vnet
jail's security and messages files are not populated.
After vnet jail stopped, host logger cmd works and host pings work and logged
correctly to security and messages.

Host console log showing processing sequence

# /root >sysctl net.inet.ip.fw.verbose
net.inet.ip.fw.verbose: 1
# /root >sysctl net.inet.ip.fw.verbose_limit
net.inet.ip.fw.verbose_limit: 0

# /root >cat /etc/rc.conf
# snip
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/ipfw.rules"

# /root >logger security.notice this msg is from logger cmd on host
# /root >cat /var/log/security
empty file
# /root >cat /var/log/messages
empty file

# /root >ping -c 4 freebsd.org
PING freebsd.org (8.8.178.135): 56 data bytes
64 bytes from 8.8.178.135: icmp_seq=0 ttl=51 time=102.814 ms
64 bytes from 8.8.178.135: icmp_seq=1 ttl=51 time=84.625 ms
64 bytes from 8.8.178.135: icmp_seq=2 ttl=51 time=101.332 ms
64 bytes from 8.8.178.135: icmp_seq=3 ttl=51 time=120.662 ms

--- freebsd.org ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 84.625/102.358/120.662/12.755 ms

# /root >cat /var/log/messages
empty file
# /root >cat /var/log/security
May 2 19:05:50 fbsdjones kernel: ipfw: 11 Accept UDP 10.0.10.5:42524 209.18.47.61:53 out via rl0
May 2 19:05:50 fbsdjones kernel: ipfw: 11 Accept UDP 209.18.47.61:53 10.0.10.5:42524 in via rl0
May 2 19:05:50 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:05:50 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May 2 19:05:51 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:05:51 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May 2 19:05:52 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:05:52 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May 2 19:05:53 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:05:53 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0

vnet jail gets started using jail(8)

# /root >jls
   JID  IP Address      Hostname                      Path
     2  -               vdir2                         /usr/jails/vdir2

# /root >jexec vdir2 tcsh
vdir2 / >logger -p security.notice logger cmd msg from within the host
vdir2 / >ipfw -a list
00010 0 0 allow ip from any to any via lo0
00011 0 0 allow log ip from any to any via epair2b
65535 5 368 deny ip from any to any
vdir2 / >ping -c 4 freebsd.org
ping: cannot resolve freebsd.org: Host name lookup failure
vdir2 / >ipfw -a list
00010 0 0 allow ip from any to any via lo0
00011 8 480 allow log ip from any to any via epair2b
65535 5 368 deny ip from any to any
vdir2 / >exit
exit

# back on the host, see jail logged to host security file but packets
# were not handed off to host ipfw because no host log messages for those
# packets.

# /root >cat /var/log/security
May 2 19:05:50 fbsdjones kernel: ipfw: 11 Accept UDP 10.0.10.5:42524 209.18.47.61:53 out via rl0
May 2 19:05:50 fbsdjones kernel: ipfw: 11 Accept UDP 209.18.47.61:53 10.0.10.5:42524 in via rl0
May 2 19:05:50 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:05:50 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May 2 19:05:51 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:05:51 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May 2 19:05:52 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:05:52 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May 2 19:05:53 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:05:53 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May 2 19:10:50 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:32606 209.18.47.61:53 out via epair2b
May 2 19:10:55 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:29810 209.18.47.62:53 out via epair2b
May 2 19:10:57 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:32606 209.18.47.61:53 out via epair2b
May 2 19:11:00 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:35933 209.18.47.61:53 out via epair2b
May 2 19:11:05 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:56823 209.18.47.62:53 out via epair2b
May 2 19:11:07 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:35933 209.18.47.61:53 out via epair2b
May 2 19:11:07 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:29810 209.18.47.62:53 out via epair2b
May 2 19:11:17 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:56823 209.18.47.62:53 out via epair2b
May 2 19:11:22 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:37981 209.18.47.61:53 out via epair2b
May 2 19:11:27 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:24567 209.18.47.62:53 out via epair2b
May 2 19:11:29 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:37981 209.18.47.61:53 out via epair2b
May 2 19:11:39 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:24567 209.18.47.62:53 out via epair2b
May 2 19:11:44 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:54854 209.18.47.61:53 out via epair2b
May 2 19:11:49 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:33964 209.18.47.62:53 out via epair2b
May 2 19:11:51 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:54854 209.18.47.61:53 out via epair2b

# /root >logger -p security.notice host logger msg
# /root >cat /var/log/security
May 2 19:11:39 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:24567 209.18.47.62:53 out via epair2b
May 2 19:11:44 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:54854 209.18.47.61:53 out via epair2b
May 2 19:11:49 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:33964 209.18.47.62:53 out via epair2b
May 2 19:11:51 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:54854 209.18.47.61:53 out via epair2b
May 2 19:12:01 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:33964 209.18.47.62:53 out via epair2b
May 2 19:12:50 fbsdjones root: host logger msg

# /root >cat /var/log/messages
May 2 19:08:10 fbsdjones kernel: bridge0: Ethernet address: 02:8f:94:84:0c:00
May 2 19:08:10 fbsdjones kernel: bridge0: link state changed to UP
May 2 19:08:10 fbsdjones kernel: epair2a: Ethernet address: 02:c0:a4:00:0a:0a
May 2 19:08:10 fbsdjones kernel: epair2b: Ethernet address: 02:c0:a4:00:0b:0b
May 2 19:08:10 fbsdjones kernel: epair2a: link state changed to UP
May 2 19:08:10 fbsdjones kernel: epair2b: link state changed to UP
May 2 19:12:50 fbsdjones root: host logger msg
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
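
Added example, not part of the original report: a small sh/awk check that reads ipfw log lines in the format quoted above and lists source addresses logged on a jail-side epair interface that never show up in any entry logged on the host NIC. The function names and the trimmed sample log are constructed for illustration; rl0 and epair2b are the interface names from the report.

```shell
#!/bin/sh
# Added example (not from the report). Function names are hypothetical.

# Constructed sample, modelled on the /var/log/security lines in the report.
sample_log() {
cat <<'EOF'
May 2 19:05:50 fbsdjones kernel: ipfw: 11 Accept UDP 10.0.10.5:42524 209.18.47.61:53 out via rl0
May 2 19:05:50 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:10:50 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:32606 209.18.47.61:53 out via epair2b
May 2 19:10:55 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:29810 209.18.47.62:53 out via epair2b
May 2 19:12:50 fbsdjones root: host logger msg
EOF
}

# per_interface_counts: prints "<iface> <count>" for every interface that
# appears in an ipfw packet log line on stdin, sorted by interface name.
per_interface_counts() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") {
            if ($(NF-1) == "via") n[$NF]++
            break
        }
    }
    END { for (k in n) print k, n[k] }' | sort
}

# jail_only_sources HOST_IF: prints "<src-ip> <count>" for sources logged on
# an epair* interface that never appear (as source or destination) in a line
# logged on HOST_IF. Address match only: traffic NATed on the host would be
# logged under the translated address and still be listed here.
jail_only_sources() {
    awk -v host_if="$1" '{
        p = 0
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") { p = i; break }
        if (p == 0 || $(NF-1) != "via") next    # not an ipfw packet log line
        src = $(p+4); dst = $(p+5)              # fields after rule/action/proto
        sub(/:[0-9]+$/, "", src)                # drop port (IPv4 only)
        sub(/:[0-9]+$/, "", dst)
        if ($NF == host_if) { seen[src] = 1; seen[dst] = 1 }
        else if ($NF ~ /^epair/) jail[src]++
    }
    END { for (s in jail) if (!(s in seen)) print s, jail[s] }' | sort
}

sample_log | per_interface_counts
sample_log | jail_only_sources rl0
```

On a live host the same functions can be fed the real file, for example `jail_only_sources rl0 < /var/log/security`.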