From owner-freebsd-jail@FreeBSD.ORG Wed May 1 21:43:06 2013
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 54DC03C1 for ; Wed, 1 May 2013 21:43:06 +0000 (UTC) (envelope-from fbsd8@a1poweruser.com)
Received: from mail-03.name-services.com (mail-03.name-services.com [69.64.155.195]) by mx1.freebsd.org (Postfix) with ESMTP id 40AED1513 for ; Wed, 1 May 2013 21:43:06 +0000 (UTC)
Received: from [10.0.10.1] ([173.88.202.176]) by mail-03.name-services.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 1 May 2013 14:43:07 -0700
Message-ID: <51818C67.7070708@a1poweruser.com>
Date: Wed, 01 May 2013 17:43:03 -0400
From: Joe
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: Ian Smith
Subject: Re: vnet jail with ipfw having logging problem
References: <44AC45947DA14449AEDFB13B9F6C5F7DAF3E1FA5@ltcfiswmsgmb25> <517A7BCB.8060604@a1poweruser.com> <13CA24D6AB415D428143D44749F57D7201F22068@ltcfiswmsgmb21> <517D3426.1090703@a1poweruser.com> <51805EFB.6050806@a1poweruser.com> <20130502021830.O30818@sola.nimnet.asn.au>
In-Reply-To: <20130502021830.O30818@sola.nimnet.asn.au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 01 May 2013 21:43:07.0582 (UTC) FILETIME=[DE2C35E0:01CE46B4]
X-Sender: fbsd8@a1poweruser.com
X-Authenticated-Sender: fbsd8@a1poweruser.com
X-EchoSenderHash: [fbsd8]-[a1poweruser*com]
Cc: freebsd-jail
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
X-List-Received-Date: Wed, 01 May 2013 21:43:06 -0000

> > I have ipfw running inside of a vnet jail on a 9.1-RELEASE host using the
> > jail(8) definition statements for starting and stopping the vnet jail. As a
> > side note, non-vnet jails are working as expected.
> >
> > The host is running a custom kernel with modules and with
> > options VIMAGE
> > nooptions SCTP
> > options IPFIREWALL
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT=10
>
> What steps have you taken during testing to override this ridiculously
> low limit on logging? Otherwise, after e.g. just 5 pings and 5 ping
> responses are logged, all logging ceases until issuing 'ipfw resetlog'.

/usr/src/sys/conf/NOTES says IPFIREWALL_VERBOSE_LIMIT limits the number of
times a matching entry can be logged. It says nothing about this limit being
the maximum number of log records allowed, after which the log file is closed
for business. Are you saying the /usr/src/sys/conf/NOTES info is no longer
true?

Without IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT, where do the logged
packets get written to? /var/log/security

I have not used ipfw since its ipfw2 rewrite, so my knowledge is dated.

>
> > options IPFIREWALL_DEFAULT_TO_ACCEPT
> > options IPFIREWALL_IPDIVERT
>
> You'd likely do better using in-kernel NAT; natd doesn't get much love.
>

I kept getting kernel compile errors using "options IPFIREWALL_NAT". I thought
the error was caused by vimage. Now I know "options LIBALIAS" is required. I
could not find info in an internet search for IPFIREWALL_NAT with a vimage
kernel. Do you have first-hand experience getting "ipfw kernel nat" to work in
a vimage jail, or having logging work on the host and within the vnet jail?
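The exchange above turns on two kernel-config pitfalls: a small IPFIREWALL_VERBOSE_LIMIT that makes each "log" rule go quiet after N matches until 'ipfw resetlog', and IPFIREWALL_NAT without the LIBALIAS option it depends on. The script below is an added example written for this page, not code from the thread or from FreeBSD; it is a POSIX sh checker that reads a kernel config file and flags both problems before a build. It assumes the usual "options NAME[=VALUE]" / "nooptions NAME" line format of sys/<arch>/conf files, treats an unset or zero limit as unlimited (as ipfw(8) documents for net.inet.ip.fw.verbose_limit), and uses 100 as an arbitrary threshold for "too small". The two sample configs are constructed: the first reproduces the options quoted in the thread plus IPFIREWALL_NAT on its own, the second the fixed combination.

```shell
#!/bin/sh
# Added example, not code from the thread: a POSIX sh checker for the two
# kernel-config pitfalls discussed above. It only reads a kernel config file
# ("options"/"nooptions" lines as in sys/<arch>/conf/NAME); it never touches
# the running system. Sample configs below are constructed, not copied.

# Print the value of "options NAME[=VALUE]": "1" when set without a value,
# nothing when absent or removed by a later "nooptions NAME". Last line wins.
kern_opt() {
    # $1 = option name, $2 = config file
    awk -v name="$1" '
        $1 == "nooptions" && $2 == name { seen = 0; val = "" }
        $1 == "options" {
            split($2, kv, "=")
            if (kv[1] == name) { val = (kv[2] == "" ? "1" : kv[2]); seen = 1 }
        }
        END { if (seen) print val }
    ' "$2"
}

# Logging pitfall: with IPFIREWALL_VERBOSE_LIMIT=N each "log" rule stops
# logging after N matches until "ipfw resetlog" is run, so a small N quietly
# blinds the log. 0 (or unset) means unlimited; net.inet.ip.fw.verbose_limit
# overrides it at run time. The 100 threshold is my own choice for "small".
# Returns 0 when fine, 1 when the setting needs attention.
check_verbose_limit() {
    verbose=$(kern_opt IPFIREWALL_VERBOSE "$1")
    limit=$(kern_opt IPFIREWALL_VERBOSE_LIMIT "$1")
    if [ -z "$verbose" ]; then
        echo "WARN: IPFIREWALL_VERBOSE unset: syslog logging stays off unless net.inet.ip.fw.verbose=1 is set at run time"
        return 1
    fi
    case "$limit" in
        ""|0) echo "OK: per-rule log limit unlimited"; return 0 ;;
        *[!0-9]*) echo "WARN: unparsable IPFIREWALL_VERBOSE_LIMIT=$limit"; return 1 ;;
    esac
    if [ "$limit" -lt 100 ]; then
        echo "WARN: IPFIREWALL_VERBOSE_LIMIT=$limit: each rule goes quiet after $limit hits (raise it, or use sysctl net.inet.ip.fw.verbose_limit / ipfw resetlog at run time)"
        return 1
    fi
    echo "OK: per-rule log limit $limit"
    return 0
}

# Build pitfall: in-kernel NAT (IPFIREWALL_NAT) is built on libalias, so the
# kernel also needs "options LIBALIAS" or the build fails.
check_nat_deps() {
    if [ -n "$(kern_opt IPFIREWALL_NAT "$1")" ] && [ -z "$(kern_opt LIBALIAS "$1")" ]; then
        echo "ERR: IPFIREWALL_NAT without LIBALIAS: the kernel will not build"
        return 1
    fi
    echo "OK: in-kernel NAT dependencies satisfied"
    return 0
}

# Run both checks; return 1 if either flagged something.
audit_config() {
    rc=0
    check_verbose_limit "$1" || rc=1
    check_nat_deps "$1" || rc=1
    return $rc
}

# Constructed sample 1: the options quoted in the thread plus IPFIREWALL_NAT
# without LIBALIAS, i.e. the combination that failed to build.
BAD_CONF=$(mktemp "${TMPDIR:-/tmp}/kernconf.XXXXXX")
cat > "$BAD_CONF" <<'EOF'
options VIMAGE
nooptions SCTP
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_IPDIVERT
options IPFIREWALL_NAT
EOF

# Constructed sample 2: no compile-time log cap (the runtime sysctl decides)
# and LIBALIAS present for in-kernel NAT.
GOOD_CONF=$(mktemp "${TMPDIR:-/tmp}/kernconf.XXXXXX")
cat > "$GOOD_CONF" <<'EOF'
options VIMAGE
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_NAT
options LIBALIAS
EOF
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT

echo "== sample 1 =="; audit_config "$BAD_CONF" || echo "-> fix before building"
echo "== sample 2 =="; audit_config "$GOOD_CONF" && echo "-> looks fine"
```

Point the functions at a real config (for example `audit_config /usr/src/sys/amd64/conf/MYKERNEL`) before running config(8); the checks are static, so they say nothing about the rules loaded in the jail, only about what the kernel can log and build.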