From owner-freebsd-bugs@FreeBSD.ORG Fri May 10 13:20:01 2013
Message-Id: <201305101314.r4ADEqjv086932@oldred.FreeBSD.org>
Date: Fri, 10 May 2013 13:14:52 GMT
From: Joe Barbish
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/178482: ipfw logging problem from vnet jail

>Number: 178482
>Category: kern
>Synopsis: ipfw logging problem from vnet jail
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri May 10 13:20:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Joe Barbish
>Release: 9.1-RELEASE
>Organization: None
>Environment:
>Description:
9.1-RELEASE kernel with modules and vimage plus ipfw compiled in.
vnet jails running ipfw are logging to the host security file and don't log
any ipfw log messages to the host's message file.
Secondly, the vnet jail's security and messages files never get populated with
ipfw log messages.

logger command works. Logged msg in both security and messages on host.
vnet jail can ping the public internet.
Host's security file has log messages from both jail and host.
ipfw log messages are not being put into the host's messages file.

Kernel compile options used.

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT

# ran on the host
# /root >sysctl net.inet.ip.fw.verbose
net.inet.ip.fw.verbose: 1
# /root >sysctl net.inet.ip.fw.verbose_limit
net.inet.ip.fw.verbose_limit: 0

# /root >ipfw -a list
00010 0 0 allow ip from any to any via lo0
00011 0 0 allow log ip from any to any via rl0
65535 1 328 allow ip from any to any

# /root >/var/log/security
empty file
# /root >cat /var/log/messages
empty file

# /root >logger -p security.notice host logger cmd 1
# /root >cat /var/log/security
May 2 19:45:51 fbsdjones root: host logger cmd 1
# /root >cat /var/log/messages
May 2 19:45:51 fbsdjones root: host logger cmd 1

# /root >ipfw -a list
00010 0 0 allow ip from any to any via lo0
00011 0 0 allow log ip from any to any via rl0
65535 1 328 allow ip from any to any

# /root >ping -c 3 freebsd.org
PING freebsd.org (8.8.178.135): 56 data bytes
64 bytes from 8.8.178.135: icmp_seq=0 ttl=51 time=85.032 ms
64 bytes from 8.8.178.135: icmp_seq=1 ttl=51 time=84.381 ms
64 bytes from 8.8.178.135: icmp_seq=2 ttl=51 time=84.647 ms

--- freebsd.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 84.381/84.687/85.032/0.267 ms

# /root >ipfw -a list
00010 0 0 allow ip from any to any via lo0
00011 9 869 allow log ip from any to any via rl0
65535 1 328 allow ip from any to any

vnet jail started using jail(8)

# /root >jls
JID IP Address Hostname Path
1 - vdir2 /usr/jails/vdir2

# /root >jexec vdir2 tcsh
vdir2 / >cat /etc/ipfw.rules
# Flush out the list before we begin.
ipfw -q -f flush
cmd="ipfw -q add"
if [ -e /etc/epair ]; then
  pif=`cat "/etc/epair"`
  rm /etc/epair
else
  pif="lo0"
fi
$cmd 010 allow all from any to any via lo0
$cmd 011 allow log all from any to any via $pif

vdir2 / >ipfw -a list
00010 0 0 allow ip from any to any via lo0
00011 0 0 allow log ip from any to any via epair1b
65535 8 624 allow ip from any to any

vdir2 / >ping -c 3 freebsd.org
PING freebsd.org (8.8.178.135): 56 data bytes
64 bytes from 8.8.178.135: icmp_seq=0 ttl=51 time=84.342 ms
64 bytes from 8.8.178.135: icmp_seq=1 ttl=51 time=84.195 ms
64 bytes from 8.8.178.135: icmp_seq=2 ttl=51 time=84.015 ms

--- freebsd.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 84.015/84.184/84.342/0.134 ms

vdir2 / >ipfw -a list
00010 0 0 allow ip from any to any via lo0
00011 8 634 allow log ip from any to any via epair1b
65535 8 624 allow ip from any to any

vdir2 / >cat /var/log/security
May 1 21:56:27 vdir2 newsyslog[5202]: logfile first created
vdir2 / >cat /var/log/messages
May 1 21:56:27 vdir2 newsyslog[5202]: logfile first created
vdir2 / >exit
exit

Back on the host

# /root >cat /var/log/security
May 2 19:45:51 fbsdjones root: host logger cmd 1
May 2 19:46:53 fbsdjones kernel: ipfw: 11 Accept UDP 10.0.10.1:138 10.0.10.7:138 in via rl0
May 2 19:46:58 fbsdjones kernel: ipfw: 11 Accept UDP 10.0.10.5:64721 209.18.47.61:53 out via rl0
May 2 19:46:58 fbsdjones kernel: ipfw: 11 Accept UDP 209.18.47.61:53 10.0.10.5:64721 in via rl0
May 2 19:46:58 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:46:58 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May 2 19:46:59 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:46:59 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May 2 19:47:00 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:47:00 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May 2 19:47:38 fbsdjones kernel: ipfw: 11 Accept ICMPv6:143.0 [::] [ff02::16] out via rl0
May 2 19:47:38 fbsdjones kernel: ipfw: 11 Accept ICMPv6:143.0 [::] [ff02::16] out via rl0
May 2 19:47:39 fbsdjones kernel: ipfw: 11 Accept ICMPv6:135.0 [::] [ff02::1:ff00:b0b] out via rl0
May 2 19:47:39 fbsdjones kernel: ipfw: 11 Accept ICMPv6:143.0 [::] [ff02::16] out via rl0
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept UDP 10.1.0.2:13101 209.18.47.61:53 out via epair1b
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept UDP 10.1.0.2:13101 209.18.47.61:53 out via rl0
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept UDP 209.18.47.61:53 10.1.0.2:13101 in via rl0
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept UDP 209.18.47.61:53 10.1.0.2:13101 in via rl0
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept UDP 209.18.47.61:53 10.1.0.2:13101 in via epair1b
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.1.0.2 8.8.178.135 out via epair1b
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.1.0.2 8.8.178.135 out via rl0
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.1.0.2 in via rl0
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.1.0.2 in via rl0
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.1.0.2 in via epair1b
May 2 19:49:22 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.1.0.2 8.8.178.135 out via epair1b
May 2 19:49:22 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.1.0.2 8.8.178.135 out via rl0
May 2 19:49:22 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.1.0.2 in via rl0
May 2 19:49:22 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.1.0.2 in via rl0
May 2 19:49:22 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.1.0.2 in via epair1b
May 2 19:49:23 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.1.0.2 8.8.178.135 out via epair1b
May 2 19:49:23 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.1.0.2 8.8.178.135 out via rl0
May 2 19:49:23 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.1.0.2 in via rl0
May 2 19:49:23 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.1.0.2 in via rl0
May 2 19:49:23 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.1.0.2 in via epair1b

# /root >cat /var/log/messages
May 2 19:45:51 fbsdjones root: host logger cmd 1
May 2 19:47:38 fbsdjones kernel: bridge0: Ethernet address: 02:8f:94:84:0c:00
May 2 19:47:38 fbsdjones kernel: bridge0: link state changed to UP
May 2 19:47:38 fbsdjones kernel: epair1a: Ethernet address: 02:c0:24:00:0a:0a
May 2 19:47:38 fbsdjones kernel: epair1b: Ethernet address: 02:c0:24:00:0b:0b
May 2 19:47:38 fbsdjones kernel: epair1a: link state changed to UP
May 2 19:47:38 fbsdjones kernel: epair1b: link state changed to UP
May 2 19:50:59 fbsdjones kernel: epair1a: link state changed to DOWN
May 2 19:50:59 fbsdjones kernel: epair1b: link state changed to DOWN
May 2 19:50:59 fbsdjones kernel: bridge0: link state changed to DOWN
May 2 19:51:02 fbsdjones kernel: Freed UMA keg was not empty (30 items). Lost 2 pages of memory.
May 2 19:51:02 fbsdjones kernel: Freed UMA keg was not empty (203 items). Lost 1 pages of memory.
May 2 19:51:02 fbsdjones kernel: Freed UMA keg was not empty (30 items). Lost 2 pages of memory.
May 2 19:51:02 fbsdjones kernel: hhook_vnet_uninit: hhook_head type=1, id=1 cleanup required
May 2 19:51:02 fbsdjones kernel: hhook_vnet_uninit: hhook_head type=1, id=0 cleanup required

# /root >exit
exit
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
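
Because the jail's entries land in the host's /var/log/security, they can be told apart from the host's own by the interface after "via" (epair1b is the interface in the jail's rule 11, rl0 the one in the host's). The script below is an added example, not part of the original report; the function names are hypothetical and the default epair<N>b pattern is an assumption about how the jail-side interfaces are named.

```sh
#!/bin/sh
# Added example (not from the report): split ipfw entries in a host's
# /var/log/security by the interface that follows "via".

# Sample input: a few lines copied from the host log shown in the report.
sample_log() {
cat <<'EOF'
May 2 19:45:51 fbsdjones root: host logger cmd 1
May 2 19:46:58 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept UDP 10.1.0.2:13101 209.18.47.61:53 out via epair1b
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept UDP 10.1.0.2:13101 209.18.47.61:53 out via rl0
May 2 19:49:21 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.1.0.2 in via epair1b
EOF
}

# Print "<interface> <count>" for each ipfw log line on stdin, sorted.
ipfw_count_by_iface() {
    awk '
        / kernel: ipfw: / {
            for (i = 1; i < NF; i++)
                if ($i == "via") { n[$(i + 1)]++; break }
        }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# Print the ipfw log lines whose "via" interface matches regex $1.
# Default (assumption): jail-side epair interfaces are named epair<N>b.
ipfw_lines_via() {
    re=${1:-'^epair[0-9]+b$'}
    awk -v re="$re" '
        / kernel: ipfw: / {
            for (i = 1; i < NF; i++)
                if ($i == "via" && $(i + 1) ~ re) { print; break }
        }
    '
}

# Stand-alone run on the sample: per-interface totals, then jail-side lines.
sample_log | ipfw_count_by_iface
sample_log | ipfw_lines_via
```

On a live host, feed the real file instead of the sample, for instance `ipfw_lines_via < /var/log/security`.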