From: Lee Brown
Date: Fri, 18 Jul 2025 12:50:38 -0700
Subject: Re: net.inet.ip.fw.verbose in jails
To: "Patrick M. Hausen"
Cc: freebsd-net@freebsd.org
List: Networking and TCP/IP with FreeBSD (https://lists.freebsd.org/archives/freebsd-net)

I've had that happen if the jails don't have syslogd running inside them.

On Fri, Jul 18, 2025 at 6:25 AM Patrick M. Hausen <hausen@punkt.de> wrote:
> Hi all,
>
> one customer started to make more use of IPFW inside
> their vnet jails in our hosting environment.
>
> When they
>
> - create a firewall rule with "log" set, like:
>   ipfw add 65532 allow log ip from me to any out
> - set:
>   sysctl net.inet.ip.fw.verbose=1
>
> all *inside* a jail, the firewall rules work as expected, yet
> the log entries end up in /var/log/security on the host.
>
> All the time net.inet.ip.fw.verbose on the host is set to 0.
>
> Is this intentional? Or fundamental, because there is only
> a shared host kernel with jails?
>
> Or is it a bug?
>
> I checked multiple times, the sysctl variables can be set for
> each jail and the host independently just like each can have
> its own set of firewall rules.
>
> Kind regards,
> Patrick
> --
> punkt.de GmbH
> Patrick M. Hausen
> .infrastructure
>
> Sophienstr. 187
> 76185 Karlsruhe
>
> Tel. +49 721 9109500
>
> https://infrastructure.punkt.de
> info@punkt.de
>
> AG Mannheim 108285
> Managing directors: Daniel Lienert, Fabian Stein
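As an added example (my own audit script, not code from either poster), the following POSIX sh script checks running jails for the combination the thread describes: net.inet.ip.fw.verbose=1 set inside a jail that has no syslogd of its own, in which case Lee reports the ipfw "log" lines ending up on the host. It assumes FreeBSD's jls(8), jexec(8), pgrep(1) and sysctl(8); the helper names jail_run, list_jails, audit_jail and audit_all are this script's own, not part of FreeBSD.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits running vnet jails for the
# situation discussed above: net.inet.ip.fw.verbose=1 set inside a jail that has
# no syslogd running, so the kernel's ipfw "log" lines are picked up by the
# host's syslogd (landing in the host's /var/log/security) instead of inside
# the jail. Assumes jls(8), jexec(8), pgrep(1) and sysctl(8); the helper names
# jail_run, list_jails, audit_jail and audit_all are this script's own.
#
# Usage on a FreeBSD host:  sh ipfw_log_audit.sh [jail ...]
#                           (no arguments: audit every running jail)

# Run a command inside a jail. Kept as a separate function so it can be
# replaced by a stub when exercising the logic on a machine without jails.
jail_run() {
    _jail=$1
    shift
    jexec "$_jail" "$@"
}

# Names of all running jails, one per line.
list_jails() {
    jls name
}

# Audit one jail. Prints "<jail> verbose=<0|1|unknown> syslogd=<yes|no>".
# Returns 1 for the combination from the thread (ipfw logging enabled in the
# jail, no syslogd running there), 0 otherwise.
audit_jail() {
    _j=$1
    _verbose=$(jail_run "$_j" sysctl -n net.inet.ip.fw.verbose 2>/dev/null) \
        || _verbose=unknown
    if jail_run "$_j" pgrep -q syslogd 2>/dev/null; then
        _syslogd=yes
    else
        _syslogd=no
    fi
    printf '%s verbose=%s syslogd=%s\n' "$_j" "$_verbose" "$_syslogd"
    if [ "$_verbose" = 1 ] && [ "$_syslogd" = no ]; then
        return 1
    fi
    return 0
}

# Audit the given jails (or every running jail). Returns 1 if any jail would
# have its ipfw log lines delivered to the host instead of inside the jail.
audit_all() {
    _rc=0
    if [ $# -eq 0 ]; then
        set -- $(list_jails)
    fi
    for _name in "$@"; do
        if ! audit_jail "$_name"; then
            echo "  -> $_name: ipfw log lines will land in the host's /var/log/security;" \
                 "start syslogd inside the jail (syslogd_enable=\"YES\" in its rc.conf)" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Only run automatically on a host that actually has jails (jls present).
if command -v jls >/dev/null 2>&1; then
    audit_all "$@"
fi
```

Run it from the host as root; a non-zero exit means at least one jail is logging into the host's file. The jail_run indirection is what makes the logic checkable without real jails: redefine it to return constructed sysctl and pgrep results and the audit functions can be exercised anywhere.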