Date:      Sun, 19 Jul 2020 18:56:45 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 248112] ipfilter ipmon intermixing vnet jail log records into host /var/log/security log file in error
Message-ID:  <bug-248112-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248112

            Bug ID: 248112
           Summary: ipfilter ipmon intermixing vnet jail log records into
                    host /var/log/security log file in error
           Product: Base System
           Version: 12.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: joeb1@a1poweruser.com

Host rc.conf has this
ipmon_flags="-DsL security"
This causes the host ipfilter firewall to log ipmon records using the security
facility. The /etc/syslog.conf is unmodified which means the security.*
facility is written to /var/log/security file. This is how it's intended to
work.

When this same ipmon_flags="-DsL security" statement is added to the vnet jail's
rc.conf along with the normal ipfilter statements the desired host behavior is
NOT occurring in the vnet jail.

What is happening is the vnet jail's ipfilter log records are being inserted
into the host's /var/log/security file. This is an error. Beyond that this is a
security violation of the security intent of vnet jails as a whole.

The vnet jail's ipmon needs to be fixed to enforce the option flags in the vnet
jail's rc.conf ipmon_flags="-DsL security" statement so the ipmon log records
are written to the /var/log/security file within the running vnet jail.

FYI: This also occurs with ipfw. But ipfw has an undocumented statement
firewall_logif="YES" which when used in the vnet jail's rc.conf will cause the
ipfw log records to be written to the vnet jail's /var/log/security file. You
may want to look at it for ideas on how to fix ipfilter ipmon.

-- 
You are receiving this mail because:
You are the assignee for the bug.

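An added check (editor's example, not part of the bug report or of FreeBSD) for spotting the intermixing the reporter describes: it scans ipmon records in a /var/log/security-style log and flags those whose interface field is not one of the host's interfaces, which is where jail-side epair names (epairNb) would show up. The log lines and the interface lists are constructed for the example; on a real host the interface list would come from `ifconfig -l`.

```shell
#!/bin/sh
# Constructed sample of /var/log/security lines as syslog writes them for
# ipmon -DsL security. Two records name epair0b, the jail side of an epair,
# which never appears in the host's own interface list.
SAMPLE_LOG='Jul 19 18:50:01 host ipmon[812]: 18:50:01.100000 em0 @0:3 b 198.51.100.7,41022 -> 203.0.113.10,22 PR tcp len 20 60 -S IN
Jul 19 18:50:02 host ipmon[812]: 18:50:02.200000 epair0b @0:1 b 198.51.100.9,5555 -> 10.10.0.2,80 PR tcp len 20 60 -S IN
Jul 19 18:50:03 host ipmon[812]: 18:50:03.300000 em0 @0:3 b 198.51.100.8,41023 -> 203.0.113.10,22 PR tcp len 20 60 -S IN
Jul 19 18:50:04 host ipmon[812]: 18:50:04.400000 epair0b @0:1 b 198.51.100.9,5556 -> 10.10.0.2,443 PR tcp len 20 60 -S IN'

# Constructed host interface list (on a live host: HOST_IFACES="$(ifconfig -l)").
HOST_IFACES="em0 lo0"

# count_foreign_ipmon_records LOGTEXT IFACES
# Writes every ipmon record whose interface is not in the space-separated
# host interface list IFACES to stderr and prints the number of such records.
# Field layout of a syslog'd ipmon line: 1-3 date/time, 4 hostname,
# 5 "ipmon[pid]:", 6 ipmon timestamp, 7 interface name.
count_foreign_ipmon_records() {
    printf '%s\n' "$1" | awk -v ifaces="$2" '
        BEGIN { n = split(ifaces, a, " "); for (i = 1; i <= n; i++) host[a[i]] = 1 }
        $5 ~ /^ipmon\[[0-9]+\]:$/ && !($7 in host) { print > "/dev/stderr"; c++ }
        END { print c + 0 }'
}

# foreign_ipmon_ifaces LOGTEXT IFACES
# Prints the distinct non-host interface names seen in ipmon records, sorted,
# so the operator can tell which jail's records ended up in the host log.
foreign_ipmon_ifaces() {
    printf '%s\n' "$1" | awk -v ifaces="$2" '
        BEGIN { n = split(ifaces, a, " "); for (i = 1; i <= n; i++) host[a[i]] = 1 }
        $5 ~ /^ipmon\[[0-9]+\]:$/ && !($7 in host) { print $7 }' | sort -u
}

# Run against the constructed sample: prints 2 and lists epair0b.
count_foreign_ipmon_records "$SAMPLE_LOG" "$HOST_IFACES"
foreign_ipmon_ifaces "$SAMPLE_LOG" "$HOST_IFACES"
```

A non-zero count from the host's /var/log/security is the symptom the report describes; the same functions run inside the jail against its own log with its own `ifconfig -l` output should always return 0.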

