Date: Sun, 19 Jul 2020 18:56:45 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 248112] ipfilter ipmon intermixing vnet jail log records into host /var/log/security log file in error Message-ID: <bug-248112-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248112

Bug ID: 248112
Summary: ipfilter ipmon intermixing vnet jail log records into host /var/log/security log file in error
Product: Base System
Version: 12.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: joeb1@a1poweruser.com

Host rc.conf has this

ipmon_flags="-DsL security"

This causes the host ipfilter firewall to log ipmon records using the security facility. The /etc/syslog.conf is unmodified, which means the security.* facility is written to the /var/log/security file. This is how it's intended to work.

When this same ipmon_flags="-DsL security" statement is added to the vnet jail's rc.conf along with the normal ipfilter statements, the desired host behavior is NOT occurring in the vnet jail. What is happening is the vnet jail's ipfilter log records are being inserted into the host's /var/log/security file. This is an error. Beyond that, this is a security violation of the security intent of vnet jails as a whole.

The vnet jail's ipmon needs to be fixed to enforce the option flags in the vnet jail's rc.conf ipmon_flags="-DsL security" statement so the ipmon log records are written to the /var/log/security file within the running vnet jail.

FYI: This also occurs with ipfw. But ipfw has an undocumented statement firewall_logif="YES" which, when used in the vnet jail's rc.conf, will cause the ipfw log records to be written to the vnet jail's /var/log/security file. You may want to look at it for ideas on how to fix ipfilter ipmon.

-- 
You are receiving this mail because:
You are the assignee for the bug.