Date: Wed, 03 Feb 2021 14:13:23 +0100
From: "Kristof Provost" <kp@FreeBSD.org>
To: "R. Tyler Croy" <rtyler@brokenco.de>
Cc: freebsd-pf@freebsd.org
Subject: Re: pflog0 showing up in my vnet jails
Message-ID: <1EA150C1-183C-472E-9E8C-3DFC931BD8B6@FreeBSD.org>
In-Reply-To: <20210203061148.4fcg6ml6yj7k6aqi@grape>
References: <20210203061148.4fcg6ml6yj7k6aqi@grape>

On 3 Feb 2021, at 7:11, R. Tyler Croy wrote:
> I noticed this evening that pflog0 is propagated into my vnet-based jails
> (12.2-RELEASE) and I'm somewhat surprised to see it there.
>
> My host's /etc/rc.conf simply has `pflog_enable="YES"`, so nothing too
> esoteric. My /etc/jail.conf doesn't do anything with pflog0 for the jails, so
> the fact that it shows up _feels_ like a bug, from within a jail:
>
> # ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
>         inet 127.0.0.1 netmask 0xff000000
>         groups: lo
>         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> pflog0: flags=0<> metric 0 mtu 33160
>         groups: pflog
> epair2b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<VLAN_MTU>
>         ether 02:c4:52:c8:47:0b
>         inet 10.0.1.4 netmask 0xffffff00 broadcast 10.0.1.255
>         groups: epair
>         media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
>         status: active
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
> #
>
> Fortunately, when I tcpdump that device from within the jail, it has none of
> the host pflog0's entries being reported.
>
>
> Regardless, should I file this as a bug?
>

I wouldn’t consider this to be a bug, no. Or if it is one, one that
won’t be fixed anyway.

As soon as the pflog module is loaded pf creates a pflog0 interface.
That interface is per-vnet, so it’s perfectly safe to have.

Arguably pf shouldn’t create a log interface automatically, but that
ship has sailed. If we change it we’re going to break expectations for
at least some users, so we’re not going to change that.

Regards,
Kristof