Date:      Wed, 01 May 2013 17:43:03 -0400
From:      Joe <fbsd8@a1poweruser.com>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-jail <freebsd-jail@freebsd.org>
Subject:   Re: vnet jail with ipfw having logging problem
Message-ID:  <51818C67.7070708@a1poweruser.com>
In-Reply-To: <20130502021830.O30818@sola.nimnet.asn.au>
References:  <44AC45947DA14449AEDFB13B9F6C5F7DAF3E1FA5@ltcfiswmsgmb25> <517A7BCB.8060604@a1poweruser.com> <13CA24D6AB415D428143D44749F57D7201F22068@ltcfiswmsgmb21> <517D3426.1090703@a1poweruser.com> <51805EFB.6050806@a1poweruser.com> <20130502021830.O30818@sola.nimnet.asn.au>


>  > I have ipfw running inside of a vnet jail on a 9.1-RELEASE host using the
>  > jail(8) definition statements for starting and stopping the vnet jail. As a
>  > side note non-vnet jails are working as expected.
>  > 
>  > The host is running a custom kernel with modules and with
>  > options VIMAGE
>  > nooptions SCTP
>  > options IPFIREWALL
>  > options IPFIREWALL_VERBOSE
>  > options IPFIREWALL_VERBOSE_LIMIT=10
> 
> What steps have you taken during testing to override this ridiculously 
> low limit on logging?  Otherwise, after e.g. just 5 pings and 5 ping 
> responses are logged, all logging ceases until issuing 'ipfw resetlog'.

/usr/src/sys/conf/NOTES says IPFIREWALL_VERBOSE_LIMIT limits the number 
of times a matching entry can be logged. It says nothing about this limit 
being the maximum number of log records allowed after which the log file 
is closed for business. Are you saying the /usr/src/sys/conf/NOTES info 
is no longer true?

Without IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT, where do the 
logged packets get written to? /var/log/security?

I have not used ipfw since its ipfw2 rewrite, so my knowledge is dated.

> 
>  > options IPFIREWALL_DEFAULT_TO_ACCEPT
>  > options IPFIREWALL_IPDIVERT
> 
> You'd likely do better using in-kernel NAT; natd doesn't get much love.
> 

I kept getting kernel compile errors using "options IPFIREWALL_NAT". I 
thought the error was caused by vimage. Now I know "options LIBALIAS" is 
required. Could not find info on internet search for IPFIREWALL_NAT with 
vimage kernel.

Do you have first hand experience getting "ipfw kernel nat" to work in a 
vimage jail or having logging work on the host and within the vnet jail?
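The silent stop Ian describes (logging ceases once a rule's log count reaches the verbose limit, until `ipfw resetlog`) is easy to miss on a host with several vnet jails, each of which carries its own net.inet.ip.fw sysctls. The following is an added example, not code from this thread: a POSIX sh audit that reads `sysctl net.inet.ip.fw` style "name: value" lines and reports whether logging is off, capped, or unlimited; the `audit_all` wrapper and the jail names it gets from `jls` are assumptions about a typical FreeBSD setup.

```shell
# Added example (not from the mailing-list thread).
# Reads "name: value" lines as printed by `sysctl net.inet.ip.fw` on stdin.
# Exit status: 0 = logging on and unlimited, 1 = logging disabled or capped.
audit_ipfw_logging() {
    verbose="" limit=""
    while IFS= read -r line; do
        case "$line" in
            net.inet.ip.fw.verbose:*)       verbose=${line##*: } ;;
            net.inet.ip.fw.verbose_limit:*) limit=${line##*: } ;;
        esac
    done
    if [ "${verbose:-0}" -eq 0 ]; then
        echo "ipfw logging disabled (net.inet.ip.fw.verbose=0)"
        return 1
    fi
    if [ "${limit:-0}" -ne 0 ]; then
        # Each rule stops logging after $limit matches until 'ipfw resetlog'.
        echo "logging capped at $limit records per rule; run 'ipfw resetlog' or set net.inet.ip.fw.verbose_limit=0"
        return 1
    fi
    echo "ipfw logging on and unlimited"
    return 0
}

# Live use on a FreeBSD host (assumed layout): audit the host stack, then
# every running jail. A vnet jail has its own ipfw instance and sysctls,
# so the check must run inside the jail via jexec(8).
audit_all() {
    echo "== host"
    sysctl net.inet.ip.fw.verbose net.inet.ip.fw.verbose_limit | audit_ipfw_logging
    for j in $(jls name); do
        echo "== jail $j"
        jexec "$j" sysctl net.inet.ip.fw.verbose net.inet.ip.fw.verbose_limit | audit_ipfw_logging
    done
}
```

Run `audit_all` from cron or a monitoring check so a capped or disabled firewall log is flagged instead of going unnoticed.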
