Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 22 May 2013 17:10:01 GMT
From:      Joe <>
Subject:   Re: kern/178482: [ipfw] logging problem from vnet jail
Message-ID:  <>

Next in thread | Raw E-Mail | Index | Archive | Help
The following reply was made to PR kern/178482; it has been noted by GNATS.

From: Joe <>
To: Ian Smith <>
Subject: Re: kern/178482: [ipfw] logging problem from vnet jail
Date: Wed, 22 May 2013 13:04:29 -0400

 Ian Smith wrote:
 >  > 9.1-RELEASE kernel with modules and vimage plus ipfw compiled in.
 >  > vnet jails running ipfw are logging to the host security file and
 >  > don't log any ipfw log messages to the hosts message file. Secondly
 >  > the vnet jails security and messages files never get populated with
 >  > ipfw log messages.
 > Logging to the host's syslog rather than the jail's appears to be the
 > main/real issue here, confirmed and demonstrated by Anders Hagman, see
 You have the incorrect conclusion. Let me reword what was stated in the 
 original pr to give a clearer picture of the pr. IPFW log messages 
 coming from a IPFW process running inside of a jail(8) vnet jail are 
 being written to the hosts /etc/log/security file and not to the vnet 
 jail's /etc/log/security file. If the host is also running ipfw, it's 
 logging messages are intermingled with those coming from the vnet jail 
 ipfw process. And yes Anders Hagman did confirm this per the link you 
 >  > logger command works. logged msg in both security and messages on
 >  > host
 >  > vnet jail can ping the public internet.
 >  > Hosts security file has log messages from both jail and host.
 >  > ipfw log messages are not being put into the hosts messages file.
 > Apart from certain admin messages such as ipfw initialization, 'limit N 
 > reached on rule X' and 'Entry X logging count reset.' ipfw log messages 
 > are never written to /var/log/messages but only to /var/log/security. 
 > Since you set verbose_limit=0, you shouldn't expect to see anything from 
 > ipfw in /var/log/messages, on either host or jail.
 I don't know how you can to that conclusion. verbose_limit is not 
 mentioned in this pr. You are incorrect. verbose_limit is not set for 
 this pr test.
 >  > # /root >/var/log/security
 >  > empty file
 >  >
 >  > # /root >cat /var/log/messages
 >  > empty file
 > Strange that there were not even normal bootup messages on the host?
 Thats because I deleted all content before running this test to make the 
 output simple. What purpose would showing boot messages serve?
 > The rest serves to demonstrate the vnet jail logging-to-host issue.
 > Ian

Want to link to this message? Use this URL: <>