Date:      Fri, 10 May 2013 13:04:13 GMT
From:      Joe Barbish <fbsd8@a1poweruser.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/178480: dynamically loaded ipfw with a vimage kernel don't work.
Message-ID:  <201305101304.r4AD4D0M067772@oldred.FreeBSD.org>
Resent-Message-ID: <201305101310.r4ADA0Q1026043@freefall.freebsd.org>


>Number:         178480
>Category:       kern
>Synopsis:       dynamically loaded ipfw with a vimage kernel don't work.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 10 13:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Joe Barbish
>Release:        9.1-RELEASE
>Organization:
None
>Environment:
>Description:
9.1-RELEASE, ipfw dynamically loaded by the firewall statements in the host's rc.conf
(modules), with only vimage compiled into the kernel.

The logger cmd on the host did not work until after a vnet jail was started and stopped.

vnet jail pings passed through the vnet jail's ipfw but were not passed to the host ipfw.

vnet jail pings got logged to the host's security file but not to messages, and the vnet
jail's security and messages files are not populated.

After the vnet jail stopped, the host logger cmd works and host pings work and are
logged correctly to security and messages.

Host console log showing processing sequence

# /root >sysctl net.inet.ip.fw.verbose
net.inet.ip.fw.verbose: 1

# /root >sysctl net.inet.ip.fw.verbose_limit
net.inet.ip.fw.verbose_limit: 0

# /root >cat /etc/rc.conf
#
snip

firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/ipfw.rules"
# /root >logger security.notice this msg is from logger cmd on host

# /root >cat /var/log/security
empty file

# /root >cat /var/log/messages
empty file

# /root >ping -c 4 freebsd.org
PING freebsd.org (8.8.178.135): 56 data bytes
64 bytes from 8.8.178.135: icmp_seq=0 ttl=51 time=102.814 ms
64 bytes from 8.8.178.135: icmp_seq=1 ttl=51 time=84.625 ms
64 bytes from 8.8.178.135: icmp_seq=2 ttl=51 time=101.332 ms
64 bytes from 8.8.178.135: icmp_seq=3 ttl=51 time=120.662 ms

--- freebsd.org ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 84.625/102.358/120.662/12.755 ms

# /root >cat /var/log/messages
empty file

# /root >cat /var/log/security
May  2 19:05:50 fbsdjones kernel: ipfw: 11 Accept UDP 10.0.10.5:42524 209.18.47.61:53 out via rl0
May  2 19:05:50 fbsdjones kernel: ipfw: 11 Accept UDP 209.18.47.61:53 10.0.10.5:42524 in via rl0
May  2 19:05:50 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May  2 19:05:50 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May  2 19:05:51 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May  2 19:05:51 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May  2 19:05:52 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May  2 19:05:52 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May  2 19:05:53 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May  2 19:05:53 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0

vnet jail gets started using jail(8) 
# /root >jls
   JID  IP Address      Hostname                      Path
     2  -               vdir2                         /usr/jails/vdir2

# /root >jexec vdir2 tcsh
vdir2 / >logger -p security.notice logger cmd msg from within the host
vdir2 / >ipfw -a list
00010 0   0 allow ip from any to any via lo0
00011 0   0 allow log ip from any to any via epair2b
65535 5 368 deny ip from any to any

vdir2 / >ping -c 4 freebsd.org
ping: cannot resolve freebsd.org: Host name lookup failure

vdir2 / >ipfw -a list
00010 0   0 allow ip from any to any via lo0
00011 8 480 allow log ip from any to any via epair2b
65535 5 368 deny ip from any to any
vdir2 / >exit
exit

# back on the host, see jail logged to host security file but packets
# were not handed off to host ipfw because no host log messages for those
# packets.
# /root >cat /var/log/security
May  2 19:05:50 fbsdjones kernel: ipfw: 11 Accept UDP 10.0.10.5:42524 209.18.47.61:53 out via rl0
May  2 19:05:50 fbsdjones kernel: ipfw: 11 Accept UDP 209.18.47.61:53 10.0.10.5:42524 in via rl0
May  2 19:05:50 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May  2 19:05:50 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May  2 19:05:51 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May  2 19:05:51 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May  2 19:05:52 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May  2 19:05:52 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May  2 19:05:53 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May  2 19:05:53 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May  2 19:10:50 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:32606 209.18.47.61:53 out via epair2b
May  2 19:10:55 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:29810 209.18.47.62:53 out via epair2b
May  2 19:10:57 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:32606 209.18.47.61:53 out via epair2b
May  2 19:11:00 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:35933 209.18.47.61:53 out via epair2b
May  2 19:11:05 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:56823 209.18.47.62:53 out via epair2b
May  2 19:11:07 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:35933 209.18.47.61:53 out via epair2b
May  2 19:11:07 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:29810 209.18.47.62:53 out via epair2b
May  2 19:11:17 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:56823 209.18.47.62:53 out via epair2b
May  2 19:11:22 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:37981 209.18.47.61:53 out via epair2b
May  2 19:11:27 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:24567 209.18.47.62:53 out via epair2b
May  2 19:11:29 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:37981 209.18.47.61:53 out via epair2b
May  2 19:11:39 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:24567 209.18.47.62:53 out via epair2b
May  2 19:11:44 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:54854 209.18.47.61:53 out via epair2b
May  2 19:11:49 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:33964 209.18.47.62:53 out via epair2b
May  2 19:11:51 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:54854 209.18.47.61:53 out via epair2b

# /root >logger -p security.notice host logger msg

# /root >cat /var/log/security
May  2 19:11:39 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:24567 209.18.47.62:53 out via epair2b
May  2 19:11:44 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:54854 209.18.47.61:53 out via epair2b
May  2 19:11:49 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:33964 209.18.47.62:53 out via epair2b
May  2 19:11:51 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:54854 209.18.47.61:53 out via epair2b
May  2 19:12:01 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:33964 209.18.47.62:53 out via epair2b
May  2 19:12:50 fbsdjones root: host logger msg

# /root >cat /var/log/messages
May  2 19:08:10 fbsdjones kernel: bridge0: Ethernet address: 02:8f:94:84:0c:00
May  2 19:08:10 fbsdjones kernel: bridge0: link state changed to UP
May  2 19:08:10 fbsdjones kernel: epair2a: Ethernet address: 02:c0:a4:00:0a:0a
May  2 19:08:10 fbsdjones kernel: epair2b: Ethernet address: 02:c0:a4:00:0b:0b
May  2 19:08:10 fbsdjones kernel: epair2a: link state changed to UP
May  2 19:08:10 fbsdjones kernel: epair2b: link state changed to UP
May  2 19:12:50 fbsdjones root: host logger msg
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
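Added example, not part of the PR or of FreeBSD: a small Python parser for ipfw log lines in the format shown in the report above, with a check for the symptom it describes, namely source addresses whose packets were logged leaving the jail side (assumed interface epair2b) but never show up at the host's outside interface (assumed rl0). The sample lines are constructed in the report's format.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format of /var/log/security in the
# report: "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>".
SAMPLE_LOG = """\
May  2 19:05:50 fbsdjones kernel: ipfw: 11 Accept UDP 10.0.10.5:42524 209.18.47.61:53 out via rl0
May  2 19:05:50 fbsdjones kernel: ipfw: 11 Accept ICMP:8.0 10.0.10.5 8.8.178.135 out via rl0
May  2 19:05:50 fbsdjones kernel: ipfw: 11 Accept ICMP:0.0 8.8.178.135 10.0.10.5 in via rl0
May  2 19:10:50 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:32606 209.18.47.61:53 out via epair2b
May  2 19:10:55 fbsdjones kernel: ipfw: 11 Accept UDP 10.2.0.2:29810 209.18.47.62:53 out via epair2b
May  2 19:12:50 fbsdjones root: host logger msg
"""

# Protocol is "UDP"/"TCP" or "ICMP:<type>.<code>"; TCP/UDP endpoints carry
# ":port", ICMP endpoints do not. IPv4 only is assumed.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+(?::[\d.]+)?) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(text):
    """Return one dict per ipfw log line; other syslog lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.search(l) for l in text.splitlines()) if m]


def strip_port(endpoint):
    """'10.2.0.2:32606' -> '10.2.0.2'; ICMP endpoints have no port."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def count_by_iface(entries):
    """How many logged packets each ipfw instance saw, keyed by interface."""
    return Counter(e["iface"] for e in entries)


def sources_missing_on_host(entries, jail_iface, host_iface):
    """Source addresses logged going out on the jail side of the epair but
    never logged at all on the host's outside interface: traffic the host
    ipfw evidently did not process."""
    via_jail = {strip_port(e["src"]) for e in entries
                if e["iface"] == jail_iface and e["dir"] == "out"}
    via_host = {strip_port(e["src"]) for e in entries if e["iface"] == host_iface}
    return sorted(via_jail - via_host)


if __name__ == "__main__":
    ents = parse_ipfw_log(SAMPLE_LOG)
    print(count_by_iface(ents))
    print("jail sources never seen by host ipfw:",
          sources_missing_on_host(ents, "epair2b", "rl0"))
```

Run it against a real `/var/log/security` by reading the file into `parse_ipfw_log` instead of `SAMPLE_LOG`; an empty result from `sources_missing_on_host` means every jail source also passed the host's ipfw instance.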