From: "Kevin Oberman"
To: Luigi Rizzo
Cc: Marcin, freebsd-stable@freebsd.org, Jeremy Chadwick
Date: Wed, 13 Oct 2010 13:43:24 -0700
Subject: Re: Problem with security log
Message-Id: <20101013204324.43E941CC3E@ptavv.es.net>
In-reply-to: Your message of "Wed, 13 Oct 2010 11:55:19 +0200."

> Date: Wed, 13 Oct 2010 11:55:19 +0200
> From: Luigi Rizzo
> Sender: owner-freebsd-stable@freebsd.org
>
> On Wed, Oct 13, 2010 at 11:23 AM, Jeremy Chadwick wrote:
> > On Wed, Oct 13, 2010 at 11:03:36AM +0200, Marcin wrote:
> >> 2010/10/13 Jeremy Chadwick :
> >> > On Tue, Oct 12, 2010 at 10:50:28PM +0200, Marcin wrote:
> >> >> Hi folks,
> >> >>
> >> >> For some time, illegible entries have appeared in the file /var/log/security:
> >> >> kernel: ipfw: 200 Deny UDiPp f1w9:2 .168.10.5:5230503 D22e4n.y0
> >> >> .U0D.P25 1:15923.5136 o8.u10t. 5va5 3r5e03 224.0.0.251:5353 in via re0
> >> >>
> >> >> How to get rid of it? Please help...
> >> >
> >> > There isn't a 100% reliable way to get rid of this problem. I've been
> >> > harping about this for years (sorry to sound like a jerk, but this
> >> > really is a major problem that keeps coming up and annoys users/admins
> >> > to no end. There are solutions -- Linux solved it by implementing a
> >> > lockless circular ring buffer[1] used by kmsg).
> >> >
> >> > The """workaround""" -- which again, does not solve the problem, only
> >> > decreases the regularity of it happening (and when it does happen, can
> >> > sometimes decrease how much interspersed output there is) -- is to add
> >> > the following line to your kernel config and rebuild/reinstall your
> >> > kernel:
> >> >
> >> > options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
> >> >
> >> > This option became part of the GENERIC kernel configuration file at the
> >> > following times:
> >> >
> >> > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/amd64/conf/GENERIC#rev1.529
> >> > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/i386/conf/GENERIC#rev1.517
> >> >
> >> > Depending on what release/tag you follow, you may or may not find the
> >> > above commit/change in your GENERIC file. I can't be bothered to track
> >> > down what time the CVS tagging was done, for multiple architectures,
> >> > etc...
> >> >
> >> > [1]: http://www.mjmwired.net/kernel/Documentation/trace/ring-buffer-design.txt
> >>
> >> Hi Jeremy,
> >> I have compiled the kernel with this option and unfortunately the problem still exists...
> >> Do you have another idea how I can improve my log file? :)
> >
> > I was incorrect in my understanding/prognosis, so as Andriy pointed out,
> > the option won't solve your problem.
> >
> > It sounds like the only way to solve this issue is to improve/fix the
> > msgbuf code. Alternatively, you could consider moving from ipfw to
> > pf(4) and use pflog(4) / pflogd(8).
>
> or you can use the log option of ipfw and run tcpdump on the "ipfw0"
> pseudo interface, which will give you all the traffic that matches a
> 'log' rule (there is a sysctl variable that controls whether log goes
> to syslog or to the ipfw pseudo interface)

Is there any real documentation on the ipfw0 device and how to use it? I
can see it as being very handy.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
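
Until the interleaving is fixed at the source, anything that consumes /var/log/security can at least detect mangled ipfw entries instead of silently skipping them. The following is an added example, not part of the original thread or of FreeBSD. Its entry pattern is a simplified assumption (IPv4 only, a subset of actions), and all sample lines except the garbled one quoted in the thread are constructed.

```python
import re

# Assumed, simplified shape of the text after "ipfw: " in a log entry:
#   <rule> <action> <proto> <src>[:port] <dst>[:port] <in|out> via <iface>
ENTRY = re.compile(
    r"(?P<rule>\d{1,5}) (?P<action>Accept|Deny|Count|Reset|Unreach \d+) "
    r"(?P<proto>[A-Z]+(?::\d+(?:\.\d+)?)?) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d{1,5}))? "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d{1,5}))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

def parse_entry(line):
    """Return the fields of a well-formed ipfw entry as a dict, else None."""
    _, tag, rest = line.partition("ipfw: ")
    m = ENTRY.fullmatch(rest.strip()) if tag else None
    if m is None:
        return None
    f = m.groupdict()
    # The regex only checks digit counts; range-check octets and ports too.
    octets = (f["src"] + "." + f["dst"]).split(".")
    ports = [p for p in (f["sport"], f["dport"]) if p]
    if any(int(o) > 255 for o in octets) or any(int(p) > 65535 for p in ports):
        return None
    return f

def triage(lines):
    """Split ipfw log lines into (parsed entries, garbled raw lines)."""
    parsed, garbled = [], []
    for line in lines:
        if "ipfw:" not in line:
            continue  # not an ipfw entry (or the tag itself was mangled)
        entry = parse_entry(line)
        if entry is None:
            garbled.append(line)  # keep the raw line for review
        else:
            parsed.append(entry)
    return parsed, garbled

SAMPLE = [
    # Constructed well-formed UDP entry.
    "Oct 13 10:00:01 gw kernel: ipfw: 200 Deny UDP 192.168.10.5:5353 "
    "224.0.0.251:5353 in via re0",
    # Garbled entry as quoted in the thread.
    "kernel: ipfw: 200 Deny UDiPp f1w9:2 .168.10.5:5230503 D22e4n.y0 "
    ".U0D.P25 1:15923.5136 o8.u10t. 5va5 3r5e03 224.0.0.251:5353 in via re0",
    # Constructed well-formed ICMP entry (no ports).
    "Oct 13 10:00:02 gw kernel: ipfw: 300 Deny ICMP:8.0 10.0.0.7 "
    "192.168.10.1 in via re0",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE)
    print(f"{len(ok)} parsed, {len(bad)} garbled")
```

Counting the garbled lines over time also shows how many deny events a pattern-based monitor would otherwise miss.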