Date:      Mon, 11 Feb 2019 23:24:17 -0800
From:      "Rudy (bulk address)" <crapsh@monkeybrains.net>
To:        freebsd-ipfw@freebsd.org
Subject:   Patch to have ipfw0 work properly in jails
Message-ID:  <ebd26c5a84b465183de8f8066f884136.squirrel@mail.monkeybrains.net>
In-Reply-To: <mailman.47.1549886401.19526.freebsd-current@freebsd.org>
References:  <mailman.47.1549886401.19526.freebsd-current@freebsd.org>


Never submitted a patch... is this good enough?

Problem: ipfw logs in a way that is confusing in jails (it logs to the
host syslogd)
Solution: use ipfw0 and make sure to fix up syslog and launch tcpdump if
firewall_logif is set in rc.conf

Thanks,
Rudy


--- /etc/rc.d/ipfw.orig 2019-02-11 23:19:09.074313000 -0800
+++ /etc/rc.d/ipfw      2019-02-11 23:17:37.675032000 -0800
@@ -65,8 +65,23 @@
                ${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
        fi
        if checkyesno firewall_logif; then
-               ifconfig ipfw0 create
-               echo 'Firewall logging pseudo-interface (ipfw0) created.'
+    if ! ifconfig ipfw0 > /dev/null 2> /dev/null; then
+      ifconfig ipfw0 create
+                 echo 'Firewall logging pseudo-interface (ipfw0) created.'
+      # have tcpdump listen to ipfw and send info to logger
+      /usr/sbin/tcpdump -lnti ipfw0 2> /dev/null | /usr/bin/logger -t www
-p security.info &
+      echo "ipfw0 redirecting to syslog"
+    elif ! killall -0 tcpdump 2> /dev/null; then
+      # no tcpdump running... launch it!
+      /usr/sbin/tcpdump -lnti ipfw0 2> /dev/null | /usr/bin/logger -t www
-p security.info &
+      echo "ipfw0 redirecting to syslog"
+    fi
+    fwverbose=`sysctl -n net.inet.ip.fw.verbose`
+    if [ $fwverbose == 1 ]; then
+      # turn down for what ... I mean, turn off verbose so ipfw0 is used.
+      sysctl net.inet.ip.fw.verbose=0 > /dev/null
+      echo "verbose logging off and redirecting to ipfw0"
+    fi
        fi
 }
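
Review bot: the `elif ! killall -0 tcpdump` test matches any tcpdump process, not the one reading ipfw0, so an unrelated capture already running will stop the logger pipeline from being started; record the pid of the pipeline this script launches and test that instead. The `tcpdump ... | logger` command is duplicated in both branches and hardcodes the tag `-t www`, which looks site-specific; put it in one helper and use a neutral tag or an rc.conf variable. The last block sets net.inet.ip.fw.verbose=0 right after the context lines above set it to 1, so that setting is silently undone whenever firewall_logif is enabled, and this should be documented or made opt-in. It also calls bare `sysctl` where the surrounding script uses `${SYSCTL}`, and `[ $fwverbose == 1 ]` should be `[ "$fwverbose" = 1 ]`, since `==` is not POSIX test syntax and the unquoted variable breaks the test if it is empty. As posted, the two tcpdump lines have been wrapped by the mailer (`-p security.info &` sits on its own line) and the new lines are indented differently from the context, so the patch will not apply cleanly; resend it as an attachment or unwrapped.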



