Re: pflog0 showing up in my vnet jails

2021-02-03 Thread Kristof Provost

On 3 Feb 2021, at 7:11, R. Tyler Croy wrote:
> I noticed this evening that pflog0 is propagated into my vnet-based jails
> (12.2-RELEASE) and I'm somewhat surprised to see it there.
>
> My host's /etc/rc.conf simply has `pflog_enable="YES"`, so nothing too
> esoteric. My /etc/jail.conf doesn't do anything with pflog0 for the jails, so
> the fact that it shows up _feels_ like a bug, from within a jail:
>
> # ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> 	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
> 	inet6 ::1 prefixlen 128
> 	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
> 	inet 127.0.0.1 netmask 0xff000000
> 	groups: lo
> 	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> pflog0: flags=0<> metric 0 mtu 33160
> 	groups: pflog
> epair2b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> 	options=8<VLAN_MTU>
> 	ether 02:c4:52:c8:47:0b
> 	inet 10.0.1.4 netmask 0xffffff00 broadcast 10.0.1.255
> 	groups: epair
> 	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
> 	status: active
> 	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
> #
>
> Fortunately, when I tcpdump that device from within the jail, it has none of
> the host pflog0's entries being reported.
>
> Regardless, should I file this as a bug?

I wouldn’t consider this to be a bug, no. Or if it is one, one that won’t be fixed anyway.

As soon as the pflog module is loaded pf creates a pflog0 interface. That interface is per-vnet, so it’s perfectly safe to have.

Arguably pf shouldn’t create a log interface automatically, but that ship has sailed. If we change it we’re going to break expectations for at least some users, so we’re not going to change that.


Regards,
Kristof
___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"


pflog0 showing up in my vnet jails

2021-02-02 Thread R. Tyler Croy
I noticed this evening that pflog0 is propagated into my vnet-based jails
(12.2-RELEASE) and I'm somewhat surprised to see it there.

My host's /etc/rc.conf simply has `pflog_enable="YES"`, so nothing too
esoteric. My /etc/jail.conf doesn't do anything with pflog0 for the jails, so
the fact that it shows up _feels_ like a bug, from within a jail:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
	groups: pflog
epair2b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:c4:52:c8:47:0b
	inet 10.0.1.4 netmask 0xffffff00 broadcast 10.0.1.255
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
#

Fortunately, when I tcpdump that device from within the jail, it has none of
the host pflog0's entries being reported.


Regardless, should I file this as a bug?

Cheers
--
GitHub:  https://github.com/rtyler

GPG Key ID: 0F2298A980EE31ACCA0A7825E5C92681BEF6CEA2

