[lxc-users] LXC and netfilter log
aeris
2017-08-04 19:02:44 UTC
Hi here!

I have trouble with LXC and netfilter logging.

Configuring traffic logging works like a charm on a bare-metal machine and finishes in
/var/log/syslog as expected, but logs nothing inside an LXC container, both
with iptables and nftables.

iptables rules (iptables-restore format)
*filter
:INPUT DROP [0:0]
-A INPUT -j LOG --log-prefix INPUT
# COMMIT is required for iptables-restore to apply the table
COMMIT

nftables rules
table inet filter {
    chain input {
        type filter hook input priority 0
        policy drop
        log prefix "input " counter
    }
}

On host:
# sysctl net.netfilter.nf_log | grep -v NONE
net.netfilter.nf_log.10 = nf_log_ipv6
net.netfilter.nf_log.2 = nf_log_ipv4
On guest:
# sysctl net.netfilter.nf_log | grep -v NONE
net.netfilter.nf_log.10 = nf_log_ipv6
net.netfilter.nf_log.2 = nf_log_ipv4
net.netfilter.nf_log.7 = nfnetlink_log

I tried to install ulogd2 in my container too, with no more luck.

Was somebody here able to do traffic logging inside a container?

Regards,
--
Aeris
Individual crypto-terrorist group self-radicalized on the digital Internet
https://imirhil.fr/

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/
Michal Kubecek
2017-08-05 00:00:38 UTC
Post by aeris
Hi here!
I have trouble with LXC and netfilter logging.
Configuring traffic logging works like a charm on a bare-metal machine and finishes in
/var/log/syslog as expected, but logs nothing inside an LXC container, both
with iptables and nftables.
Logging from network namespaces other than init has been disabled since
kernel 3.10 in order to prevent host kernel log flooding from inside
a container.

If you have kernel >= 4.11 or one with commit 2851940ffee3 ("netfilter:
allow logging from non-init namespaces") backported, you can enable
netfilter logging from other network namespaces by

echo 1 >/proc/sys/net/netfilter/nf_log_all_netns

(the command must be issued from init_net).
Post by aeris
I tried to install ulogd2 in my container too, with no more luck.
Logging via NFLOG target and ulogd2 should work even without the sysctl
mentioned above, IIRC.

Michal Kubecek
aeris
2017-08-09 08:18:15 UTC
Post by Michal Kubecek
Logging from network namespaces other than init has been disabled since
kernel 3.10 in order to prevent host kernel log flooding from inside
a container.
If you have kernel >= 4.11 or one with commit 2851940ffee3 ("netfilter:
allow logging from non-init namespaces") backported, you can enable
netfilter logging from other network namespaces by
echo 1 >/proc/sys/net/netfilter/nf_log_all_netns
(the command must be issued from init_net).
Post by aeris
I tried to install ulogd2 in my container too, with no more luck.
Logging via NFLOG target and ulogd2 should work even without the sysctl
mentioned above, IIRC.
Hi,

Thanks for the reply.

I tried with a 4.11 kernel, and logs are OK.
I will retry with nflog+ulogd2 too; I surely missed a point during my setup test.

Regards,
--
Aeris
Individual crypto-terrorist group self-radicalized on the digital Internet
https://imirhil.fr/

Protect your privacy, encrypt your communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/
n***@gmail.com
2017-08-22 05:54:13 UTC
A little late to the party, but I wanted to confirm that ulogd does indeed work
in unprivileged containers. I have had it installed and working in several
containers since around Feb this year:

lxc exec www /bin/bash
apt-get update
apt-get install ulogd2

In /etc/iptables.up.rules (or wherever you store your netfilter rules):

......
# Log dropped
-A INPUT -m limit --limit 5/second -j NFLOG --nflog-prefix "DROPPED "
# DROP
-A INPUT -j DROP
COMMIT
......

Logs are stored in /var/log/ulog/syslogemu.log

No other configuration was required on my part.

-net
Post by Michal Kubecek
Post by aeris
Hi here!
I have trouble with LXC and netfilter logging.
Configuring traffic logging works like a charm on a bare-metal machine and finishes in
/var/log/syslog as expected, but logs nothing inside an LXC container, both
with iptables and nftables.
Logging from network namespaces other than init has been disabled since
kernel 3.10 in order to prevent host kernel log flooding from inside
a container.
If you have kernel >= 4.11 or one with commit 2851940ffee3 ("netfilter:
allow logging from non-init namespaces") backported, you can enable
netfilter logging from other network namespaces by
echo 1 >/proc/sys/net/netfilter/nf_log_all_netns
(the command must be issued from init_net).
Post by aeris
I tried to install ulogd2 in my container too, with no more luck.
Logging via NFLOG target and ulogd2 should work even without the sysctl
mentioned above, IIRC.
Michal Kubecek
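An added host-side check script (not from any poster in this thread) that applies Michal's answer and the ulogd2 follow-up: it reads the kernel release and the nf_log_all_netns sysctl file and says whether LOG rules inside a container's network namespace will reach the host kernel log, or whether you must enable the sysctl from init_net, or fall back to NFLOG + ulogd2. The function names and the verdict strings are my own; the sysctl path and the 4.11 / commit 2851940ffee3 threshold come from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread. Run on the HOST (init_net), because the
# sysctl below is only meaningful and writable there.

# kernel_at_least MAJOR MINOR RELEASE -> success if RELEASE (e.g. 4.9.0-8-amd64) >= MAJOR.MINOR
kernel_at_least() {
    maj=${3%%.*}
    rest=${3#*.}
    min=${rest%%[!0-9]*}
    [ "$maj" -gt "$1" ] || { [ "$maj" -eq "$1" ] && [ "$min" -ge "$2" ]; }
}

# nf_log_all_netns_state FILE -> enabled | disabled | absent
# FILE is normally /proc/sys/net/netfilter/nf_log_all_netns; a missing file means the
# kernel has neither 4.11+ nor the backported commit 2851940ffee3.
nf_log_all_netns_state() {
    [ -r "$1" ] || { echo absent; return; }
    case "$(cat "$1")" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# container_log_verdict RELEASE FILE -> ok | enable-sysctl | kernel-too-old | no-sysctl
container_log_verdict() {
    case "$(nf_log_all_netns_state "$2")" in
        enabled)  echo ok ;;             # LOG from container netns reaches host kernel log
        disabled) echo enable-sysctl ;;  # on the host: echo 1 > /proc/sys/net/netfilter/nf_log_all_netns
        absent)
            if kernel_at_least 4 11 "$1"; then
                echo no-sysctl       # 4.11+ but file missing: nf_log not loaded; check lsmod/dmesg
            else
                echo kernel-too-old  # LOG silently dropped since 3.10; use NFLOG + ulogd2 in the container
            fi ;;
    esac
}

# Live check for the machine this runs on.
container_log_verdict "$(uname -r)" /proc/sys/net/netfilter/nf_log_all_netns
```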
_______________________________________________
lxc-users mailing list
http://lists.linuxcontainers.org/listinfo/lxc-users