[lxc-users] LXC and netfilter log

netritious at gmail.com
Tue Aug 22 05:54:13 UTC 2017


A little late to the party, but I wanted to confirm that ulogd does indeed work
in unprivileged containers. I have had it installed and working in several
containers since around Feb this year:

lxc exec www /bin/bash
apt-get update
apt-get install ulogd2

In /etc/iptables.up.rules (or wherever you store your netfilter rules):

 ......
# Log dropped
-A INPUT -m limit --limit 5/second -j NFLOG --nflog-prefix "DROPPED "
# DROP
-A INPUT -j DROP
COMMIT
......

Logs are stored in /var/log/ulog/syslogemu.log

No other configuration was required on my part.

-net


On 8/4/2017 7:00 PM, Michal Kubecek wrote:
> On Fri, Aug 04, 2017 at 09:02:44PM +0200, aeris wrote:
>> Hi here !
>>
>> I have trouble with LXC and netfilter logging.
>>
>> Configuring traffic logging works like a charm on a bare-metal machine and ends up in
>> /var/log/syslog as expected, but logs nothing inside an LXC container, with both
>> iptables and nftables
> Logging from network namespaces other than init has been disabled since
> kernel 3.10 in order to prevent host kernel log flooding from inside
> a container.
>
> If you have kernel >= 4.11 or one with commit 2851940ffee3 ("netfilter:
> allow logging from non-init namespaces") backported, you can enable
> netfilter logging from other network namespaces by
>
>   echo 1 >/proc/sys/net/netfilter/nf_log_all_netns
>
> (the command must be issued from init_net).
>
>> I try to install ulogd2 on my container too, no more luck.
> Logging via NFLOG target and ulogd2 should work even without the sysctl
> mentioned above, IIRC.
>
>                                                          Michal Kubecek
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
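The two halves of the thread (Michal's host-side sysctl, netritious's container-side NFLOG plus ulogd2 setup) as one added shell example. This is not code from either poster or from the LXC or ulogd projects. It assumes the sysctl lives under /proc/sys, that the rules file is fed to iptables-restore, that the rules other than the NFLOG/DROP pair (loopback, conntrack, ssh) stand in for whatever the "......" in the posted file elides, and that syslogemu.log lines are laid out like kernel LOG output; the sample log lines are constructed for that layout.

```shell
#!/bin/sh
# Added example, not code from either poster. Host-side check for the
# nf_log_all_netns sysctl Michal mentions, a rules file in the shape of the
# one netritious posted, and a reader for ulogd2's syslogemu.log.
# Assumptions (not stated in the thread): sysctl path under /proc/sys, an
# iptables-restore style rules file, LOGEMU lines laid out like the kernel
# LOG target output. Rule lines other than the NFLOG/DROP pair are
# placeholders for whatever the "......" in the thread elides.

NF_LOG_ALL_NETNS=${NF_LOG_ALL_NETNS:-/proc/sys/net/netfilter/nf_log_all_netns}

# kver_ge MAJOR.MINOR [uname-r-output]
# Succeeds when the running (or given) kernel is at least MAJOR.MINOR.
# Only major.minor are compared: "4.11.0-rc1" counts as 4.11.
kver_ge() {
    want_major=${1%%.*}
    want_minor=${1#*.}; want_minor=${want_minor%%.*}
    have=${2:-$(uname -r)}
    have_major=${have%%.*}
    rest=${have#*.}
    have_minor=${rest%%[!0-9]*}
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# host_enable_netns_logging
# Run on the HOST (init_net), not in the container: lets LOG / nft "log"
# rules in other network namespaces reach the host kernel log. Not needed
# for NFLOG + ulogd2. It re-opens the log-flooding concern the kernel closed
# in 3.10, so pair it with "-m limit" on the container's logging rules.
host_enable_netns_logging() {
    if [ ! -f "$NF_LOG_ALL_NETNS" ]; then
        echo "no $NF_LOG_ALL_NETNS: need kernel >= 4.11 or the 2851940ffee3 backport" >&2
        return 1
    fi
    echo 1 > "$NF_LOG_ALL_NETNS"
}

# container_rules [packets-per-second] [prefix]
# Prints an iptables-restore ruleset with the rate-limited NFLOG rule right
# before the final DROP, as in the posted /etc/iptables.up.rules.
container_rules() {
    rate=${1:-5}
    prefix=${2:-"DROPPED "}
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
# Log dropped (limited so a flood cannot fill /var/log/ulog)
-A INPUT -m limit --limit ${rate}/second -j NFLOG --nflog-prefix "${prefix}"
# DROP
-A INPUT -j DROP
COMMIT
EOF
}

# count_dropped LOGFILE [prefix]
# Tallies syslogemu lines carrying the prefix by SRC= address, busiest first.
count_dropped() {
    grep -F "${2:-DROPPED }" "$1" \
        | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# sample_log: constructed syslogemu.log lines for trying count_dropped offline.
sample_log() {
    cat <<'EOF'
Aug 22 05:54:13 www DROPPED  IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:aa:bb:cc:08:00 SRC=10.0.3.1 DST=10.0.3.20 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 SYN URGP=0
Aug 22 05:54:14 www DROPPED  IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:aa:bb:cc:08:00 SRC=10.0.3.7 DST=10.0.3.20 LEN=40 TOS=00 PREC=0x00 TTL=64 ID=22 PROTO=UDP SPT=40000 DPT=161 LEN=20
Aug 22 05:54:15 www DROPPED  IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:16:3e:aa:bb:cc:08:00 SRC=10.0.3.1 DST=10.0.3.20 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51235 DPT=3306 WINDOW=29200 SYN URGP=0
Aug 22 05:54:16 www kernel: eth0: link is up
EOF
}

case "${1:-}" in
    host)  host_enable_netns_logging ;;
    rules) container_rules "${2:-5}" "${3:-DROPPED }" ;;
    count) count_dropped "${2:-/var/log/ulog/syslogemu.log}" ;;
esac
```

Usage: "sh netfilter-log.sh host" on the host only if plain LOG or nft log rules inside containers should reach the host kernel log; the NFLOG path does not need it, and flipping it lets every container write to the host's log, which is what the 3.10 change was there to stop, so keep -m limit on the logging rules either way. Inside the container, "sh netfilter-log.sh rules > /etc/iptables.up.rules" followed by "iptables-restore < /etc/iptables.up.rules", then "sh netfilter-log.sh count" to see which sources are hitting the DROP rule in /var/log/ulog/syslogemu.log.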
