* iptables in container, wrong log destination, need pointer
@ 2010-02-11 14:32 Jean-Marc Pigeon
From: Jean-Marc Pigeon @ 2010-02-11 14:32 UTC (permalink / raw)
To: Linux Containers
Hello,
I have containerized syslog, such that each container has its
own syslog.
Containers can have their own set of iptables rules.
I was expecting CONT: iptables log reports to be
sent to the CONT: syslog, which is not the case;
they are rather sent to HOST: syslog.
This means to me, iptables rules are containerized,
but the execution is NOT (CONT: rules are checked
within the HOST: context, not the CONT: context).
Could somebody give me a hint where I should look
in the code, to have a better understanding about
what is happening?
--
A bientôt
==========================================================================
Jean-Marc Pigeon Internet: jmp@safe.ca
SAFE Inc. Phone: (514) 493-4280
Fax: (514) 493-1946
Clement, 'a kiss solution' to get rid of SPAM (at last)
Clement' Home base <"http://www.clement.safe.ca">
==========================================================================
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
* Re: iptables in container, wrong log destination, need pointer
@ 2010-02-11 17:51 Serge E. Hallyn
From: Serge E. Hallyn @ 2010-02-11 17:51 UTC (permalink / raw)
To: Jean-Marc Pigeon; +Cc: Linux Containers
Quoting Jean-Marc Pigeon (jmp-4qkeo2rQ0gg@public.gmane.org):
> Hello,
>
> I have containerized syslog, such that each container has its
> own syslog.
>
> Containers can have their own set of iptables rules.
>
> I was expecting CONT: iptables log reports to be
> sent to the CONT: syslog, which is not the case;
> they are rather sent to HOST: syslog.
>
> This means to me, iptables rules are containerized,
> but the execution is NOT (CONT: rules are checked
> within the HOST: context, not the CONT: context).
>
> Could somebody give me a hint where I should look
> in the code, to have a better understanding about
> what is happening?

Again, printk can be called from any context, so you can't rely
on 'current'. But you are relying on current in emit_log_char()
to get the syslog_ns. That is why you're getting that.

You're going to have to keep a separate container_printk (nsprintk)
which is called with a syslog_ns. Then in functions where you know
you can determine the syslog_ns, you can call that fn instead of
printk and pass the ns.

Note that since iptables printks are happening out of context, this
means yet another problem: you'll need to have a way to get the
syslog_ns from the netns, which I suspect is the only thing you can
track at that point.

-serge
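The following is an added, user-space C model of the two designs Serge contrasts above; it is not kernel code and not Jean-Marc's patch. It assumes hypothetical stand-ins for kernel objects: a `struct task` with a `syslog_ns` pointer and a global `current_task` playing the role of `current`, a `struct net` carrying the `syslog_ns` pointer Serge says the netns would need, and `nsprintk()` as the explicit-namespace printk he proposes. The point it demonstrates is the failure mode: a netfilter LOG hook runs in softirq context, so `current` is whatever task happened to be on the CPU (here, a host process), and a printk that derives the namespace from `current` delivers the container's packet log to the host's syslog. Passing the namespace taken from the packet's netns fixes that.

```c
/* Added example: user-space model of printk-via-current vs. nsprintk(ns, ...).
 * All structures below are hypothetical stand-ins, not the real kernel types. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SZ 1024

/* Model of a per-container syslog namespace: a private log buffer. */
struct syslog_ns {
    const char *name;
    char buf[LOG_BUF_SZ];
    size_t len;
};

/* Model of a network namespace. The syslog_ns pointer is the piece Serge
 * says is needed, since at netfilter time the netns is all you can track. */
struct net {
    const char *name;
    struct syslog_ns *syslog_ns;
};

/* Model of a task; `current_task` stands in for the kernel's `current`. */
struct task {
    const char *comm;
    struct syslog_ns *syslog_ns;
};

static struct task *current_task;

/* Append a formatted message to one namespace's buffer, clamping on truncation. */
static void ns_vprintk(struct syslog_ns *ns, const char *fmt, va_list ap)
{
    size_t room = sizeof(ns->buf) - ns->len;
    int n = vsnprintf(ns->buf + ns->len, room, fmt, ap);
    if (n < 0)
        return;
    ns->len += ((size_t)n < room) ? (size_t)n : room - 1;
}

/* Existing behaviour being modelled: the namespace is looked up via `current`,
 * which is meaningless when the caller is a softirq handling someone else's packet. */
static void printk_via_current(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    ns_vprintk(current_task->syslog_ns, fmt, ap);
    va_end(ap);
}

/* Proposed behaviour: the caller, which knows the namespace, passes it explicitly. */
static void nsprintk(struct syslog_ns *ns, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    ns_vprintk(ns, fmt, ap);
    va_end(ap);
}

/* Model of a netfilter LOG target. The packet belongs to `net`; the hook
 * runs in softirq context, so `current_task` is unrelated to the packet. */
static void log_target_buggy(struct net *net, const char *pkt)
{
    printk_via_current("[%s] IN=eth0 %s\n", net->name, pkt);
}

static void log_target_fixed(struct net *net, const char *pkt)
{
    nsprintk(net->syslog_ns, "[%s] IN=eth0 %s\n", net->name, pkt);
}

/* Constructed scenario. Returns 1 if the container's log line landed in the
 * container's syslog_ns and nowhere else, 0 if it leaked to the host's. */
int log_lands_in_container(int use_fixed)
{
    struct syslog_ns host_ns = { .name = "host" };
    struct syslog_ns cont_ns = { .name = "cont" };
    struct net cont_net = { .name = "cont-net", .syslog_ns = &cont_ns };
    /* A host process happens to be on the CPU when the softirq fires. */
    struct task host_task = { .comm = "host-syslogd", .syslog_ns = &host_ns };
    const char *pkt = "SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22"; /* constructed */

    current_task = &host_task;
    if (use_fixed)
        log_target_fixed(&cont_net, pkt);
    else
        log_target_buggy(&cont_net, pkt);

    int in_cont = strstr(cont_ns.buf, pkt) != NULL;
    int in_host = strstr(host_ns.buf, pkt) != NULL;
    return in_cont && !in_host;
}

int main(void)
{
    printf("printk via current: lands in container? %d\n", log_lands_in_container(0));
    printf("nsprintk(net->syslog_ns): lands in container? %d\n", log_lands_in_container(1));
    return 0;
}
```

The model deliberately makes `current_task` a host process so the misdelivery is visible; in a real softirq it could equally be any task from any container, which is why the namespace must travel with the netns rather than be inferred from the running task.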