# netfilter/iptable logging

> Logging from network namespaces other than init has been disabled since
> kernel 3.10 in order to prevent host kernel log flooding from inside
> a container.

Source: [lxc-users.linuxcontainers.narkive.com](https://lxc-users.linuxcontainers.narkive.com/fuIM2bZg/lxc-and-netfilter-log)

There are two ways to get logging working on guests running in namespaces. The first is to simply enable it, even though it is off by default due to the security concerns mentioned above. The second, _and better_, way is to use userspace logging, which doesn't carry the same restrictions because it doesn't interact with kernel space in the same way. Besides userspace logging being the better security practice, any time it is possible to modify the host machine less, it is better in my opinion.

## Method 1: Userspace Logging (on guest)

Install `ulogd2`

```bash
apt install ulogd2
```

Replace the `LOG` target in any iptables/netfilter rules with `NFLOG`:

```diff
- -A INPUT -j LOG
+ -A INPUT -j NFLOG
```

Source: [lxadm.com](https://lxadm.com/Iptables:_LOG_target_not_working_in_LXD_containers)

## Method 2: Enable Logging In Namespaces (on host)

> Logging from network namespaces other than init has been disabled since
> kernel 3.10 in order to prevent host kernel log flooding from inside
> a container.
>
> If you have kernel >= 4.11 or one with commit 2851940ffee3 ("netfilter: allow logging from non-init namespaces") backported, you can enable netfilter logging from other network namespaces by...

```bash
sysctl net.netfilter.nf_log_all_netns=1
```

Source: [lxc-users.linuxcontainers.narkive.com](https://lxc-users.linuxcontainers.narkive.com/fuIM2bZg/lxc-and-netfilter-log)

This enables netfilter logging (the `nf` in `nf_log_all_netns`) from all network namespaces until the next reboot. It can also be enabled persistently using one of the following methods.

#### Option 1: Always On with `sysctl.conf`

Add a single line to `/etc/sysctl.conf` so the setting is applied at boot.

```bash
echo "net.netfilter.nf_log_all_netns = 1" >> /etc/sysctl.conf
```

#### Option 2: On Demand with Snippets (for Proxmox only)

Add a bash script to use as a snippet.

```bash
#!/bin/bash
# /var/lib/vz/snippets/nf_log_all_netns.sh
# Proxmox hookscript: invoked as <script> <vmid> <phase>, so $1 is the
# container ID and $2 is the phase (pre-start, post-start, pre-stop, post-stop).
# The sysctl is host-global: pre-stop switches it off for every container.

case $2 in
  pre-start)
    echo "[pre-start]"
    echo -e "\tEnabling netfilter namespace logging."
    echo -e "\t$(sysctl net.netfilter.nf_log_all_netns=1)"
    ;;
  pre-stop)
    echo "[pre-stop]"
    echo -e "\tDisabling netfilter namespace logging."
    echo -e "\t$(sysctl net.netfilter.nf_log_all_netns=0)"
    ;;
esac
```

Then attach the script as the container's _hookscript_. If your container ID is `100`, it looks like:

```bash
pct set 100 -hookscript local:snippets/nf_log_all_netns.sh
```
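As an added example covering both methods above (not part of the original note), the following script converts `iptables-save` output from the kernel `LOG` target to `NFLOG` for Method 1, and checks whether the host already allows namespace logging for Method 2. The sample rules, the NFLOG group number and the function names are constructed for this example.

```bash
#!/bin/bash
# Constructed sample of iptables-save output (not taken from any real host).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh: " --log-level 4
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -j LOG
COMMIT'

# NFLOG group that ulogd2 subscribes to (must match "group=" in ulogd.conf).
NFLOG_GROUP=1

# Rewrite every "-j LOG" to "-j NFLOG --nflog-group N". The prefix option is
# renamed to its NFLOG counterpart; LOG-only options (--log-level and the
# --log-tcp-sequence/... flags) have no NFLOG equivalent and are dropped.
rewrite_log_to_nflog() {
  sed -E \
    -e "s/-j LOG( |\$)/-j NFLOG --nflog-group ${NFLOG_GROUP}\1/" \
    -e 's/--log-prefix/--nflog-prefix/' \
    -e 's/ --log-level [a-z0-9]+//' \
    -e 's/ --log-(tcp-sequence|tcp-options|ip-options|uid|macdecode)//g'
}

# Count rules on stdin that still use the kernel LOG target (0 after rewrite).
count_kernel_log_rules() {
  grep -c -- '-j LOG' || true
}

# True when the host permits kernel-side logging from non-init network
# namespaces (Method 2); reads /proc directly so no sysctl binary is needed.
nf_log_all_netns_enabled() {
  local f=/proc/sys/net/netfilter/nf_log_all_netns
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Demonstration on the constructed sample. On a real guest the pipeline is:
#   iptables-save | rewrite_log_to_nflog | iptables-restore
printf '%s\n' "$SAMPLE_RULES" | rewrite_log_to_nflog
if nf_log_all_netns_enabled; then
  echo "host: nf_log_all_netns=1 (kernel LOG target would also work here)"
else
  echo "host: nf_log_all_netns is off or unreadable; use NFLOG + ulogd2"
fi
```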