On Sat, Apr 17, 2004 at 10:16:26PM +0800, Canggung Mendonan wrote: > I use ipfilter exclusively in all the FreeBSD systems I ever set up / > administer since FreeBSD 4.x at least. In addition, in all my systems I > have a habit of logging ipfilter to a different file, by using the > following setting in /etc/rc.conf:- > > ipmon_enable="YES" > ipmon_flags="-D /var/log/ipflog" > > and rotating it in newsyslog.conf:- > > /var/log/ipflog 640 7 1000 * J > > Reason for this is I also turn on /var/log/all.log (logging everything), > so default ipmon settings tend to clutter the logs. > > Anyway, since FreeBSD v5.x (been using it since a while before > 5.0-RELEASE), in at least 3 of the machines I administer, rotation works > fine, and ipmon resumes logging afterwards. However the partition where > /var/log/ipflog resides gradually fills up, until 100% full. Curiously, > killing ipmon process releases back the space taken.
Yes. This is one of those unixy things that makes a great deal of
sense only after you've stopped and thought about it for a while.
What's happening is this: ipmon has an open filehandle onto the
logfile it's writing. Which means that even if you delete the file or
overwrite it in the filesystem, the kernel still sees that file as
active and doesn't free up the space it takes until the ipmon process
closes the file.
There's a conceptual difference between a file name -- which is just
an entry in a directory structure with a pointer to the file's
location -- and to the file itself. A file can have many different
names in many directories so long as they are all on the same
filesystem -- this is the concept known as 'hard linking' as described
in ln(1). A file is only deleted once all filesystem links to it have
been removed and all open file descriptors on it have been closed.
> Adding /var/run/ipmon.pid at the end of newsyslog.conf line above stops
> the above symptom, but ipmon stopped logging after each rotation.
This should be the correct thing to do: ipmon should interpret a HUP
signal to mean 'reopen log files' -- unless it's changed dramatically
between 4.x and 5.x[*], in which case you'll have to hunt down what
should be done instead by reading the documentation or the code or
something.
Have you tried recompiling without any extra optimization and without
and CPUTYPE flags? Is your system up-to-date with the latest patches
for whatever code branch you're tracking, and does your kernel match
correctly with the system you're using (ie. they were both compiled
from the same sources and you followed the procedure in
/usr/src/UPDATING to do any upgrades)? Does the ipmon process actually
quit when sent a SIGHUP? If the answer is yes to two or more of
those, then it's worth using send-pr(1) to report this as a bug.
Cheers,
Matthew
[*] It hasn't, at least in this respect, as can be seen using cvsweb.
--
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
pgp00000.pgp
Description: PGP signature
