Date:      Sun, 28 Oct 2018 23:07:56 +0100
From:      Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To:        freebsd-current@freebsd.org
Subject:   Re: 12.0-BETA1 vnet with pf firewall
Message-ID:  <113f7b4f-0a72-7f0f-afe0-f9f9885011e6@plan-b.pwste.edu.pl>
In-Reply-To: <201810282139.w9SLdO58054096@pdx.rh.CN85.dnsmgr.net>
References:  <201810282139.w9SLdO58054096@pdx.rh.CN85.dnsmgr.net>

On 28.10.2018 at 22:39, Rodney W. Grimes wrote:
>> Bjoern A. Zeeb wrote:
>>> On 28 Oct 2018, at 15:31, Ernie Luzar wrote:
>>>
>>>> Tested with host running ipfilter and vnet running pf. Tried loading
>>>> pf from host console or from vnet console using kldload pf.ko command
>>>> and get this error message;
>>>>
>>>> linker_load_file: /boot/kernel/pf.ko-unsupported file type.
>>>>
>>>> Looks like the 12.0 version of pf which is supposed to work in vnet
>>>> independent of what firewall is running on the host is not working.
>>> You cannot load pf from inside a jail (with or without vnet).  Kernel
>>> modules are global objects loaded from the base system or you compile
>>> the devices into the kernel;  it is their state which is virtualised.
>>>
>>> If you load multiple firewalls they will all be available to the base
>>> system and all jails+vnet.  Whichever you configure in which one is up
>>> to you.  Just be careful as an unconfigured firewall might have a
>>> default action affecting the outcome of the overall decision.
>>>
>>> For example you could have:
>>>
>>> a base system using ipfilter and setting pf to default accept everything
>>> and a jail+vnet using pf and setting ipfilter there to accept everything.
>>>
>>>
>>> Hope that clarifies some things.
>>>
>>> /bz
>>>
>> Hello Bjoern.
>>
>> What you said is correct for 10.x & 11.x. But I am talking about
>> 12.0-beta1.  I have the ipfilter options enabled in rc.conf of the host
>> and on boot ipfilter starts just like it always does. Now to prep the
>> host for pf in a vnet jail, I issue from the host console the
>> "kldload pf.ko" command and get this error message;
>>
>> linker_load_file: /boot/kernel/pf.ko-unsupported file type.
>>
>> Something is wrong here. This is not supposed to happen according to your
>> post above.
>>
>> Remember that in 12.0 vimage is included in the base system kernel.
> Confirmed, if I boot a clean install and issue:
> 	kldload ipfilter.ko
> 	kldload pf.ko
> my dmesg has:
> IP Filter: v5.1.2 initialized.  Default = pass all, Logging = enabled
> linker_load_file: /boot/kernel/pf.ko - unsupported file type
>
The same happens when loading pf.ko combined with ipsec.ko; both can't be loaded
on the same running kernel.

# kldload ipsec && echo ok || echo fail ; kldload pf && echo ok || echo fail

ok
kldload: an error occurred while loading module pf. Please check
dmesg(8) for more details.
fail


Another try in reverse order (both modules unloaded first):


# kldload pf && echo ok || echo fail ; kldload ipsec && echo ok || echo fail
ok
kldload: an error occurred while loading module ipsec. Please check
dmesg(8) for more details.
fail

Some time ago I submitted a PR about this, but I was unaware that the
case of failure during loading ipsec.ko is caused by the presence of
already loaded pf.ko.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228854

-- 
Marek Zarychta
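A systematic way to reproduce the load-order conflict the thread describes, as an added example (not code from the thread or from FreeBSD): it loads every ordered pair of the given modules, records whether the second one loads on top of the first, and unloads both again so each pair starts clean. It assumes a FreeBSD host, root, and only the real kldload(8) and kldunload(8) commands; the module names are the ones named in the thread.

```shell
#!/bin/sh
# Added example: probe ordered pairs of kernel modules for a load-order
# conflict such as the pf/ipsec and ipfilter/pf one reported in the thread.
# Each pair starts from a clean state: load A, try B, unload whatever loaded.

probe_pair() {
    # Load $1 first, then $2; prints "<first> <second> ok|fail" and returns
    # 0 only when the second module loaded on top of the first.
    first=$1; second=$2
    if ! kldload "$first" >/dev/null 2>&1; then
        printf '%s %s first-failed\n' "$first" "$second"
        return 1
    fi
    if kldload "$second" >/dev/null 2>&1; then
        result=ok
        kldunload "$second" >/dev/null 2>&1 || true
    else
        # linker_load_file reports the reason via dmesg(8), not on stderr
        result=fail
    fi
    kldunload "$first" >/dev/null 2>&1 || true
    printf '%s %s %s\n' "$first" "$second" "$result"
    [ "$result" = ok ]
}

probe_all() {
    # Every ordered pair of the given modules, e.g. probe_all ipsec pf ipfilter
    for a in "$@"; do
        for b in "$@"; do
            if [ "$a" != "$b" ]; then
                probe_pair "$a" "$b" || true
            fi
        done
    done
}

# Only probe for real on a FreeBSD host as root; elsewhere just define helpers.
if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then
    probe_all ipsec pf ipfilter
    echo "for each failing pair, check dmesg(8) for linker_load_file messages"
fi
```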