Message-ID: <5BD61458.9040402@gmail.com>
Date: Sun, 28 Oct 2018 15:56:08 -0400
From: Ernie Luzar
To: "Bjoern A. Zeeb"
CC: FreeBSD current
Subject: Re: 12.0-BETA1 vnet with pf firewall
In-Reply-To: <6811B138-54C8-448F-A7F8-76374A077D8A@lists.zabbadoz.net>
List-Id: Discussions about the use of FreeBSD-current

Bjoern A. Zeeb wrote:
> On 28 Oct 2018, at 15:31, Ernie Luzar wrote:
>
>> Tested with host running ipfilter and vnet running pf. Tried loading
>> pf from host console or from vnet console using kldload pf.ko command
>> and get this error message;
>>
>> linker_load_file: /boot/kernel/pf.ko-unsupported file type.
>>
>> Looks like the 12.0 version of pf which is supposed to work in vnet
>> independent of what firewall is running on the host is not working.
>
> You cannot load pf from inside a jail (with or without vnet). Kernel
> modules are global objects loaded from the base system or you compile
> the devices into the kernel; it is their state which is virtualised.
>
> If you load multiple firewalls they will all be available to the base
> system and all jails+vnet. Whichever you configure in which one is up
> to you. Just be careful as an unconfigured firewall might have a
> default action affecting the outcome of the overall decision.
>
> For example you could have:
>
> a base system using ipfilter and setting pf to default accept everything
> and a jail+vnet using pf and setting ipfilter there to accept everything.
>
>
> Hope that clarifies some things.
>
> /bz
>

Hello Bjoern.

What you said is correct for 10.x & 11.x. But I am talking about
12.0-beta1.

I have the ipfilter options enabled in rc.conf of the host and on boot
ipfilter starts just like it always does.

Now to prep the host for pf in a vnet jail, I issue from the host
console the "kldload pf.ko" command and get this error message;

linker_load_file: /boot/kernel/pf.ko-unsupported file type.

Something is wrong here. This is not supposed to happen according to your
post above. Remember that in 12.0 vimage is included in the base system
kernel.