From: George Mamalakis <mamalos@eng.auth.gr>
To: stable@freebsd.org
Date: Wed, 08 Aug 2012 14:33:25 +0300
Subject: pf nat fails on msk0 from packets deriving from a jail interface
Message-ID: <50224E85.2040707@eng.auth.gr>

Hi all,

Suddenly I am facing a problem on a new PC, using a configuration that I have been using on more than 10 servers for the last few years. The only thing that I find that differs from my other configurations is the NIC of the PC. If not, I must be missing something very trivial.

I have built a jail on this PC, following the handbook's guidelines (section: application of jails). The PC has one NIC, msk0, on which I run pf (built into my kernel; I have already tried using the module). My pf.conf is as simple as possible:

# cat /etc/pf.conf
nat on msk0 from any to any -> 10.0.3.6
pass quick all

When I jexec inside the jail, and pf is running, I am unable to reach any machine except my jail (not even the host). If pf is off, the network works just fine (of course my router knows where to find my jail's subnet). What is strange is that if I tcpdump on msk0, then a few seconds after I request something from within the jail, I see the packets going and coming on msk0 using the correct IP (the NAT IP), but it seems that the machine fails to route them back inside the jail.

My configuration is as follows:

# uname -a
FreeBSD filesrv.svr.noca 9.0-STABLE FreeBSD 9.0-STABLE #1: Fri Jul 27 15:40:48 EEST 2012 root@filesrv.svr.noca:/usr/obj/usr/src/sys/MAMALOPYRINO amd64

# ifconfig -a
msk0: flags=8843 metric 0 mtu 1500
        options=c011b
        ether 80:ee:73:10:a3:58
        inet 10.0.3.6 netmask 0xffffff00 broadcast 10.0.3.255
        inet6 fe80::82ee:73ff:fe10:a358%msk0 prefixlen 64 scopeid 0x1
        nd6 options=29
        media: Ethernet autoselect (1000baseT )
        status: active
pflog0: flags=0<> metric 0 mtu 33152
        nd6 options=29
pfsync0: flags=0<> metric 0 mtu 1500
        nd6 options=29
        syncpeer: 0.0.0.0 maxupd: 128
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21
lo1: flags=8049 metric 0 mtu 16384
        options=3
        inet 10.3.2.1 netmask 0xff000000
        nd6 options=29
tap1: flags=8843 metric 0 mtu 1500
        options=80000
        ether 00:bd:7b:c3:0c:01
        inet6 fe80::2bd:7bff:fec3:c01%tap1 prefixlen 64 scopeid 0xb
        inet 10.3.2.2 netmask 0xffffff00 broadcast 10.3.2.255
        nd6 options=29
tap2: flags=8843 metric 0 mtu 1500
        options=80000
        ether 00:bd:7f:c3:0c:02
        inet6 fe80::2bd:7fff:fec3:c02%tap2 prefixlen 64 scopeid 0xc
        nd6 options=29
lo3: flags=8049 metric 0 mtu 16384
        options=3
        inet 10.3.2.3 netmask 0xffffff00
        nd6 options=29
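The ruleset in the post translates and passes every packet. As an added example (not the poster's configuration, and not a confirmed fix for the problem reported), here is a pf.conf that scopes both the NAT rule and the filter rules to the jail subnet, so that what pf translates and passes is explicit and visible in pfctl output. It assumes the jail subnet is 10.3.2.0/24 (inferred from the lo3 and tap1 addresses in the ifconfig output) and that msk0 is the only external interface; both are assumptions, not facts from the post.

```pf
# Added example, not the original poster's pf.conf.
# Assumptions (not stated in the post):
#   - the jail's addresses live in 10.3.2.0/24 (lo3 is 10.3.2.3/24)
#   - msk0 is the only interface facing the rest of the network
ext_if   = "msk0"
jail_net = "10.3.2.0/24"

# Loopback clones carry the jail addresses; do not filter them at all.
set skip on { lo0 lo1 lo3 }

# Translate only the jail subnet, and only when it leaves msk0.
# "($ext_if)" follows the interface address instead of hard-coding 10.0.3.6.
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# Default deny with logging replaces "pass quick all"; pflog0 then shows
# exactly which packets were dropped (tcpdump -n -e -ttt -i pflog0).
block log all

# Outbound: the host itself and the jail subnet may open connections.
# "keep state" is the default for pass rules on this pf version, written
# out here so the stateful behaviour is visible when reading the ruleset.
pass out quick on $ext_if inet from ($ext_if) to any keep state
pass out quick on $ext_if inet from $jail_net to any keep state

# Inbound services to the host or the jail need their own explicit
# rules; none are added here because the post lists none.
```

Check the file with pfctl -nf /etc/pf.conf before loading it, and compare pfctl -s nat and pfctl -s state against the tcpdump on msk0 to see whether the translated connection has a matching state entry.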