Date:      Mon, 2 Nov 2015 14:59:03 +0100
From:      Kristof Provost <kp@FreeBSD.org>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: pf NAT and VNET Jails
Message-ID:  <D9FD5254-DA54-40B0-B4D6-71F65EB3B84A@FreeBSD.org>
In-Reply-To: <6607014.lfu2kQizLV@hbsd-dev-laptop>
References:  <CAExMvs=jVsASLyiqU9nTpir0Hy_s_DfChgf4XKeGWv-8yojNBw@mail.gmail.com> <56354BD2.5060608@freebsd.org> <6607014.lfu2kQizLV@hbsd-dev-laptop>



> On 02 Nov 2015, at 14:47, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> 
> On Sunday, 01 November 2015 07:16:34 AM Julian Elischer wrote:
>> On 11/1/15 2:50 AM, Shawn Webb wrote:
>>> I'm at r290228 on amd64. I'm not sure which revision I was on last when it
>>> last worked, but it seems VNET jails aren't working anymore.
>>> 
>>> I've got a bridge, bridge1, with an IP of 192.168.7.1. The VNET jails set
>>> their default route to 192.168.7.1. The host simply NATs outbound from
>>> 192.168.7.0/24 to the rest of the world. The various epairs get added to
>>> bridge1 and assigned to each jail. Pretty simple setup. That worked until
>>> today. When I do tcpdump on my public-facing NIC, I see that NAT isn't
>>> applied. When I run `ping 8.8.8.8` from the jail, the jail's
>>> 192.168.7.0/24
>>> address gets sent on the wire.
>>> 
>>> Let me know what I can do to help debug this further.
>> 
>> send the list your setup script/settings?
> 
> I'm using iocage to start up the jails. Here's a pasted output of `iocage get 
> all mutt-hardenedbsd`: http://ix.io/lLG

Can you add your pf.conf too?

I’ll try upgrading my machine to something beyond 290228 to see if I can reproduce it.
It’s on r289635 now, and seems to be fine. My VNET jails certainly get their traffic NATed.

Thanks,
Kristof
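
Added example, not part of the thread and not anyone's posted configuration: the minimal pf.conf shape for the setup described above (VNET jails on 192.168.7.0/24 behind bridge1, with the host translating their outbound traffic), together with the host-side checks that tell you whether the nat rule is loaded and actually matching. The public interface name em0 is a placeholder; the 192.168.7.0/24 subnet comes from the report. Interface-specific pass rules are kept generic because the thread says nothing about the filter side of the ruleset.

```sh
#!/bin/sh
# Added example (not from the thread). Generates a pf.conf that NATs a jail
# subnet out of a public interface, and lists the checks to run on the host.
# ASSUMPTIONS: the public NIC is em0 (placeholder); jail subnet from the thread.

# gen_pf_conf EXT_IF JAIL_NET: print a pf.conf that translates JAIL_NET out of
# EXT_IF. In pf.conf, translation (nat/rdr) rules must come before filter
# (pass/block) rules, which is the ordering produced here.
gen_pf_conf() {
    ext_if="$1"
    jail_net="$2"
    cat <<EOF
ext_if = "${ext_if}"
jail_net = "${jail_net}"

set skip on lo0

# Translate outbound jail traffic to whatever address \$ext_if currently has;
# the parentheses make pf look the address up at match time.
nat on \$ext_if from \$jail_net to any -> (\$ext_if)

# Filter rules follow the translation rules.
pass in quick from \$jail_net to any
pass out quick on \$ext_if from any to any
EOF
}

# check_nat_cmds EXT_IF: print the commands a host admin runs to confirm that
# NAT is loaded and applied. Printed rather than executed, so this file can be
# read and tested on a machine without pf.
check_nat_cmds() {
    ext_if="$1"
    cat <<EOF
pfctl -nf /etc/pf.conf              # syntax-check the ruleset without loading it
pfctl -s nat                        # the nat rule must be listed here
pfctl -s states | grep 192.168.7.   # a translated state shows jailaddr -> extaddr
tcpdump -ni ${ext_if} icmp          # source must be ${ext_if}'s address, not 192.168.7.x
EOF
}

# Usage: sh this_file.sh show [ext_if] [jail_net]
if [ "${1:-}" = "show" ]; then
    gen_pf_conf "${2:-em0}" "${3:-192.168.7.0/24}"
    echo "# --- checks ---"
    check_nat_cmds "${2:-em0}"
fi
```

If tcpdump on the public NIC shows a 192.168.7.x source, as in the report, `pfctl -s nat` tells you whether the rule is loaded at all, and `pfctl -s states` tells you whether a packet ever matched it; an empty state table with the rule present points at the packet reaching the interface in a form the rule does not match, rather than at the rule itself.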