From: Shawn Webb
To: Kristof Provost
Cc: freebsd-current@freebsd.org
Subject: Re: pf NAT and VNET Jails
Date: Mon, 02 Nov 2015 09:07:27 -0500
Message-ID: <20151798.z4nmEG8eZc@hbsd-dev-laptop>
Organization: HardenedBSD
References: <6607014.lfu2kQizLV@hbsd-dev-laptop>

On Monday, 02 November 2015 02:59:03 PM Kristof Provost wrote:
> > On 02 Nov 2015, at 14:47, Shawn Webb wrote:
> >
> > On Sunday, 01 November 2015 07:16:34 AM Julian Elischer wrote:
> >> On 11/1/15 2:50 AM, Shawn Webb wrote:
> >>> I'm at r290228 on amd64. I'm not sure which revision I was on last when
> >>> it last worked, but it seems VNET jails aren't working anymore.
> >>>
> >>> I've got a bridge, bridge1, with an IP of 192.168.7.1. The VNET jails
> >>> set their default route to 192.168.7.1. The host simply NATs outbound from
> >>> 192.168.7.0/24 to the rest of the world. The various epairs get added to
> >>> bridge1 and assigned to each jail. Pretty simple setup. That worked
> >>> until today. When I do tcpdump on my public-facing NIC, I see that NAT isn't
> >>> applied. When I run `ping 8.8.8.8` from the jail, the jail's
> >>> 192.168.7.0/24 address gets sent on the wire.
> >>>
> >>> Let me know what I can do to help debug this further.
> >>
> >> send the list your setup script/settings?
> >
> > I'm using iocage to start up the jails. Here's a pasted output of `iocage
> > get all mutt-hardenedbsd`: http://ix.io/lLG
>
> Can you add your pf.conf too?
>
> I'll try upgrading my machine to something beyond 290228 to see if I can
> reproduce it. It's on r289635 now, and seems to be fine. My VNET jails
> certainly get their traffic NATed.

Sorry about that! I should've included it. It's pasted here: http://ix.io/lLI

It's probably not the most concise. This is a laptop that can have one of
three interfaces online: re0 (ethernet on the laptop), wlan0 (you can guess
what that is), or ue0 (usb tethering from my phone). I used to be able to
specify NATing like that and pf would automatically figure out which outgoing
device to use. Seems like that's broken now.

Thanks,

-- 
Shawn Webb
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
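For readers following the thread, here is an added example pf.conf for the setup Shawn describes (jails bridged on bridge1 at 192.168.7.1/24, one of three uplinks online at a time, outbound NAT for the jail network). It is not the pf.conf he pasted (the message only links it) and not FreeBSD project code; the interface names re0, wlan0 and ue0, bridge1 and 192.168.7.0/24 come from the thread, while the macro names and the pass rules are assumptions.

```pf
# Added example, not the configuration from the thread.
# Assumed layout, taken from the description in the thread:
#   bridge1       192.168.7.1/24, holds the jails' epair interfaces
#   re0/wlan0/ue0 the possible uplinks; only one is up at a time
jail_net = "192.168.7.0/24"
ext_ifs  = "{ re0 wlan0 ue0 }"

# Translation rules must come before filter rules in this pf version.
# Writing the uplink in parentheses makes pf re-read the interface's
# current address at rule-evaluation time, so a DHCP lease change or a
# different uplink coming up does not need a ruleset reload.
nat on re0   from $jail_net to any -> (re0)
nat on wlan0 from $jail_net to any -> (wlan0)
nat on ue0   from $jail_net to any -> (ue0)

# Traffic that stays on the jail bridge is never translated.
no nat on bridge1 from $jail_net to $jail_net

pass quick on lo0 all
pass on bridge1 all
pass out on $ext_ifs keep state
```

To confirm the ruleset rather than guess, `pfctl -vnf /etc/pf.conf` parses it without loading, `pfctl -s nat` shows which nat rules are actually installed, and `pfctl -s state` while running `ping 8.8.8.8` from a jail shows whether a state with the translated source address was created for the active uplink. If the state is missing but the uplink's tcpdump shows the 192.168.7.x source, as in the report, the packet did not match any nat rule on its way out, which narrows the problem to rule selection on that interface rather than to the jail or the bridge.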