From: krad
Date: Tue, 16 Aug 2016 13:47:32 +0100
Subject: Re: testing 11.0-RC1 vnet jails with ipfilter
To: "Bjoern A. Zeeb"
Cc: Ernie Luzar, "freebsd-jail@freebsd.org", Freebsd Questions

Is ipfilter supported in vnet jails? Last time I looked and tried, pf didn't work (kernel panics), and only ipfw was supported.

On 15 August 2016 at 17:59, Bjoern A. Zeeb wrote:

> On 15 Aug 2016, at 15:37, Ernie Luzar wrote:
>
>> Hello list;
>>
>> Running 11.0-RC1 with only option vimage compiled into the generic kernel.
>>
>> I can run ipfilter on the host and start vnet jails containing no
>> firewalls just fine. But when I try to also have ipfilter run in the vnet
>> jail nothing happens. I added this to the vnet jail's rc.conf:
>>
>> ipfilter_enable="YES"
>> ipfilter_rules="/etc/ipf.boot.rules"
>> ipmon_enable="YES"
>> ipmon_flags="-Ds"
>>
>> Then start the vnet jail and it's like those ipfilter statements in the
>> vnet jail's rc.conf are not there. The vnet jail's /var/log/messages file
>> is not even there. Issuing "ipfstat" inside the running vnet jail to
>> display the jail's ipfilter rules gives this error message:
>> "open(IPSTATE_NAME): No such file or directory"
>> To me this means ipfilter is not running in the vnet jail even though I
>> requested it in the vnet jail's rc.conf file.
>>
>> So my question to this list is, has anyone managed to get ipfilter to run
>> inside a vnet jail using any of the 11.0 alpha, beta, or rc versions? If
>> so would you please share your setup with me?
>>
>> Maybe I am too close to the bleeding edge for there to be other users in
>> the same test loop?
>
> The startup script contains “nojail”. I think someone opened a bug
> report the other day but I can’t find it anymore; so the startup script
> won’t automatically run inside a jail. Can you remove that line and try
> again?
>
> /bz
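
Added example, not part of the original thread: a check for the failure discussed above, where a service enabled in a jail's rc.conf never starts because its rc.d script is tagged "# KEYWORD: nojail". The function names nojail_enabled and make_sample are hypothetical, the sample files are constructed, and it assumes each rc.d script is named after its rcvar prefix (ipfilter_enable -> rc.d/ipfilter).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes each rc.d script is named after
# its rcvar prefix (ipfilter_enable -> rc.d/ipfilter).

# nojail_enabled RCCONF RCDIR
# Prints each service that rc.conf enables but whose rc.d script is tagged
# "# KEYWORD: nojail". Returns 0 if any was found, 1 if none.
nojail_enabled() {
    rcconf=$1
    rcdir=$2
    found=1
    # Match nojail as a whole word anywhere on the "# KEYWORD:" line.
    kw='^#[[:space:]]*KEYWORD:([[:space:]]+[^[:space:]]+)*[[:space:]]+nojail([[:space:]]|$)'
    # Extract NAME from uncommented NAME_enable="YES" lines.
    for svc in $(sed -n "s/^[[:space:]]*\([A-Za-z0-9_]*\)_enable=[\"']\{0,1\}[Yy][Ee][Ss][\"']\{0,1\}.*/\1/p" "$rcconf"); do
        [ -f "$rcdir/$svc" ] || continue
        if grep -Eq "$kw" "$rcdir/$svc"; then
            printf '%s\n' "$svc"
            found=0
        fi
    done
    return "$found"
}

# make_sample DIR: constructed sample data; the rc.conf mirrors the thread's.
make_sample() {
    mkdir -p "$1/rc.d"
    cat > "$1/rc.conf" <<'EOF'
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.boot.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
cron_enable="YES"
#sshd_enable="YES"
EOF
    # Constructed stand-ins, not copies of FreeBSD's scripts; only the
    # header comment lines matter to the check.
    printf '# PROVIDE: ipfilter\n# KEYWORD: nojail\n' > "$1/rc.d/ipfilter"
    printf '# PROVIDE: ipmon\n# KEYWORD: nojail shutdown\n' > "$1/rc.d/ipmon"
    printf '# PROVIDE: cron\n# KEYWORD: shutdown\n' > "$1/rc.d/cron"
    printf '# PROVIDE: sshd\n# KEYWORD: nojail\n' > "$1/rc.d/sshd"
}

demo=$(mktemp -d)
make_sample "$demo"
nojail_enabled "$demo/rc.conf" "$demo/rc.d" || echo "no enabled service is tagged nojail"
rm -rf "$demo"
```

On a real system, pass the jail's own rc.conf and rc.d directory as the two arguments.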