From: Kristof Provost
To: Ernie Luzar
Cc: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: 12.0-beta3 pf firewall NAT rule syntax for vnet jail using pf
Date: Mon, 12 Nov 2018 10:19:37 +0100
Message-ID: <20181112091936.GA73897@vega.codepro.be>
In-Reply-To: <5BE86041.9070900@gmail.com>
List-Id: "Discussion about FreeBSD jail(8)"

On 2018-11-11 12:00:49 (-0500), Ernie Luzar wrote:
> Kristof Provost wrote:
> >
> > If so, how can the jail see the vge0 interface?
> Through the bridge? I don't really know. Just guessing.
>
Think of vnet jails as separate machines. There's no mechanism for pf hosts to
exchange that sort of information between machines, so there's no mechanism
for them to exchange that between host and vnet jail.

In this case your nat rule simply won't do anything, because the vge0
interface does not exist in the jail.

> I added pass to the pf nat rule so inbound packets that match an entry in
> the state table get passed automatically.
>
> Now using this pf nat rule
> nat pass on epair2b from 10.0.0.30/24 to any -> (epair2b)
>
> This is the ifconfig -a on the host after the vnet jail is started.
>
Your bridge doesn't have an IP address. How do you expect to route traffic
arriving on that interface?

To be frank, you seem to be very confused on general networking concepts. I'd
advise you to study those first, because you're going to keep struggling until
you grasp the fundamentals of how IP works.

Best regards,
Kristof
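As an added example (not code from this thread or from the pf project): a small POSIX sh lint that lists every interface a pf.conf fragment names via `on IFACE` or `-> (IFACE)` and reports the ones that do not exist where the ruleset will be loaded, which is exactly how a rule naming the host's vge0 ends up matching nothing inside a vnet jail. The rule text and the JAIL_IFACES list are constructed for the example; on a real system you would fill the list from `ifconfig -l` run inside the jail with jexec.

```shell
#!/bin/sh
# Constructed pf.conf fragment: the thread's epair2b rule plus a rule that
# names a host-side interface (vge0) a vnet jail cannot see.
RULES='nat pass on epair2b from 10.0.0.30/24 to any -> (epair2b)
nat on vge0 from 10.0.0.0/24 to any -> (vge0)
pass in on epair2b proto tcp to port 22'

# Interfaces the jail would list (constructed; real value: jexec JID ifconfig -l).
JAIL_IFACES="lo0 epair2b"

# Print, once each, every interface the rules reference, taken from
# "on IFACE" and from the "-> (IFACE)" translation address.
rule_ifaces() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "on") print $(i+1) }
        match($0, /-> \([^)]+\)/) { print substr($0, RSTART+4, RLENGTH-5) }
    ' | sort -u
}

# Print "missing: IFACE" for each referenced interface absent from the
# space-separated list in $2; return 1 if any is missing, else 0.
check_rules() {
    rules=$1; have=$2; rc=0
    for ifc in $(rule_ifaces "$rules"); do
        case " $have " in
            *" $ifc "*) ;;
            *) echo "missing: $ifc"; rc=1 ;;
        esac
    done
    return $rc
}

# Inside the jail only epair2b exists, so the vge0 rule is flagged.
check_rules "$RULES" "$JAIL_IFACES" || echo "fix pf.conf before loading it in the jail"
```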