From owner-freebsd-bugs@FreeBSD.ORG Tue Jan 13 23:26:50 2015
Delivered-To: freebsd-bugs@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E927EECB for ; Tue, 13 Jan 2015 23:26:49 +0000 (UTC)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CFF32D25 for ; Tue, 13 Jan 2015 23:26:49 +0000 (UTC)
Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.9/8.14.9) with ESMTP id t0DNQnqP059220 for ; Tue, 13 Jan 2015 23:26:49 GMT (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 196699] pf starts blocking traffic from jails (with VIMAGE) needs to be stopped and reloaded
Date: Tue, 13 Jan 2015 23:26:49 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 9.2-STABLE
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: miguelmclara@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Tue, 13 Jan 2015 23:26:50 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196699

            Bug ID: 196699
           Summary: pf starts blocking traffic from jails (with VIMAGE) needs to be stopped and reloaded
           Product: Base System
           Version: 9.2-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: miguelmclara@gmail.com

I'm not seeing any panic, and I left my jail with no firewall to test. So the only firewall running is PF, and only on the host. It's set to skip "bridge" and "epair", but for some random reason (could be related to network inactivity, but I'm not sure) it starts blocking traffic.

Ex:

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
23:00:53.704965 rule 4..16777216/0(match): block out on xn0: x.x.x10.53 > x.x.x25.20602: 4690 6 0/1/0 (112)

Note that the jail resolv.conf points to the host IP, because I'm running dnscrypt-proxy+unbound on the host, but even if I take dnscrypt out of the equation and point it to the router/ISP DNS I get the same issue.

More importantly, I explicitly allow packets to/from any port "domain":

pass out on xn0 proto tcp from any to any port = domain flags S/SA keep state
pass out on xn0 proto udp from any to any port = domain keep state
pass in quick on xn0 inet proto tcp from x.x.x0/24 to any port = domain flags S/SA keep state
pass in quick on xn0 inet proto udp from x.x.x0/24 to any port = domain keep state

When this happens, if I do a DNS query from the host it works fine, so the issue is related to the jail IP only.
Also, I've just updated my kernel and world (on host and jail):

FreeBSD host.local 9.3-STABLE FreeBSD 9.3-STABLE #0 r277102: Tue Jan 13 16:33:46 WET 2015     root@host.local:/usr/obj/usr/src/sys/VIMAGE  amd64

The issue was already happening; I just wanted to make sure I was not missing any patch. I see some work is being done on patching VIMAGE/PF support, but probably it's not yet in 9-stable.

Last lines of dmesg show this:

epair0a: Ethernet address: 02:6a:22:00:06:0a
epair0b: Ethernet address: 02:6a:22:00:07:0b
epair0a: link state changed to UP
epair0b: link state changed to UP
epair0a: promiscuous mode enabled
arp: x.x.x10 moved from 02:6a:22:00:06:0a to 00:16:3e:52:3e:cf on epair0b
arp: x.x.x10 moved from 02:6a:22:00:06:0a to 00:16:3e:52:3e:cf on epair0b
arp: x.x.x10 moved from 02:6a:22:00:06:0a to 00:16:3e:52:3e:cf on epair0b

And not sure if relevant, but:

# arp hostIP
? (x.x.x.10) at 00:16:3e:52:3e:cf on xn0 permanent [ethernet]
# arp jailIP
? (x.x.x.25) at 02:6a:22:00:07:0b on epair0a expires in 70 seconds [ethernet]

Is it normal to see the mac address expire?

-- 
You are receiving this mail because:
You are the assignee for the bug.
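The pflog line in the report names the rule that dropped the packet ("rule 4..."), and the leading integer is the index that `pfctl -vvsr` prints as `@4` in front of each loaded rule. The helper below, an added example that is not part of the bug report or of FreeBSD, parses a pflog line as printed by tcpdump and looks the index up in saved `pfctl -vvsr` output so the blocking rule can be read back instead of guessed from pf.conf. Both inputs are constructed samples modelled on the report (documentation addresses replace the redacted x.x.x ones, and the rule text under `@4` is invented for illustration); on a live host you would feed it `tcpdump -n -e -ttt -i pflog0` lines and `pfctl -vvsr` output instead.

```shell
#!/bin/sh
# Added example: map a pflog "block" line to the rule in `pfctl -vvsr` output.
# Not code from the bug report; sample data below is CONSTRUCTED.

# Constructed pflog line in the format tcpdump prints for link-type PFLOG.
PFLOG_LINE='23:00:53.704965 rule 4..16777216/0(match): block out on xn0: 192.0.2.10.53 > 192.0.2.25.20602: 4690 6 0/1/0 (112)'

# Constructed `pfctl -vvsr` excerpt. With -vv every rule is prefixed @<index>,
# and that index is the number pflog reports as "rule N". The rule bodies are
# hypothetical and only stand in for a real ruleset.
PFCTL_RULES='@0 scrub in all fragment reassemble
@1 block drop in log all
@2 block drop out log all
@3 pass out on xn0 proto tcp from any to any port = domain flags S/SA keep state
@4 block drop out log on xn0 inet from 192.0.2.0/24 to any
@5 pass out on xn0 proto udp from any to any port = domain keep state'

# pflog_rule LINE
# Prints: "<ruleno> <action> <direction> <iface> <src> <dst>"
# Field 3 of the tcpdump line looks like "4..16777216/0(match):"; only the
# integer before the first dot is the main-ruleset index we need.
pflog_rule() {
    printf '%s\n' "$1" | awk '{
        split($3, r, "."); ruleno = r[1]
        action = $4; dir = $5
        iface = $7; sub(/:$/, "", iface)
        src = $8
        dst = $10; sub(/:$/, "", dst)
        print ruleno, action, dir, iface, src, dst
    }'
}

# rule_text RULENO RULES
# Prints the rule body for index RULENO (without the "@N " prefix), or nothing.
rule_text() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == "@" n { sub(/^@[0-9]+ /, ""); print; exit }'
}

# explain_block LINE RULES
# One-line summary of which loaded rule dropped the packet. Returns 1 when the
# index is not in the supplied ruleset (for example, the ruleset was reloaded
# after the log line was written and the indices shifted).
explain_block() {
    _line=$1; _rules=$2
    set -- $(pflog_rule "$_line")
    _ruleno=$1; _action=$2; _dir=$3; _iface=$4; _src=$5; _dst=$6
    _rule=$(rule_text "$_ruleno" "$_rules")
    if [ -z "$_rule" ]; then
        echo "rule @$_ruleno not present in the supplied ruleset (reloaded since the log line?)"
        return 1
    fi
    printf '%s %s on %s %s -> %s matched @%s: %s\n' \
        "$_action" "$_dir" "$_iface" "$_src" "$_dst" "$_ruleno" "$_rule"
}

# Stand-alone run against the constructed samples.
explain_block "$PFLOG_LINE" "$PFCTL_RULES"
```

Because pf evaluates the ruleset last-match-wins unless a rule says `quick`, the index tells you which rule actually won for that packet; comparing it with the `pass` rules you expected to match (here the `port = domain` rules) is the quickest way to see whether the packet simply failed to match them, for instance because the DNS port is the source rather than the destination in a reply.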