From owner-freebsd-bugs@freebsd.org Sun Aug 21 13:36:46 2016
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 212013] 11.0-RC1: vimage jail with pf not working
Date: Sun, 21 Aug 2016 13:36:46 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-RC1
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: qjail1@a1poweruser.com
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Changed-Fields: cc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Sun, 21 Aug 2016 13:36:46 -0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212013

Joe Barbish changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bz@FreeBSD.org,
                   |                            |qjail1@a1poweruser.com

--- Comment #2 from Joe Barbish ---
I changed "in" to "out" in the vnet jail pf rules file. Here are the rules
from inside of the vnet jail

pfctl -sr -vv
No ALTQ support in kernel
ALTQ related functions disabled
@0 block drop out quick on epair23b inet proto tcp from any to any port = nicname
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1171 State Creations: 0     ]
@1 pass log (all) quick on epair23b all flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1171 State Creations: 0     ]

With pf on the host and in the vnet jail, issuing the "whois" command from
within the vnet jail still worked, and it should not have worked. The vnet pf
firewall rules are not being enforced.

Here is a snippet from the host pf log.

pass out on fxp0: 10.23.0.2.29486 > 192.0.32.59.43:
pass in on fxp0: 192.0.32.59.43 > 10.23.0.2.29486:
pass in on bridge0: 192.0.32.59.43 > 10.23.0.2.29486:
pass out on fxp0: 10.23.0.2.29486 > 192.0.32.59.43:
pass in on fxp0: 192.0.32.59.43 > 10.23.0.2.29486:
pass in on bridge0: 192.0.32.59.43 > 10.23.0.2.29486:
pass out on fxp0: 10.23.0.2.29486 > 192.0.32.59.43:
pass out on fxp0: 10.23.0.2.29486 > 192.0.32.59.43:
pass in on fxp0: 192.0.32.59.43 > 10.23.0.2.29486:
pass in on bridge0: 192.0.32.59.43 > 10.23.0.2.29486:
pass in on fxp0: 192.0.32.59.43 > 10.23.0.2.29486:
pass in on bridge0: 192.0.32.59.43 > 10.23.0.2.29486:

In a nutshell, nothing changed from the first post. Those ipv6 packets are
still being generated. The following is info for maybe debugging this problem.
This is how I create the epair setup

ifconfig ${nicname} alias 10.${vnetid}.0.1
ifconfig epair${vnetid} create
ifconfig bridge0 addm epair${vnetid}a
ifconfig epair${vnetid}a up

This is the output of ifconfig -a command on the host after the vnet jail has
started.

/root >ifconfig -a
fxp0: flags=8943 metric 0 mtu 1500
	options=2009
	ether 00:0c:f1:cd:55:ea
	inet 10.0.10.12 netmask 0xfffffff0 broadcast 10.0.10.15
	inet 10.23.0.1 netmask 0xff000000 broadcast 10.255.255.255
	nd6 options=29
	media: Ethernet autoselect (100baseTX )
	status: active
lo0: flags=8049 metric 0 mtu 16384
	options=600003
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21
	groups: lo
pflog0: flags=141 metric 0 mtu 33184
	groups: pflog
bridge0: flags=8843 metric 0 mtu 1500
	ether 02:8f:94:84:0c:00
	nd6 options=9
	groups: bridge
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: epair23a flags=143
	        ifmaxaddr 0 port 5 priority 128 path cost 2000
	member: fxp0 flags=143
	        ifmaxaddr 0 port 1 priority 128 path cost 200000
epair23a: flags=8943 metric 0 mtu 1500
	options=8
	ether 02:c1:00:00:05:0a
	inet6 fe80::c1:ff:fe00:50a%epair23a prefixlen 64 scopeid 0x5
	nd6 options=21
	media: Ethernet 10Gbase-T (10Gbase-T )
	status: active
	groups: epair

Here is the output of ifconfig -a command issued from within the started vnet
jail.
lo0: flags=8049 metric 0 mtu 16384
	options=600003
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21
	groups: lo
pflog0: flags=0<> metric 0 mtu 33184
	groups: pflog
epair23b: flags=8843 metric 0 mtu 1500
	options=8
	ether 02:c1:00:00:06:0b
	inet 10.23.0.2 netmask 0xff000000 broadcast 10.255.255.255
	inet6 fe80::c1:ff:fe00:60b%epair23b prefixlen 64 scopeid 0x3
	nd6 options=21
	media: Ethernet 10Gbase-T (10Gbase-T )
	status: active
	groups: epair

-- 
You are receiving this mail because:
You are the assignee for the bug.
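The pfctl output in comment #2 carries its own diagnostic: both rules on epair23b still show "Evaluations: 0 Packets: 0" after a whois session that rule @0 should have matched, so the loaded ruleset is demonstrably not filtering that interface. The script below is an added example, not part of the bug report or of FreeBSD's tooling; it parses `pfctl -sr -vv` text and flags a ruleset whose counters never move. The first sample is constructed from the counters quoted in the comment, the second is an invented "working" case with non-zero counters, and the script assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not part of bug 212013 or of FreeBSD's own tooling.
# Reads `pfctl -sr -vv` output and reports rules whose Evaluations/Packets
# counters never moved. A zero counter after traffic the rule should have
# matched is the measurable sign that pf is not filtering that interface.
# Requires only POSIX sh and awk.

# Constructed sample 1: the two rules and counters from comment #2.
PF_IDLE_SAMPLE='No ALTQ support in kernel
ALTQ related functions disabled
@0 block drop out quick on epair23b inet proto tcp from any to any port = nicname
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1171 State Creations: 0     ]
@1 pass log (all) quick on epair23b all flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1171 State Creations: 0     ]'

# Constructed sample 2: the same rules with invented counters, as they would
# look if pf were actually seeing the whois traffic on epair23b.
PF_ACTIVE_SAMPLE='@0 block drop out quick on epair23b inet proto tcp from any to any port = nicname
  [ Evaluations: 3         Packets: 3         Bytes: 180         States: 0     ]
  [ Inserted: uid 0 pid 1171 State Creations: 0     ]
@1 pass log (all) quick on epair23b all flags S/SA keep state
  [ Evaluations: 3         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1171 State Creations: 0     ]'

# summarize_pf_counters: stdin = pfctl -sr -vv text; prints one line per rule:
# "<index> <evaluations> <packets> <rule text>". ALTQ notices and the
# "[ Inserted: ... ]" lines carry no counters and are skipped.
summarize_pf_counters() {
    awk '
        /^@[0-9]+ / {                    # rule header line, e.g. "@0 block drop ..."
            idx = substr($1, 2)
            rule = $0
            sub(/^@[0-9]+ /, "", rule)
            next
        }
        /Evaluations:/ {                 # counter line belonging to the rule above
            ev = "?"; pk = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1)
                if ($i == "Packets:")     pk = $(i + 1)
            }
            print idx, ev, pk, rule
        }
    '
}

# idle_rule_count: number of rules whose Evaluations counter is still 0.
idle_rule_count() {
    summarize_pf_counters | awk '$2 == 0 { n++ } END { print n + 0 }'
}

# check_pf_enforced: exit 0 if at least one rule has been evaluated, 1 if the
# ruleset is non-empty but every counter is 0 (pf loaded, no traffic seen).
check_pf_enforced() {
    summarize_pf_counters | awk '
        { total++; if ($2 > 0) active++ }
        END { exit (total > 0 && active > 0) ? 0 : 1 }
    '
}

# Stand-alone demo on the constructed samples. On a live system, generate the
# traffic the rule should match first, then run e.g.
#   jexec <jail> pfctl -sr -vv | check_pf_enforced
for sample in "$PF_IDLE_SAMPLE" "$PF_ACTIVE_SAMPLE"; do
    printf '%s\n' "$sample" | summarize_pf_counters
    if printf '%s\n' "$sample" | check_pf_enforced; then
        echo "OK: rule counters are moving, pf is evaluating this ruleset"
    else
        idle=$(printf '%s\n' "$sample" | idle_rule_count)
        echo "WARNING: all $idle rules idle, pf is loaded but sees no traffic here"
    fi
    echo
done
```

Run this inside the jail right after reproducing the traffic (the whois call in the report) and again on the host: a ruleset whose counters stay at zero while the host log shows the packets traversing bridge0 and fxp0 pinpoints that the filtering is not happening at the jail's epair, regardless of whether the rules say "in" or "out".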