From: Ernie Luzar
Date: Tue, 16 Aug 2016 16:21:26 -0400
To: "Bjoern A. Zeeb"
CC: krad, freebsd-jail@freebsd.org, Freebsd Questions
Subject: Re: testing 11.0-RC1 vnet jails with ipfilter
Message-ID: <57B375C6.9030500@gmail.com>

Bjoern A. Zeeb wrote:
>
> In 11-RC* it is present for all 3 firewalls; like VIMAGE due to memory
> footprint you might have to compile the firewall into the kernel rather
> than kldload it (especially ipfilter).
>
> /bz

The 11.0-RC1 host has vimage and ipfilter compiled into the kernel. The vnet jail can ping the public network. The host ipf log shows pings from the vnet jail as they pass the host firewall on the external interface using the IP address assigned to the vnet jail. Coding rules on the host firewall using the vnet jail's assigned IP address does work. But this is not how the vimage literature says vnet firewalls are supposed to work.

Issuing the "ipf -FS -Fa" command from within the vnet jail gives this message: "open device: no such file or directory. User kernel version check failed."

Issuing the "ipfstat -hnio" command from within the vnet jail gives this message: "open(IPSTATE_NAME): no such file or directory".

Running the host on a kernel with just vimage compiled in gets the same results as above. The only differences between the 10.x systems and 11.0 are that a vimage kernel no longer panics if the host is running ipfilter, and the lost memory message when stopping a vimage jail is gone.

Ipfilter does NOT start in a vimage jail. This is a major show stopper.
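The "open device: no such file" and "open(IPSTATE_NAME)" errors above come from the ipf userland tools failing to open their device nodes. The following is an added diagnostic script, not part of this thread and not FreeBSD's or ipfilter's own code; it assumes the ipfilter device node names /dev/ipl, /dev/ipnat, /dev/ipstate and /dev/ipauth and the security.jail.vnet sysctl, and takes the device directory as a parameter so it can be pointed at a jail's devfs mount from the host.

```shell
#!/bin/sh
# Added example: report which ipfilter device nodes a (vnet) jail can see.
# Assumed device node names used by the ipf/ipfstat/ipnat tools on FreeBSD.
IPF_DEVICES="ipl ipnat ipstate ipauth"

# ipf_missing_devices DEVDIR: print the ipfilter nodes absent from DEVDIR
# (space separated, empty when all are present). Uses -e rather than -c so
# it can be exercised against an ordinary directory in a test.
ipf_missing_devices() {
    devdir=${1:-/dev}
    missing=""
    for d in $IPF_DEVICES; do
        [ -e "$devdir/$d" ] || missing="$missing $d"
    done
    echo "${missing# }"
}

# ipf_jail_report DEVDIR: human-readable summary; exit status 0 only when
# every node is visible, 1 when at least one is missing.
ipf_jail_report() {
    devdir=${1:-/dev}
    # Inside a jail this sysctl reports whether the jail has its own network
    # stack; on a non-FreeBSD host it simply fails and is reported as unknown.
    vnet=$(sysctl -n security.jail.vnet 2>/dev/null || echo unknown)
    echo "security.jail.vnet: $vnet"
    missing=$(ipf_missing_devices "$devdir")
    if [ -z "$missing" ]; then
        echo "all ipfilter device nodes present in $devdir"
        return 0
    fi
    echo "missing ipfilter device nodes in $devdir: $missing"
    echo "ipf/ipfstat will fail with 'no such file or directory' here"
    return 1
}

# Run the report only when invoked explicitly, e.g.: sh ipfcheck.sh run /dev
[ "${1:-}" = "run" ] && ipf_jail_report "${2:-/dev}"
```

Run it inside the jail (or against the jail's devfs from the host) to separate "the device nodes are not visible" from "ipfilter is not built or loaded", which the error text alone does not distinguish.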