Date: Mon, 9 Nov 2015 21:47:01 -0500
From: Shawn Webb
To: Kristof Provost
Cc: freebsd-current@freebsd.org
Subject: Re: pf NAT and VNET Jails
Message-ID: <20151110024701.GA2694@mutt-hardenedbsd>
In-Reply-To: <5815854.WJiA8b3P58@hbsd-dev-laptop>
X-Operating-System: FreeBSD mutt-hardenedbsd 11.0-CURRENT-HBSD FreeBSD 11.0-CURRENT-HBSD
X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE
User-Agent: Mutt/1.5.23 (2014-03-12)

On Mon, Nov 09, 2015 at 08:18:32AM -0500, Shawn Webb wrote:
> I'm using iocage for jailing.
>
> It's now looking like pf is back to being broken for me. I've tried every
> combination possible, even hardcoding the values:
>
> nat on wlan0 from {192.168.6.0/24, 192.168.7.0/24} to any -> 129.6.251.181
> pass in
> pass out
>
> I have zero idea why this isn't working. It seems that from the documentation,
> I'm doing everything right. I can see from tcpdump that the packets are
> getting forwarded, but without the src IP address being rewritten to
> 129.6.251.181.
>
> tcpdump output for a single ICMP packet, pinging to 8.8.8.8:
>
> 08:12:30.544462 IP 192.168.7.3 > 8.8.8.8: ICMP echo request, id 28131, seq 0, length 64
>
> That src IP should say 129.6.251.181.

I found the problem: it seems that the new Intel Haswell graphics support
(which I've been running with) is at odds somehow with pf NAT. Removing
Haswell graphics support means working pf NAT.

Thanks,

--
Shawn Webb
HardenedBSD
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE