From owner-freebsd-net@freebsd.org Tue Feb 9 00:43:05 2016
Date: Mon, 8 Feb 2016 13:30:39 +0600
From: Kiryanov Vassily
Organization: BF PGTU
To: freebsd-net@freebsd.org
CC: Alexey Roslyakov
Subject: Re[2]: Problem with ipfw, in-kernel NAT and port redirection to jails
Message-ID: <66-1856806937.20160208133039@bf.pstu.ru>
In-Reply-To: <56B5A77B.2010108@oneex.me>
References: <56B5A77B.2010108@oneex.me>
List-Id: Networking and TCP/IP with FreeBSD

Hello Alexey,

Thank you for this information. I have thoughts about using pf nat as an alternative way, and your example will be useful for me. But Eugene Grosbein advised me to turn off tso4 on the network card underlying my VLANs, and it was enough to solve the problem with port redirection.

Without turning tso4 off, ipfw + in-kernel NAT works fine but port redirection fails.

Saturday, February 6, 2016, 1:57:47 PM, you wrote:

ARvfn> Hello.
ARvfn>
ARvfn> I have the same problem when I'm trying to redirect incoming traffic into the
ARvfn> jailed web server.
ARvfn> I repeated my installation a few times on different releases; the problem
ARvfn> with redirected ports was there all the time (except 9.3, where there was a
ARvfn> random result).
ARvfn> As a temporary solution I am using pf nat to redirect ports.
ARvfn>
ARvfn> My test configuration:
ARvfn>
ARvfn> /etc/rc.conf:
ARvfn> ifconfig_vtnet0="inet 192.168.1.18/24"
ARvfn> defaultrouter="192.168.1.1"
ARvfn> cloned_interfaces="lo1"
ARvfn>
ARvfn> /etc/jail.conf:
ARvfn> exec.start = "/bin/sh /etc/rc";
ARvfn> exec.stop = "/bin/sh /etc/rc.shutdown";
ARvfn> exec.clean;
ARvfn> j1 {
ARvfn>     path = /home/jail1;
ARvfn>     mount.devfs;
ARvfn>     host.hostname = j1;
ARvfn>     interface = "lo1";
ARvfn>     ip4.addr = 10.8.0.1;
ARvfn>     persist;
ARvfn> }
ARvfn>
ARvfn> rc.firewall:
ARvfn> ipfw nat 1 config if vtnet0 redirect_port tcp 10.8.0.1:80 80
ARvfn> ipfw add 500 nat 1 ip from any to 192.168.1.18 in via vtnet0
ARvfn> ipfw add 600 nat 1 ip from 10.8.0.1 to any out via vtnet0
ARvfn> ipfw add allow ip from any to any
ARvfn>
ARvfn> pf.conf:
ARvfn> ext_if = "vtnet0"
ARvfn> int_if = "lo1"
ARvfn> jail_net = $int_if:network
ARvfn> nat on $ext_if from $jail_net to any -> ($ext_if)
ARvfn> rdr pass on $ext_if inet proto tcp from any to ($ext_if:0) port 80 -> 10.8.0.1 port 80
ARvfn>
ARvfn> In the jail I tried nginx, apache24 and nc as the source for redirection. The test
ARvfn> file was generated with: dd if=/dev/random of=tmp.raw bs=1M count=2
ARvfn>
ARvfn> On 10.1 and 10.2 there are no big differences: when using ipfw nat we can
ARvfn> get only part of the file (I'm using curl on a different machine: curl
ARvfn> http://192.168.1.18/tmp.raw > /dev/null):
ARvfn> with nginx: Received = 33045
ARvfn> with apache: Received = 33092
ARvfn> with nc: Received = 16384
ARvfn> and the result seems to be very stable in numbers.
ARvfn>
ARvfn> On 9.3:
ARvfn> nginx: random bytes received, no successful downloads
ARvfn> apache: random bytes received, sometimes downloads the entire file
ARvfn> nc: entire file received
ARvfn>
ARvfn> My virtual environment is proxmox 3.
ARvfn>
ARvfn> Maybe it's related to
ARvfn> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=137346 or just a not
ARvfn> properly configured ipfw nat?

-- 
Best regards,
Kiryanov                          mailto:kvas@bf.pstu.ru
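The fix the thread settles on, turning off TSO on the NIC under the VLANs, can be checked for mechanically before ipfw in-kernel NAT is enabled. As an added example (not code from either poster), this POSIX sh script reads `ifconfig` output, lists the TSO4/TSO6/LRO offload flags that hand the firewall packets larger than the wire MTU, and prints the rc.conf `ifconfig_vtnet0` line with them disabled; the ifconfig output is a constructed sample, and flagging TSO6 and LRO goes beyond the thread, where disabling tso4 alone was enough.

```shell
#!/bin/sh
# Constructed sample of `ifconfig vtnet0` output (not captured from the thread's host).
SAMPLE_IFCONFIG='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE>
    ether 52:54:00:12:34:56
    inet 192.168.1.18 netmask 0xffffff00 broadcast 192.168.1.255'

# offload_flags: read ifconfig output on stdin and print, space separated, the
# segmentation/aggregation offloads that are enabled (exact names only, so
# VLAN_HWTSO is not reported). On a live box: ifconfig vtnet0 | offload_flags
offload_flags() {
    sed -n 's/.*options=[0-9a-fA-F]*<\(.*\)>.*/\1/p' \
    | tr ',' '\n' \
    | grep -E '^(TSO4|TSO6|LRO)$' \
    | tr '\n' ' ' \
    | sed 's/ $//'
}

# rcconf_fix: take an rc.conf ifconfig_<if>="..." line plus the flag names to
# disable and print the line with the matching -tso4 / -tso6 / -lro keywords
# appended; rc.conf passes these straight through to ifconfig(8) at boot.
rcconf_fix() {
    line=$1; shift
    add=""
    for f in "$@"; do
        add="$add -$(printf '%s' "$f" | tr 'A-Z' 'a-z')"
    done
    printf '%s\n' "$line" | sed "s/\"\$/$add\"/"
}

# Demonstration on the constructed sample; $flags is left unquoted on purpose
# so that each flag becomes a separate argument to rcconf_fix.
flags=$(printf '%s\n' "$SAMPLE_IFCONFIG" | offload_flags)
if [ -n "$flags" ]; then
    echo "offload enabled on vtnet0: $flags"
    echo "suggested /etc/rc.conf line:"
    rcconf_fix 'ifconfig_vtnet0="inet 192.168.1.18/24"' $flags
fi
```

The immediate, non-persistent equivalent is `ifconfig vtnet0 -tso4` (and `-tso6 -lro` if those are listed), which is what the thread applied.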