From owner-freebsd-questions@freebsd.org Wed Aug 17 15:28:43 2016
Message-ID: <57B482B4.8090708@gmail.com>
Date: Wed, 17 Aug 2016 11:28:52 -0400
From: Ernie Luzar
To: Alexander Leidinger
CC: CyberLeo Kitsana, "Bjoern A. Zeeb", freebsd-jail@freebsd.org, Freebsd Questions, krad, lars.engels@0x20.net
Subject: Re: testing 11.0-RC1 vnet jails with ipfilter
References: <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net> <57B375C6.9030500@gmail.com> <20160817093615.Horde.6B4nFB_mNqhEm9nGwvdsXWg@webmail.leidinger.net>
In-Reply-To: <20160817093615.Horde.6B4nFB_mNqhEm9nGwvdsXWg@webmail.leidinger.net>

Here is my new rules file. I have tested it with the commented-out lines and with the comments removed. Tested on a vimage/ipfilter kernel and a vimage-only kernel. In all 4 combinations the "ipf" and "ipstat" commands work. I can see the ipf firewall rules. The problem is that when issuing the ping command from within the vnet jail nothing happens. The count of packets shown by the ipstat command stays at zero.
The /var/log/messages in the vnet jail is not populated. The ipf.log on the host only has ipv6 multicast packets from when the vnet jail is started. No ipv4 ping packets. ipfilter in a vnet/vimage jail is broken. If anyone has suggestions to try, let me know.

[devfsrules_vjail_ipf=5]
add include $devfsrules_jail
add path ipl unhide
add path ipl0 unhide
add path ipf unhide
add path ipauth unhide
add path ipnat unhide
add path ipstate unhide
# used by ipstate
#add path kmem unhide
#add path kernel unhide
# full list of ioctl used by ipf
#add path SIOCIPFFB unhide
#add path FIONREAD unhide
#add path SIOCADDFR unhide
#add path SIOCDELFR unhide
#add path SIOCIPFFR unhide
#add path SIOCADAFR unhide
#add path SIOCRMAFR unhide
#add path SIOCADIFR unhide
#add path SIOCRMIFR unhide
#add path SIOCINAFR unhide
#add path SIOCINIFR unhide
#add path SIOCSETFF unhide
#add path SIOGGETFF unhide
#add path SIOCGETFS unhide
#add path SIOCIPFFL unhide
#add path SIOCIPFFB unhide
#add path SIOCSWAPA unhide
#add path SIOCFRENB unhide
#add path SIOCFRSYN unhide
#add path SIOCFRZST unhide
#add path SIOCZRLST unhide
#add path SIOCAUTHW unhide
#add path SIOCAUTHR unhide
#add path SIOCATHST unhide
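An added check, written for this page and not part of Ernie's mail or of FreeBSD itself: a POSIX sh script that parses a devfs.rules file, lists the device names that one ruleset section unhides (commented-out lines are ignored, so the SIOC* experiments above do not count), and reports which of those nodes are absent from a given jail /dev directory. It lets you confirm that the ruleset in the mail is actually applied to the jail before suspecting the packet path. The function names, the section name argument and the jail /dev path are assumptions; on a real host the directory would be the jail's /dev.

```shell
#!/bin/sh
# Added example (not from the original mail): verify that the ipfilter device
# nodes a devfs ruleset section unhides are visible under a jail's /dev.
# Usage: ipf_devfs_missing /etc/devfs.rules devfsrules_vjail_ipf /jails/j1/dev

# Print, one per line, the device names that the named ruleset section
# unhides. Comment lines and other sections are ignored. Only active
# "add path <name> unhide" lines count; "add include ..." lines are skipped.
ipf_devfs_unhidden() {
    rules_file=$1
    section=$2
    awk -v want="$section" '
        /^[[:space:]]*#/ { next }                          # skip comment lines
        /^\[/ { in_sec = ($0 ~ ("^\\[" want "=")); next }  # e.g. [devfsrules_vjail_ipf=5]
        in_sec && $1 == "add" && $2 == "path" && $4 == "unhide" { print $3 }
    ' "$rules_file"
}

# Print the names from the section that do not exist under <jail-dev-dir>.
# Empty output means every unhidden node is present in the jail.
ipf_devfs_missing() {
    rules_file=$1
    section=$2
    devdir=$3
    for node in $(ipf_devfs_unhidden "$rules_file" "$section"); do
        [ -e "$devdir/$node" ] || echo "$node"
    done
}
```

If ipf_devfs_missing prints nothing for the jail's /dev, the devfs ruleset is applied and the ipf/ipfstat tools inside the jail have their device nodes; any remaining zero packet counts then point at the vnet packet path rather than at devfs.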