From: Michael Zhilin
Date: Thu, 18 Oct 2018 22:15:55 +0300
Subject: Re: vnet & firewalls in 12.0
To: luzar722@gmail.com
Cc: freebsd-current

Hi Ernie,

On Thu, Oct 18, 2018 at 9:36 PM Ernie Luzar wrote:

> Wanting to get a head start on using 12.0 and vnet jails with in jail
> firewall.
>
> 1. Will Vimage be compiled as a module in the 12.0 kernel and be
> included in the base system release?

I suppose it's part of GENERIC kernel configuration.

> 1.a. Has the boot time console log message about vimage being "highly
> experimental" been removed?

I don't see in dmesg such notification. 12-ALPHA3

> 2. Has the pf firewall been fixed so it can now run in a vnet jail or
> multiple vnet jails without concern for which firewall is running on
> the host?
>
> 2.a. Is each vnet/pf log only viewable from its vnet jail console?
>
> 2.b. Will pf/kernel module auto load on first call from a vnet jail?
>
> 2.c. Does vnet/pf NAT work?
>
> 3. Does the ipfw firewall still have the 11.x release mandatory
> requirements that the host must also be running ipfw for the vnet jailed
> ipfw to work?
>
> 3.a. Are all vnet/ipfw log messages still intermixed with the host's
> ipfw log messages?
>
> 3.b. Does vnet/ipfw NAT work?

I use NAT via netgraph+ipfw. It works fine (why not?). I'm patching "jng"
to add "nat" feature.

> 4. Has any work been done to ipf (ipfilter) so it will function when
> used in a vnet jail?