From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 248109] ipfilter ipf.rules & ipnat.rules not loading when vnet jail starts
Date: Sun, 19 Jul 2020 15:50:59 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248109

            Bug ID: 248109
           Summary: ipfilter ipf.rules & ipnat.rules not loading when vnet jail starts
           Product: Base System
           Version: 12.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: joeb1@a1poweruser.com

Running 12.1 on real hardware. Vnet jails using bridge/epair method.
The rc.conf in the vnet jail is populated with the normal ipfilter lines to start ipfilter at vnet jail start up.

ipfilter_enable="YES"
ipmon_enable="YES"
ipmon_flags="-D"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipf.nat.rules"

The ipf.rules file has this content

pass in quick on lo0 all
pass out quick on lo0 all
block out log quick on epair41b proto tcp from any to any port = 43
pass in log quick on epair41b all
pass out log quick on epair41b all

The ipf.nat.rules file has this content

map epair41b 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map epair41b 0.0.0.0/0 -> 0/32

I use the native jail command to start and stop the vnet jail.

jail -cv jailname
jail -rv jailname

After logging into the jail's console as root,

ipfstat -hnoi

replies with

empty list for ipfilter(out)
empty list for ipfilter(in)

ipnat -l

replies with

List of active MAP/Redirects filters:

and then a blank line.

Then I issue this command from the vnet jail's command line to load the rules

ipf -FS -Fa -f /etc/ipf.rules

followed by

ipfstat -hnoi

and the filter rules are shown and functioning. You may ask how do I know the rules are functioning? The whois command is blocked by the rule on port 43 and it will not work when I issue it from the vnet console.

The same thing is true for ipnat rules. When I issue the command to load them

ipnat -FC -f /etc/ipf.nat.rules

then this command shows results

ipnat -l

Sure hoping a fix can make it into 12.2 and/or 13.0.

For your feedback, I may be the first person to really test ipfilter inside of a vnet jail since ipfilter became vimage aware.

-- 
You are receiving this mail because:
You are the assignee for the bug.
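The report leaves the jail running with no filter or NAT rules until someone logs in and loads them by hand, which is the failure mode a practitioner cares about: a vnet jail that looks firewalled from rc.conf but is not. The script below is an added example, not code from the bug report or from FreeBSD; it turns the reporter's manual check-and-load sequence into a post-start check. The two parsing functions work on captured `ipfstat -hnoi` and `ipnat -l` output so they can be exercised offline with constructed samples; the sample lines, the rule file paths (taken from the report's rc.conf) and the exact rule-listing format of `ipfstat`/`ipnat -l` are assumptions labelled in the comments.

```sh
#!/bin/sh
# Added example (not from the bug report or FreeBSD): check whether ipfilter and
# ipnat rules are actually loaded inside a vnet jail and, if the tables are
# empty, load them with the same commands the reporter runs by hand.

IPF_RULES=/etc/ipf.rules         # path from the report's rc.conf (ipfilter_rules)
IPNAT_RULES=/etc/ipf.nat.rules   # path from the report's rc.conf (ipnat_rules)

# Constructed sample output. The "empty" samples copy what the report shows
# right after `jail -cv`; the "loaded" samples are illustrative, assuming
# `ipfstat -hnoi` prints one rule per line and `ipnat -l` echoes map/rdr rules.
SAMPLE_IPFSTAT_EMPTY='empty list for ipfilter(out)
empty list for ipfilter(in)'
SAMPLE_IPFSTAT_LOADED='0 @1 pass in quick on lo0 all
0 @2 pass out quick on lo0 all
3 @3 block out log quick on epair41b proto tcp from any to any port = 43'
SAMPLE_IPNAT_EMPTY='List of active MAP/Redirects filters:
'
SAMPLE_IPNAT_LOADED='List of active MAP/Redirects filters:
map epair41b 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map epair41b 0.0.0.0/0 -> 0.0.0.0/32

List of active sessions:'

# ipf_rules_loaded OUTPUT
# Exit 0 when OUTPUT (captured from `ipfstat -hnoi`) lists at least one
# pass/block rule; exit 1 when both in and out lists are reported empty,
# which is the state the bug report describes after the jail starts.
ipf_rules_loaded() {
    if printf '%s\n' "$1" | grep -q 'empty list for ipfilter(in)' \
       && printf '%s\n' "$1" | grep -q 'empty list for ipfilter(out)'; then
        return 1
    fi
    printf '%s\n' "$1" | grep -Eq '(pass|block) (in|out) '
}

# ipnat_rules_loaded OUTPUT
# Exit 0 when OUTPUT (captured from `ipnat -l`) contains a map or rdr rule
# under the "List of active MAP/Redirects filters:" header; exit 1 when only
# the header and a blank line are present, as in the report. Assumes ipnat -l
# prints rules in their original lowercase map/rdr syntax.
ipnat_rules_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(map|rdr) '
}

# ensure_ipfilter
# Meant to be run as root inside the vnet jail after it starts (for instance
# from a jail.conf exec.poststart hook that jexec's into the jail; that hook
# is an assumption, not something the report shows). Only touches the tables
# when they are empty, using the exact commands from the report.
ensure_ipfilter() {
    if ! ipf_rules_loaded "$(ipfstat -hnoi 2>&1)"; then
        echo "ipfilter rules not loaded, loading $IPF_RULES" >&2
        ipf -FS -Fa -f "$IPF_RULES" || return 1
    fi
    if ! ipnat_rules_loaded "$(ipnat -l 2>&1)"; then
        echo "ipnat rules not loaded, loading $IPNAT_RULES" >&2
        ipnat -FC -f "$IPNAT_RULES" || return 1
    fi
    return 0
}

# Only perform the live check when explicitly asked, so the file can also be
# sourced to reuse the parsing functions.
if [ "${1:-}" = "run" ]; then
    ensure_ipfilter
fi
```

Inside the jail, `sh ensure_ipfilter.sh run` reproduces the reporter's workaround non-interactively; the parsers deliberately key on the literal "empty list for ipfilter(in)/(out)" strings the report quotes, so a change in that wording would make the check report "loaded" and it should be re-verified against `ipfstat -hnoi` on the target release.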