Date: Thu, 05 Nov 2015 11:25:07 -0500
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Kristof Provost <kp@freebsd.org>
Cc: freebsd-current@freebsd.org
Subject: Re: pf NAT and VNET Jails
Message-ID: <13324720.omGDCH0sVj@hbsd-dev-laptop>
In-Reply-To: <089B842B-FE96-4016-BE6E-A63182422A9C@FreeBSD.org>
References: <CAExMvs=jVsASLyiqU9nTpir0Hy_s_DfChgf4XKeGWv-8yojNBw@mail.gmail.com> <20151798.z4nmEG8eZc@hbsd-dev-laptop> <089B842B-FE96-4016-BE6E-A63182422A9C@FreeBSD.org>
On Tuesday, 03 November 2015 12:44:19 AM Kristof Provost wrote:
> > On 02 Nov 2015, at 15:07, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> >
> > On Monday, 02 November 2015 02:59:03 PM Kristof Provost wrote:
> >> Can you add your pf.conf too?
> >>
> >> I’ll try upgrading my machine to something beyond 290228 to see if I can
> >> reproduce it. It’s on r289635 now, and seems to be fine. My VNET jails
> >> certainly get their traffic NATed.
> >
> > Sorry about that! I should've included it. It's pasted here:
> > http://ix.io/lLI
> >
> > It's probably not the most concise. This is a laptop that can have one of
> > three interfaces online: re0 (ethernet on the laptop), wlan0 (you can guess
> > what that is), or ue0 (usb tethering from my phone). I used to be able to
> > specify NATing like that and pf would automatically figure out which
> > outgoing device to use. Seems like that's broken now.
>
> I’ve updated my machine and things still seem to be working.
> As you said, it’s probably related to the multiple nat entries.
>
> I’ll have to make a test setup, which’ll take a bit of time, especially
> since I’m messing with the host machine at the moment.

I've figured it out. I've removed all rules and gone with a barebones
config. Right now, the laptop I'm using for NAT has an outbound interface
of wlan0 with an IP of 129.6.251.181 (from DHCP).

The following line works:

nat on wlan0 from any to any -> 129.6.251.181

The following line doesn't:

nat on wlan0 from any to any -> (wlan0)

Nor does this:

nat on wlan0 from any to any -> wlan0

From the Handbook, the lines that don't work are preferred, especially the
first non-working line, since using (wlan0) would cause pf to pick up
wlan0's IP dynamically (which is good, since wlan0 is DHCP'd). So it seems
at some point in time, doing NAT dynamically broke.
--
Shawn Webb
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAABCAAGBQJWO4LjAAoJEGqEZY9SRW7uSacP/RC2KhcfaStJhh5liGLWy97a
1pBf9IlcjCg8n89AeQSC6SJrR/v9u7b8WrhH6y0NcFgc9cE8yextXLz6SSUb/yxH
TSbXJM0/AL0pHz3hYO6h+8k2lSfaDgJ0atSBuiPU8nyfzG7/asKUm5yOgfEHJcOG
dOAfJfdS1Y/MQcaj9wcHnHW25Vh4mPxiztNcMJEpSZR7pj5DjtntanGn7agDwjDx
MwhI0DzxTWrIu2O54KOHoTPOjnuO164GvGFckRGRhehc2l4hATE051TSzcZCid0p
1mi4nbF/aoM/dij7kX1fP2FAdEWI1uiGpGRxufxdqa3gSn14ohnqhru62lYH2UeQ
yoj5aoJ0AvHs3qtv3f127aJi2vDlHKQFNRe0bbEAszO1NqHP8xJyFQVho0ELD3qB
onSZX2ZfdKQhuKqTKTqWXe81lW0NhuddAGsNeqYy9YVWz0VIrZcBjJZSY4WlPTt9
bqs1FCCoCgUoj2tDf9nvVYbWIBTEMcVFLnZp2XyzNU2TvSXWgU9M6CCvixpzJTxG
nDVlbnVbuDKjkZ0yoo/cw5+bro70nB1YudqE7Ol2u7NQZ61oYACmHAwBqH4GJwHz
Lv6ERYkQ+lzxbKtDCEXYrAaoPnVAzYyvOqbNNT6B58/ZmFzWfhyhWUTu7tMenIfF
SHWzgiMuqI5Lcoqaw4qt
=EQr+
-----END PGP SIGNATURE-----
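The three nat lines above differ in when pf resolves the translation address: a literal address is fixed forever, a bare interface name is expanded to the interface's address when the ruleset is loaded, and a parenthesised name is re-resolved whenever the interface's address changes (which is why the Handbook prefers it on a DHCP-assigned interface). The following Python model is an added example, not code from the thread or from pf itself; it is a simplified stand-in for pf's resolution logic, and the interface address tables it uses are constructed. It loads the three rules from the message, then simulates a DHCP lease change and reports which rules now translate to a stale address.

```python
import re

# Constructed sample input: the three nat lines quoted in the message above.
SAMPLE_RULES = [
    "nat on wlan0 from any to any -> 129.6.251.181",
    "nat on wlan0 from any to any -> (wlan0)",
    "nat on wlan0 from any to any -> wlan0",
]

# Simplified grammar covering only "nat on IF from X to Y -> TARGET".
NAT_RE = re.compile(
    r"^nat\s+on\s+(?P<iface>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+->\s+(?P<target>\S+)\s*$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_nat_rule(line):
    """Split one nat rule into its fields; raises on anything outside the toy grammar."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a simple nat rule: {line!r}")
    return m.groupdict()


def classify_target(target):
    """'literal' for an IPv4 address, 'dynamic' for (ifname), 'interface' for ifname."""
    if IPV4_RE.match(target):
        return "literal"
    if target.startswith("(") and target.endswith(")"):
        return "dynamic"
    return "interface"


def load_ruleset(lines, addrs_at_load):
    """Model of ruleset load: literal and bare-interface targets are fixed now;
    (ifname) targets are left unresolved so they track later address changes.
    addrs_at_load is a constructed {ifname: ipv4} table standing in for what pf
    reads from the kernel."""
    loaded = []
    for line in lines:
        rule = parse_nat_rule(line)
        kind = classify_target(rule["target"])
        if kind == "literal":
            fixed = rule["target"]
        elif kind == "interface":
            fixed = addrs_at_load.get(rule["target"])
        else:
            fixed = None  # dynamic: resolved against the current table per lookup
        loaded.append({**rule, "kind": kind, "fixed": fixed})
    return loaded


def effective_target(loaded_rule, addrs_now):
    """Address the rule translates to right now, given the current interface table."""
    if loaded_rule["kind"] == "dynamic":
        return addrs_now.get(loaded_rule["target"].strip("()"))
    return loaded_rule["fixed"]


def stale_rules(loaded, addrs_now):
    """Targets of rules whose translation address no longer matches the NAT
    interface's current address (traffic NATed to an address the box no longer owns)."""
    return [
        r["target"]
        for r in loaded
        if effective_target(r, addrs_now) != addrs_now.get(r["iface"])
    ]


if __name__ == "__main__":
    before = {"wlan0": "129.6.251.181"}  # address from the message
    after = {"wlan0": "129.6.251.200"}   # constructed: a renewed DHCP lease
    ruleset = load_ruleset(SAMPLE_RULES, before)
    print("stale right after load:", stale_rules(ruleset, before))
    print("stale after lease change:", stale_rules(ruleset, after))
```

Only the `(wlan0)` form survives the lease change in this model; both the literal address and the bare `wlan0` form keep translating to the old address, which matches the reason the Handbook steers users toward the dynamic syntax on DHCP interfaces.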
