From: Shawn Webb
To: Kristof Provost
Cc: freebsd-current@freebsd.org
Subject: Re: pf NAT and VNET Jails
Date: Thu, 05 Nov 2015 11:25:07 -0500
Message-ID: <13324720.omGDCH0sVj@hbsd-dev-laptop>
Organization: HardenedBSD
In-Reply-To: <089B842B-FE96-4016-BE6E-A63182422A9C@FreeBSD.org>
References: <20151798.z4nmEG8eZc@hbsd-dev-laptop> <089B842B-FE96-4016-BE6E-A63182422A9C@FreeBSD.org>

On Tuesday, 03 November 2015 12:44:19 AM Kristof Provost wrote:
> > On 02 Nov 2015, at 15:07, Shawn Webb wrote:
> > 
> > On Monday, 02 November 2015 02:59:03 PM Kristof Provost wrote:
> >> Can you add your pf.conf too?
> >> 
> >> I'll try upgrading my machine to something beyond 290228 to see if I can
> >> reproduce it. It's on r289635 now, and seems to be fine.
> >> My VNET jails
> >> certainly get their traffic NATed.
> > 
> > Sorry about that! I should've included it. It's pasted here:
> > http://ix.io/lLI
> > 
> > It's probably not the most concise. This is a laptop that can have one of
> > three interfaces online: re0 (ethernet on the laptop), wlan0 (you can
> > guess what that is), or ue0 (usb tethering from my phone). I used to be able to
> > specify NATing like that and pf would automatically figure out which
> > outgoing device to use. Seems like that's broken now.
> 
> I've updated my machine and things still seem to be working.
> As you said, it's probably related to the multiple nat entries.
> 
> I'll have to make a test setup, which'll take a bit of time, especially
> since I'm messing with the host machine at the moment.

I've figured it out. I've removed all rules and gone with a barebones config.

Right now, the laptop I'm using for NAT has an outbound interface of wlan0
with an IP of 129.6.251.181 (from DHCP).

The following line works:

nat on wlan0 from any to any -> 129.6.251.181

The following line doesn't:

nat on wlan0 from any to any -> (wlan0)

Nor does this:

nat on wlan0 from any to any -> wlan0

From the Handbook, the lines that don't work are preferred, especially the first
non-working line, since using (wlan0) would cause pf to pick up wlan0's IP
dynamically (which is good, since wlan0 is DHCP'd).

So it seems at some point of time, doing NAT dynamically broke.

-- 
Shawn Webb
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
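A barebones host ruleset of the kind the message describes, written as an added example rather than the poster's own pf.conf (http://ix.io/lLI); the jail network, the macro names and the forwarding sysctl are assumptions, and the static-address workaround is the form the poster reports as working.

```pf
# Minimal pf.conf for a host that NATs VNET jail traffic out of a DHCP'd
# uplink. Assumptions: wlan0 is the uplink, the jails sit on 10.0.0.0/24
# (constructed), and net.inet.ip.forwarding=1 is set on the host.
ext_if   = "wlan0"
jail_net = "10.0.0.0/24"

# Preferred form: (wlan0) resolves to the interface address when the rule
# is evaluated, so a new DHCP lease needs no ruleset reload.
# The thread reports this form not translating on the poster's -CURRENT.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Workaround reported as working: a literal address. It has to be reloaded
# (pfctl -f /etc/pf.conf) every time the DHCP lease changes.
# nat on $ext_if from $jail_net to any -> 129.6.251.181

# Limiting the source to $jail_net, rather than "from any", translates only
# jail traffic instead of everything that leaves wlan0.
# With no filter rules present pf passes all traffic, which keeps the
# test case down to the nat rule alone.

# Checks:
#   pfctl -nf /etc/pf.conf   parse the ruleset without loading it
#   pfctl -s nat             show the loaded nat rules and the address in use
#   pfctl -s state           a translated flow shows the jail source address
#                            followed by the wlan0 address it was mapped to
```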