Date:      Thu, 5 Nov 2015 23:45:25 +0100
From:      Kristof Provost <kp@FreeBSD.org>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: pf NAT and VNET Jails
Message-ID:  <D8AAC66A-ED1D-4A6C-9CCF-447CA788073A@FreeBSD.org>
In-Reply-To: <13324720.omGDCH0sVj@hbsd-dev-laptop>
References:  <CAExMvs=jVsASLyiqU9nTpir0Hy_s_DfChgf4XKeGWv-8yojNBw@mail.gmail.com> <20151798.z4nmEG8eZc@hbsd-dev-laptop> <089B842B-FE96-4016-BE6E-A63182422A9C@FreeBSD.org> <13324720.omGDCH0sVj@hbsd-dev-laptop>


> On 05 Nov 2015, at 17:25, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> I've figured it out. I've removed all rules and gone with a barebones config.
> 
> Right now, the laptop I'm using for NAT has an outbound interface of wlan0
> with an IP of 129.6.251.181 (from DHCP). The following line works:
> 
> nat on wlan0 from any to any -> 129.6.251.181
> 
> The following line doesn't:
> 
> nat on wlan0 from any to any -> (wlan0)
> 
> Nor does this:
> 
> nat on wlan0 from any to any -> wlan0
> 
> From the Handbook, the lines that don't work are preferred, especially the first
> non-working line, since using (wlan0) would cause pf to pick up wlan0's IP
> dynamically (which is good, since wlan0 is DHCP'd).
> 
> So it seems at some point in time, doing NAT dynamically broke.
> 

So far I've had no luck reproducing this.
With pf.conf:
nat on vtnet0 from any to any -> (vtnet0)
pass in
pass out

And setup code:
ifconfig bridge0 create
ifconfig epair0 create
ifconfig epair0a up
ifconfig epair0b up
ifconfig bridge0 addm epair0a

jail -c name=test host.hostname=test vnet persist
ifconfig epair0b vnet test

ifconfig bridge0 inet 10.0.0.1/24

jexec test ifconfig epair0b 10.0.0.2/23
jexec test route add default 10.0.0.1

# Activate routing
sysctl net.inet.ip.forwarding=1

pfctl -e
pfctl -g -f pf.conf

Then I run jexec test ping 8.8.8.8, which works as expected.

My home router is running CURRENT, uses vnet jails and also doesn't seem to be triggering the problem.

Perhaps we're still missing a component of the problem, but right now I have no idea what that would be.

Hmm. Perhaps… do you happen to know in what order things are done during startup?
Perhaps it's related to the fact that wlan0 is both wifi and DHCP, in the sense that pf is configured before the IP is assigned to the interface.

Can you try reloading pf with the (wlan0) rule? (Just pfctl -g -f /etc/pf.conf should do the trick).

Regards,
Kristof
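As an added example that is not part of the thread (a hypothetical pre-flight check, not a FreeBSD or pf tool): the script below tells the three translation-target forms from Shawn's mail apart and, given ifconfig output, lists any NAT interface that has no inet address yet, which is the load-before-DHCP ordering Kristof asks about. The rules and interface names are the thread's own; the ifconfig snapshot is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: run before 'pfctl -f pf.conf'.
# classify_nat_target RULE: prints addr, dynamic or static for the
# translation target of a 'nat on <if> ... -> <target>' rule.
classify_nat_target() {
    target=${1##*"-> "}            # text after the translation arrow
    target=${target%% *}           # first word only (drop 'port ...' etc.)
    case $target in
        \(*\))         echo dynamic ;;  # (wlan0): pf tracks address changes
        *[0-9].[0-9]*) echo addr ;;     # dotted IPv4 literal, e.g. 129.6.251.181
        *)             echo static ;;   # wlan0: resolved once when rules load
    esac
}

# nat_ifaces_without_inet PFCONF_TEXT IFCONFIG_TEXT: prints, one per line,
# the interfaces named in 'nat on' rules that show no 'inet' line in ifconfig.
nat_ifaces_without_inet() {
    printf '%s\n' "$1" | awk '$1 == "nat" && $2 == "on" { print $3 }' | sort -u |
    while read -r ifn; do
        printf '%s\n' "$2" | awk -v i="$ifn" '
            $0 !~ /^[[:space:]]/ { cur = $1 }          # "wlan0:" header line
            cur == (i ":") && $1 == "inet" { found = 1 }
            END { exit !found }' || echo "$ifn"
    done
}

# Constructed sample input: Shawn's dynamic rule plus an ifconfig snapshot
# taken before DHCP has handed wlan0 an address (only lo0 has inet).
PF_CONF='nat on wlan0 from any to any -> (wlan0)
pass in
pass out'
IFCONFIG_BEFORE_DHCP='wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:00:00:00:00:01
	status: associated
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 127.0.0.1 netmask 0xff000000'

for rule in 'nat on wlan0 from any to any -> 129.6.251.181' \
            'nat on wlan0 from any to any -> (wlan0)' \
            'nat on wlan0 from any to any -> wlan0'; do
    printf '%-48s %s\n' "$rule" "$(classify_nat_target "$rule")"
done
nat_ifaces_without_inet "$PF_CONF" "$IFCONFIG_BEFORE_DHCP" |
    sed 's/^/warning: no inet address yet on NAT interface /'
```

With a static 'wlan0' target the warning means the rule will bake in whatever address exists at load time, so the reload Kristof suggests is exactly what fixes it; with '(wlan0)' the warning only says the address is not there yet.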
