Date:      Thu, 5 Nov 2015 23:45:25 +0100
From:      Kristof Provost <kp@FreeBSD.org>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: pf NAT and VNET Jails
Message-ID:  <D8AAC66A-ED1D-4A6C-9CCF-447CA788073A@FreeBSD.org>
In-Reply-To: <13324720.omGDCH0sVj@hbsd-dev-laptop>
References:  <CAExMvs=jVsASLyiqU9nTpir0Hy_s_DfChgf4XKeGWv-8yojNBw@mail.gmail.com> <20151798.z4nmEG8eZc@hbsd-dev-laptop> <089B842B-FE96-4016-BE6E-A63182422A9C@FreeBSD.org> <13324720.omGDCH0sVj@hbsd-dev-laptop>

> On 05 Nov 2015, at 17:25, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> I've figured it out. I've removed all rules and went with a barebones config.
> 
> Right now, the laptop I'm using for NAT has an outbound interface of wlan0
> with an IP of 129.6.251.181 (from DHCP). The following line works:
> 
> nat on wlan0 from any to any -> 129.6.251.181
> 
> The following line doesn't:
> 
> nat on wlan0 from any to any -> (wlan0)
> 
> Nor does this:
> 
> nat on wlan0 from any to any -> wlan0
> 
> From the Handbook, the lines that don't work are preferred, especially the first
> non-working line, since using (wlan0) would cause pf to pick up wlan0's IP
> dynamically (which is good, since wlan0 is DHCP'd).
> 
> So it seems at some point of time, doing NAT dynamically broke.
> 

So far I’ve had no luck reproducing this.
With pf.conf:
nat on vtnet0 from any to any -> (vtnet0)
pass in
pass out

And setup code:
ifconfig bridge0 create
ifconfig epair0 create
ifconfig epair0a up
ifconfig epair0b up
ifconfig bridge0 addm epair0a

jail -c name=test host.hostname=test vnet persist
ifconfig epair0b vnet test

ifconfig bridge0 inet 10.0.0.1/24

jexec test ifconfig epair0b 10.0.0.2/23
jexec test route add default 10.0.0.1

# Activate routing
sysctl net.inet.ip.forwarding=1

pfctl -e
pfctl -g -f pf.conf

Then I run jexec test ping 8.8.8.8, which works as expected.

My home router is running CURRENT, uses vnet jails and also doesn’t seem to be triggering the problem.

Perhaps we’re still missing a component of the problem, but right now I have no idea what that would be.

Hmm. Perhaps… do you happen to know in what order things are done during startup?
Perhaps it’s related to the fact that wlan0 is both wifi and DHCP, in the sense that pf is configured before the IP is assigned to the interface.

Can you try reloading pf with the (wlan0) rule? (Just pfctl -g -f /etc/pf.conf should do the trick).

Regards,
Kristof
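Added example, not from this thread or from FreeBSD itself: a dhclient exit hook that acts on Kristof's ordering hypothesis by reloading pf only after dhclient has actually bound an address on the NAT interface, plus a small check that flags nat rules which hardcode a translation address instead of using the (interface) form. Assumed: the hook is installed as /etc/dhclient-exit-hooks, dhclient-script exports $reason and $interface (as it does on FreeBSD), the ruleset lives in /etc/pf.conf, and the NAT interface name wlan0 is a default taken from the thread.

```shell
#!/bin/sh
# Hypothetical /etc/dhclient-exit-hooks (assumption, not the project's file).
# Reloads pf after a DHCP lease is (re)bound so that a rule such as
#   nat on wlan0 from any to any -> (wlan0)
# loaded before the address existed is re-evaluated against the live address.

NAT_IF="${NAT_IF:-wlan0}"            # assumed NAT interface (from the thread)
PF_CONF="${PF_CONF:-/etc/pf.conf}"   # assumed ruleset path

# True for the dhclient reasons that assign or refresh an address.
reason_needs_reload() {
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT) return 0 ;;
        *) return 1 ;;
    esac
}

# True when this hook invocation concerns the NAT interface and a reason
# that changed its address; anything else leaves pf untouched.
should_reload_pf() {
    [ "$1" = "$NAT_IF" ] || return 1
    reason_needs_reload "$2"
}

# Print nat rules that hardcode an IPv4 translation address; return 1 if
# any exist. Such rules go stale when DHCP hands out a different address,
# which is why the (interface) form is preferred.
find_static_nat() {
    grep -E '^[[:space:]]*nat[[:space:]].*->[[:space:]]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$1" && return 1
    return 0
}

# Parse first (pfctl -n) so a broken file never replaces a working ruleset.
reload_pf() {
    pfctl -n -f "$PF_CONF" || return 1
    pfctl -f "$PF_CONF"
}

# dhclient-script sets $reason and $interface before sourcing this hook.
if should_reload_pf "${interface:-}" "${reason:-}"; then
    reload_pf
fi
```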
