Date: Fri, 14 Dec 2018 20:56:17 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 234021] 12.0 gateway host with vnet jail running pf firewall & NAT has no internet access
Message-ID: <bug-234021-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234021

            Bug ID: 234021
           Summary: 12.0 gateway host with vnet jail running pf firewall &
                    NAT has no internet access
           Product: Base System
           Version: 12.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: qjail1@a1poweruser.com

Trying to get a vnet jail to access the public internet. Issuing
"ping -c 2 8.8.8.8" returns a 100.0% packet loss message.

The host running the vnet jail is a gateway host, i.e., connected directly to
my ISP. The pf firewall is running on the host and in the vnet jail. The host
and the LAN behind it are functioning normally. The pf rules in the vnet jail
are doing NAT. The pflog in the vnet jail shows outbound packets only, never
an inbound reply. gateway_enable is in the vnet jail's rc.conf plus the normal
pf enable statements. Not using the "service jail" command for starting or
stopping the vnet jail. I start and stop the vnet jail using the native
jail(8) jail command. Using the bridge/epair method for vnet jail networking.
Tried a second variation where I ran ipfilter on the host and pf in the vnet
jail with the same outcome.

Running this same setup on a LAN host works, i.e., the vnet jail can ping the
public internet.

Reviewing Google search results shows all the vnet jail examples are vnet
jails on LAN hosts. Have a suspicion that gateway vnet jails have never worked
because I have tested it myself in 10.x and 11.x. Never posted a bug report
because I thought it was a vimage problem due to its experimental nature. Now
that vimage is included in the base kernel, it is time for a bug report.

Need someone from the vimage kernel project or the pf vimage-aware project to
perform their own test of vnet on a gateway host to verify if it works or not.

Also have the same results if ipfw is the vnet jail firewall.

Below is some info about my setup that may help or may not.

/root >cat /etc/jail.vnetpf1.conf
vnetpf1 {
  host.hostname = "vnetpf1";
  path = "/usr/jails/vnetpf1";
  exec.consolelog = "/var/log/jail.vnetpf1.console.log";
  mount.devfs;
  devfs_ruleset = "70";
  vnet = "new";
  vnet.interface = "epair15b";
  exec.start = "ifconfig epair15b 10.0.110.25/24";
  exec.start += "route add default 10.0.110.2";
  exec.start += "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
}

Issued from the host console:
>netstat -nr4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            65.xxx.48.1        UGS        vge0
10.0.0.0/8         link#1             U           em0
10.0.10.2          link#1             UHS         lo0
65.xxx.48.0/20     link#2             U          vge0
65.xxx.62.234      link#2             UHS         lo0
127.0.0.1          link#3             UH          lo0

Issued from the vnet jail's console:
vnetpf1 /root >netstat -nr4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.110.2         UGS    epair15b
10.0.110.0/24      link#3             U      epair15b
10.0.110.25        link#3             UHS         lo0
127.0.0.1          link#1             UH          lo0

# devfsrules for pf to function in a vnet jail.
[vnet_pf=70]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_jail
add path 'bpf*' unhide
add path pf unhide
add path pflog unhide
add path pfsync unhide

Issued from the host with the vnet jail running:
/root >ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
        ether d0:50:99:93:75:98
        inet 10.0.10.2 netmask 0xff000000 broadcast 10.255.255.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3899<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 10:00:60:21:00:93
        inet 65.xxx.62.234 netmask 0xfffff000 broadcast 255.255.255.255
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:3a:f8:d2:63:0a
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair15a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        member: vge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
epair15a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:9b:6a:d0:c6:0a
        inet6 fe80::9b:6aff:fed0:c60a%epair15a prefixlen 64 scopeid 0x6
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

# vnet jail's pf rules file
oif=epair15b
jip=10.0.110.25
pip=65.xxx.62.234
set block-policy drop
set fail-policy drop
set state-policy if-bound
scrub in on $oif all
set skip on lo0
nat on $oif from $jip to any -> $pip
block out log quick on $oif inet proto tcp from any to any port 43
pass out log (all) quick on $oif from any to any
pass in log (all) quick on $oif from any to any

-- 
You are receiving this mail because:
You are the assignee for the bug.
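An added example, not part of the bug report: a small Python checker that reads the host's "ifconfig -a" output quoted above (transcribed and trimmed here as constructed input, with the 65.xxx redaction kept, so addresses are compared as text) and reports the plumbing facts a bridged vnet jail doing NAT depends on: which host interface owns the address the jail translates to, whether any host interface is configured with the jail's default gateway address, and which host interface the jail's epair is bridged with. The function names are this example's own; it draws no conclusion about the cause and only makes these facts easy to compare between the LAN-host and gateway-host variants the reporter describes.

```python
import re
# Constructed input transcribed from the report's "ifconfig -a" on the host, trimmed
# to the lines used here; the "65.xxx" redaction is kept, so addresses are text only.
HOST_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.10.2 netmask 0xff000000 broadcast 10.255.255.255
vge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 65.xxx.62.234 netmask 0xfffff000 broadcast 255.255.255.255
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: epair15a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: vge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair15a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
"""
PF_NAT_ADDR = "65.xxx.62.234"   # $pip in the jail's "nat on $oif from $jip to any -> $pip"
JAIL_DEFAULT_GW = "10.0.110.2"  # from "route add default 10.0.110.2" in jail.vnetpf1.conf

def parse_ifconfig(text):
    # {ifname: {"inet": [IPv4 addresses], "members": [bridge member names]}}
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        words = line.split()
        if m:
            cur = m.group(1)
            ifaces[cur] = {"inet": [], "members": []}
        elif cur and words[:1] == ["inet"]:
            ifaces[cur]["inet"].append(words[1])
        elif cur and words[:1] == ["member:"]:
            ifaces[cur]["members"].append(words[1])
    return ifaces

def owner_of(ifaces, addr):
    # host interface configured with addr, or None if no interface carries it
    return next((n for n, i in ifaces.items() if addr in i["inet"]), None)

def bridge_peers(ifaces, member):
    # the other members of whichever bridge contains `member`
    for i in ifaces.values():
        if member in i["members"]:
            return [m for m in i["members"] if m != member]
    return []

def audit(ifconfig_text, nat_addr, jail_gw, epair_host_side):
    # who owns the NAT address, who (if anyone) answers for the jail's gateway,
    # and which host interface the jail's epair is bridged with
    ifaces = parse_ifconfig(ifconfig_text)
    return {"nat_addr_owner": owner_of(ifaces, nat_addr),
            "jail_gw_owner": owner_of(ifaces, jail_gw),
            "epair_bridged_with": bridge_peers(ifaces, epair_host_side)}
```

Run audit() against the ifconfig output of a LAN host where the same jail works and against the gateway host to see which of the three facts differ.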