From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 234021] 12.0 gateway host with vnet jail running pf firewall & NAT has no internet access
Date: Fri, 14 Dec 2018 20:56:17 +0000
List-Id: Bug reports (freebsd-bugs@freebsd.org)

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234021

            Bug ID: 234021
           Summary: 12.0 gateway host with vnet jail running pf firewall
                    & NAT has no internet access
           Product: Base System
           Version: 12.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: qjail1@a1poweruser.com

Trying to get a vnet jail to access the public internet.
Issuing "ping -c 2 8.8.8.8" returns a 100.0% packet loss message.

The host running the vnet jail is a gateway host, i.e. connected directly to my ISP. The pf firewall is running on the host and in the vnet jail. The host and the LAN behind it are functioning normally. The pf rules in the vnet jail are doing NAT. The pflog in the vnet jail shows outbound packets only, never an inbound reply. gateway_enable is in the vnet jail's rc.conf plus the normal pf enable statements. Not using the "service jail" command for starting or stopping the vnet jail; I start and stop the vnet jail using the native jail(8) command. Using the bridge/epair method for vnet jail networking. Tried a second variation where I ran ipfilter on the host and pf in the vnet jail, with the same outcome.

Running this same setup on a LAN host works, i.e. the vnet jail can ping the public internet.

Reviewing Google search results shows all the vnet jail examples are vnet jails on LAN hosts. I have a suspicion that gateway vnet jails have never worked, because I have tested it myself in 10.x and 11.x. Never posted a bug report because I thought it was a vimage problem due to its experimental nature. Now that vimage is included in the base kernel, it is time for a bug report.

Need someone from the vimage kernel project or the pf vimage-aware project to perform their own test of vnet on a gateway host to verify if it works or not. Also have the same results if ipfw is the vnet jail firewall.

Below is some info about my setup that may help or may not.
/root >cat /etc/jail.vnetpf1.conf
vnetpf1 {
  host.hostname = "vnetpf1";
  path = "/usr/jails/vnetpf1";
  exec.consolelog = "/var/log/jail.vnetpf1.console.log";
  mount.devfs;
  devfs_ruleset = "70";
  vnet = "new";
  vnet.interface = "epair15b";
  exec.start = "ifconfig epair15b 10.0.110.25/24";
  exec.start += "route add default 10.0.110.2";
  exec.start += "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
}

Issued from the host console
>netstat -nr4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            65.xxx.48.1        UGS        vge0
10.0.0.0/8         link#1             U           em0
10.0.10.2          link#1             UHS         lo0
65.xxx.48.0/20     link#2             U          vge0
65.xxx.62.234      link#2             UHS         lo0
127.0.0.1          link#3             UH          lo0

Issued from the vnet jail's console
vnetpf1 /root >netstat -nr4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.110.2         UGS    epair15b
10.0.110.0/24      link#3             U      epair15b
10.0.110.25        link#3             UHS         lo0
127.0.0.1          link#1             UH          lo0

# devfsrules for pf to function in a vnet jail.
[vnet_pf=70]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_jail
add path 'bpf*' unhide
add path pf unhide
add path pflog unhide
add path pfsync unhide

Issued from the host with the vnet jail running
/root >ifconfig -a
em0: flags=8843 metric 0 mtu 1500
	options=81249b
	ether d0:50:99:93:75:98
	inet 10.0.10.2 netmask 0xff000000 broadcast 10.255.255.255
	media: Ethernet autoselect (1000baseT )
	status: active
	nd6 options=29
vge0: flags=8943 metric 0 mtu 1500
	options=3899
	ether 10:00:60:21:00:93
	inet 65.xxx.62.234 netmask 0xfffff000 broadcast 255.255.255.255
	media: Ethernet autoselect (1000baseT )
	status: active
	nd6 options=29
pflog0: flags=141 metric 0 mtu 33160
	groups: pflog
bridge10: flags=8843 metric 0 mtu 1500
	ether 02:3a:f8:d2:63:0a
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: epair15a flags=143
	        ifmaxaddr 0 port 6 priority 128 path cost 2000
	member: vge0 flags=143
	        ifmaxaddr 0 port 2 priority 128 path cost 20000
	groups: bridge
	nd6 options=1
epair15a: flags=8943 metric 0 mtu 1500
	options=8
	ether 02:9b:6a:d0:c6:0a
	inet6 fe80::9b:6aff:fed0:c60a%epair15a prefixlen 64 scopeid 0x6
	groups: epair
	media: Ethernet 10Gbase-T (10Gbase-T )
	status: active
	nd6 options=21

#vnet jails pf rules file
oif=epair15b
jip=10.0.110.25
pip=65.xxx.62.234

set block-policy drop
set fail-policy drop
set state-policy if-bound
scrub in on $oif all
set skip on lo0

nat on $oif from $jip to any -> $pip

block out log quick on $oif inet proto tcp from any to any port 43
pass out log (all) quick on $oif from any to any
pass in log (all) quick on $oif from any to any

-- 
You are receiving this mail because:
You are the assignee for the bug.
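An added check, not part of the bug report and not FreeBSD code, written against the configuration quoted in the report: it reads the jail's pf NAT rule and the host's ifconfig output and flags the case where the NAT translation address is one the host itself holds on an interface that shares a bridge with the jail's epair. The reasoning the check encodes, that a reply addressed to an address the host owns on the bridged link is resolved to the host's MAC and delivered to the host rather than to the jail, is an assumption of this example, not a finding of the report. The pf text and the ifconfig excerpt are constructed from the report's own output; the address 192.0.2.10 used as a contrasting case is hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report or from FreeBSD: check whether the NAT
# translation address in a vnet jail's pf rules is an address the host itself owns
# on an interface that shares a bridge with the jail's epair.
# Assumption behind the check (not a finding of the report): if the host owns the
# NAT address on the bridged interface, the upstream router's reply is resolved to
# the host's MAC and delivered to the host, never to the jail side of the epair.

# Constructed from the report: the macros and the nat rule of the jail's pf rules file.
JAIL_PF='oif=epair15b
jip=10.0.110.25
pip=65.xxx.62.234
nat on $oif from $jip to any -> $pip'

# Constructed from the report: the host's "ifconfig -a", reduced to the lines used here.
HOST_IFCONFIG='em0: flags=8843 metric 0 mtu 1500
    inet 10.0.10.2 netmask 0xff000000 broadcast 10.255.255.255
vge0: flags=8943 metric 0 mtu 1500
    inet 65.xxx.62.234 netmask 0xfffff000 broadcast 255.255.255.255
bridge10: flags=8843 metric 0 mtu 1500
    member: epair15a flags=143
    member: vge0 flags=143
epair15a: flags=8943 metric 0 mtu 1500'

# Print the translation address of the first "nat" rule, expanding one level of $macro.
nat_target() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z_][A-Za-z0-9_]*=/ { split($0, kv, "="); m[kv[1]] = kv[2]; next }
        /^nat /                    { t = $NF; sub(/^\$/, "", t)
                                     print ((t in m) ? m[t] : t); exit }'
}

# Print the host interface carrying inet address $1 in ifconfig text $2 (nothing if none).
host_iface_for() {
    printf '%s\n' "$2" | awk -v a="$1" '
        /^[a-z]/                { ifn = $1; sub(/:$/, "", ifn) }
        $1 == "inet" && $2 == a { print ifn; exit }'
}

# Print the bridge in ifconfig text $3 that has both $1 and $2 as members (nothing if none).
same_bridge() {
    printf '%s\n' "$3" | awk -v x="$1" -v y="$2" '
        /^[a-z]/        { b = $1; sub(/:$/, "", b); split("", seen) }
        $1 == "member:" { seen[$2] = 1
                          if ((x in seen) && (y in seen)) { print b; exit } }'
}

# $1 = jail pf text, $2 = host ifconfig text, $3 = host side of the jail's epair.
# Exit status 1 means the NAT address collides with the host on the shared bridge.
check_nat_conflict() {
    t=$(nat_target "$1")
    ifn=$(host_iface_for "$t" "$2")
    if [ -z "$ifn" ]; then
        echo "ok: host does not own NAT address $t"
        return 0
    fi
    b=$(same_bridge "$ifn" "$3" "$2")
    if [ -n "$b" ]; then
        echo "conflict: NAT address $t is the host's own address on $ifn, which shares $b with $3"
        return 1
    fi
    echo "note: host owns $t on $ifn, but $ifn is not bridged with $3"
    return 0
}

# Run against the data constructed from the report.
check_nat_conflict "$JAIL_PF" "$HOST_IFCONFIG" epair15a
echo "exit status: $?"
```

The script only processes text, so on a real host the same functions can be pointed at the jail's rules file and at the output of `ifconfig -a` captured to a file; a `pfctl -sn` listing works as well, since it already has the macros expanded.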