From: Ernie Luzar
Date: Mon, 15 Aug 2016 11:37:32 -0400
To: Freebsd Questions, "freebsd-jail@freebsd.org"
Subject: testing 11.0-RC1 vnet jails with ipfilter
Message-ID: <57B1E1BC.4090205@gmail.com>

Hello list;

Running 11.0-RC1 with only option vimage compiled into the generic kernel. I can run ipfilter on the host and start vnet jails containing no firewalls just fine. But when I try to also have ipfilter run in the vnet jail, nothing happens.

I added this to the vnet jail's rc.conf:

    ipfilter_enable="YES"
    ipfilter_rules="/etc/ipf.boot.rules"
    ipmon_enable="YES"
    ipmon_flags="-Ds"

Then start the vnet jail and it's like those ipfilter statements in the vnet jail's rc.conf are not there. The vnet jail's /var/log/messages file is not even there.

Issuing "ipfstat" inside the running vnet jail to display the jail's ipfilter rules gives this error message:

    open(IPSTATE_NAME): No such file or directory

To me this means ipfilter is not running in the vnet jail even though I requested it in the vnet jail's rc.conf file.

So my question to this list is, has anyone managed to get ipfilter to run inside a vnet jail using any of the 11.0 alpha, beta, or rc versions? If so, would you please share your setup with me?

Maybe I am too close to the bleeding edge for there to be other users in the same test loop?

Thanks