Date: Wed, 21 Dec 2022 23:19:20 +1300
From: Kristof Provost <kp@freebsd.org>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: Markus Graf <markus.graf@markusgraf.net>, freebsd-ipfw@freebsd.org
Subject: Re: ipfw + bridge + epair + tags for vnet jails after upgrade to 13.1
Message-ID: <50A12FEF-6FF1-4120-9EBF-36BF0888D373@freebsd.org>
In-Reply-To: <2e13ff3f-fc55-e3ec-5aff-242ee8135570@yandex.ru>
References: <2e13ff3f-fc55-e3ec-5aff-242ee8135570@yandex.ru>
> On 21 Dec 2022, at 22:03, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
>
> 20.12.2022 13:50, Markus Graf writes:
>> I upgraded a host from 13.0 to 13.1
>> I can't have a physical interface as member of the jailbridge, because
>> this leaks virtual mac addresses of epair interfaces to the outside
>> world where my hoster looks unkindly on mac-addresses not belonging to
>> the nic of my server. So I have vnet jails behind a common ifbridge.
>> All jails have their default routes point to the bridge-interface of
>> the host. The host works as a router.
>>
>> Tags stopped working across vnet and bridge
>> -------------------------------------------
>> On a long running host that is still currently running 13.0 I have
>> this line in a vnet jail with an epair interface acme_j:
>>
>> allow tag 128 tcp from me to any 80,443 via acme_j setup uid root keep-state
>>
>> On the host I see the tags:
>>
>> # ipfw -a list 570
>> 00570 112 11276 count tagged 128
>>
>> On the updated 13.1 machine the host does not see the tags, or I can't
>> get the host to count them.
>> with epair0a being a member of the bridge. If I fetch a file in the
>> vnet jail containing epair0b the counters of em0 and bridge0
>> increment, but the counter of epair0a does not increment. Tcpdump -i
>> epair0a does show the traffic though.
>
> Hi,
>
> probably this commit caused your problem https://reviews.freebsd.org/D32663
>

I've not fully understood the problem, but if that commit "caused" it I'm inclined to say the configuration had one vnet incorrectly relying on tags set in another vnet. That was never expected to work, and if it did that was a (now fixed) bug.

Kristof