From: Kristof Provost
To: "Andrey V. Elsukov"
Cc: Markus Graf, freebsd-ipfw@freebsd.org
Subject: Re: ipfw + bridge + epair + tags for vnet jails after upgrade to 13.1
Date: Wed, 21 Dec 2022 23:19:20 +1300
Message-Id: <50A12FEF-6FF1-4120-9EBF-36BF0888D373@freebsd.org>
In-Reply-To: <2e13ff3f-fc55-e3ec-5aff-242ee8135570@yandex.ru>
References: <2e13ff3f-fc55-e3ec-5aff-242ee8135570@yandex.ru>
List-Id: IPFW Technical Discussions
List-Archive: https://lists.freebsd.org/archives/freebsd-ipfw

> On 21 Dec 2022, at 22:03, Andrey V. Elsukov wrote:
>
> 20.12.2022 13:50, Markus Graf wrote:
>> I upgraded a host from 13.0 to 13.1
>> I can't have a physical interface as member of the jailbridge, because
>> this leaks virtual mac addresses of epair interfaces to the outside
>> world where my hoster looks unkindly on mac-addresses not belonging to
>> the nic of my server. So I have vnet jails behind a common ifbridge.
>> All jails have their default routes point to the bridge-interface of
>> the host. The host works as a router.
>> Tags stopped working across vnet and bridge
>> -------------------------------------------
>> On a long running host that is still currently running 13.0 I have
>> this line in a vnet jail with an epair interface acme_j:
>> allow tag 128 tcp from me to any 80,443 via acme_j setup uid root
>> keep-state
>> On the host I see the tags:
>> # ipfw -a list 570
>> 00570 112 11276 count tagged 128
>> On the updated 13.1 machine the host does not see the tags, or I can't
>> get the host to count them.
>> with epair0a being a member of the bridge. If I fetch a file in the
>> vnet jail containing epair0b the counters of em0 and bridge0
>> increment, but the counter of epair0a does not increment. Tcpdump -i
>> epair0a does show the traffic though.
>
> Hi,
>
> probably this commit caused your problem https://reviews.freebsd.org/D32663
>

I’ve not fully understood the problem, but if that commit “caused” it I’m
inclined to say the configuration had one vnet incorrectly relying on tags
set in another vnet. That was never expected to work, and if it did that was
a (now fixed) bug.

Kristof