Date:      Sat, 6 Feb 2016 12:57:47 +0500
From:      Alexey Roslyakov <free@oneex.me>
To:        freebsd-net@freebsd.org
Cc:        wow@0x89.net
Subject:   Re: Problem with ipfw, in-kernel NAT and port redirection to jails
Message-ID:  <56B5A77B.2010108@oneex.me>
In-Reply-To: <A88A7FED-B5DD-4B1E-96A4-AE1F3EAB8E30@0x89.net>
References:  <A88A7FED-B5DD-4B1E-96A4-AE1F3EAB8E30@0x89.net>

Hello.
I have the same problem when I try to redirect incoming traffic into a 
jailed web server.
I repeated my installation a few times on different releases; the problem 
with redirected ports was there every time (except on 9.3, where the 
result was random).
As a temporary solution I am using pf nat to redirect the ports.

My test configuration:
/etc/rc.conf:
ifconfig_vtnet0="inet 192.168.1.18/24"
defaultrouter="192.168.1.1"
cloned_interfaces="lo1"

/etc/jail.conf:
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
j1 {
         path = /home/jail1;
         mount.devfs;
         host.hostname = j1;
         interface = "lo1";
         ip4.addr = 10.8.0.1;
         persist;
}

rc.firewall:
# in-kernel NAT instance 1 on vtnet0, redirecting inbound TCP/80 to the jail
ipfw nat 1 config if vtnet0 redirect_port tcp 10.8.0.1:80 80
# translate inbound traffic addressed to the host on vtnet0
ipfw add 500 nat 1 ip from any to 192.168.1.18 in via vtnet0
# translate the jail's outbound traffic leaving via vtnet0
ipfw add 600 nat 1 ip from 10.8.0.1 to any out via vtnet0
ipfw add allow ip from any to any

pf.conf:
ext_if = "vtnet0"
int_if = "lo1"
jail_net = $int_if:network
nat on $ext_if from $jail_net to any -> ($ext_if)
rdr pass on $ext_if inet proto tcp from any to ($ext_if:0) port 80 -> 10.8.0.1 port 80

In the jail I tried nginx, apache24 and nc as the source for the 
redirection. The test file was generated with: dd if=/dev/random of=tmp.raw bs=1M count=2
On 10.1 and 10.2 there are no big differences: when using ipfw nat we 
get only part of the file (I'm using curl on a different machine: curl 
http://192.168.1.18/tmp.raw > /dev/null):
with nginx: Received = 33045
with apache: Received = 33092
with nc: Received = 16384
and the result seems to be very stable in numbers.
On 9.3:
nginx: random number of bytes received, no successful downloads
apache: random number of bytes received, sometimes the entire file is downloaded
nc: entire file received

My virtual environment is Proxmox 3.
Maybe it's related to 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=137346, or is it just 
a not properly configured ipfw nat?

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?56B5A77B.2010108>