From owner-freebsd-current@freebsd.org  Sat Oct 31 18:50:17 2015
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id D5AFEA1B92B
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Sat, 31 Oct 2015 18:50:17 +0000 (UTC)
 (envelope-from shawn.webb@hardenedbsd.org)
Received: from mail-qg0-x230.google.com (mail-qg0-x230.google.com
 [IPv6:2607:f8b0:400d:c04::230])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 8EF541102
 for <freebsd-current@freebsd.org>; Sat, 31 Oct 2015 18:50:17 +0000 (UTC)
 (envelope-from shawn.webb@hardenedbsd.org)
Received: by qgad10 with SMTP id d10so87041544qga.3
 for <freebsd-current@freebsd.org>; Sat, 31 Oct 2015 11:50:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hardenedbsd_org.20150623.gappssmtp.com; s=20150623;
 h=mime-version:date:message-id:subject:from:to:content-type;
 bh=pDngZpHwYH4jY+ioRmfo6D7NPK8Hz7/UzBVsIQubwkE=;
 b=JMLAnhgYypLpV/Z95HcylfCvJDTeJ6ZtsnrQVSfO0bcKlmueCpxDQDlAiV+hHto9Wi
 H2jC4qVYheKWafM01jzElfAzwJY71piBiy466ng9LjC0kpQ6g7Q7PWeh0Mc5FtdDYsv9
 p/bcOsjTMLq53kzOv0FdC7349iEppdKJ4ibrkLQzaV0LTmtA8uofCPVFR1auAE0j3zU9
 pztkYeG1cDDgw+6bEP3RhGbHntxsfqaqPB8mWI6Pa3/ndDXMK2eKAM5hNIRqUPzDcvyd
 SsCQaRfseNNCxJjdWirRCIBNMzg/hFS34EVAktqdUjI+z3BOGzkKI6+KZHhel7t3FSg6
 o8Hw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:date:message-id:subject:from:to
 :content-type;
 bh=pDngZpHwYH4jY+ioRmfo6D7NPK8Hz7/UzBVsIQubwkE=;
 b=mb1tVB2AxLitPTjR/y9QF4y21X69VRzrBP1f81RSkUH+mHdY+XuamK+NfbHd+jNIcL
 n2CsBREY/5wnwNKjdUcEe5PGwXze0bqGKfTbyTTnoBau/sKQJhGy0FPZNEn/sX38/Dgt
 5lUrQqwowhR2FOKfrywAISshh3pkzWt1JJA/mz/1GSCK766T/dLTDxLTew2xmlcvaGff
 bIrDLMMhgmEW9gr67rcNyeNHP8VIdNJMeqLXoBW6rgB4shBwUEEQ1QPyAWVV00P5OPGs
 cxp5Pv1GCeEwzFEDbltP5Ss7qJYw7aWOSW7mslDUSeVJSbBLAxcb1ozFHwITmY/Gvf1D
 nXVQ==
X-Gm-Message-State: ALoCoQklp1thyJWf/fe3YYe6Jq7peQLWjnwQGuYdAAdYvngy/XDTbXGCBjSqEbFfSjfPq8VrEImo
MIME-Version: 1.0
X-Received: by 10.140.104.243 with SMTP id a106mr18274651qgf.19.1446317416350; 
 Sat, 31 Oct 2015 11:50:16 -0700 (PDT)
Received: by 10.140.29.201 with HTTP; Sat, 31 Oct 2015 11:50:16 -0700 (PDT)
Date: Sat, 31 Oct 2015 14:50:16 -0400
Message-ID: <CAExMvs=jVsASLyiqU9nTpir0Hy_s_DfChgf4XKeGWv-8yojNBw@mail.gmail.com>
Subject: pf NAT and VNET Jails
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.20
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Oct 2015 18:50:18 -0000

I'm at r290228 on amd64. I'm not sure which revision I was on last when it
last worked, but it seems VNET jails aren't working anymore.

I've got a bridge, bridge1, with an IP of 192.168.7.1. The VNET jails set
their default route to 192.168.7.1. The host simply NATs outbound from
192.168.7.0/24 to the rest of the world. The various epairs get added to
bridge1 and assigned to each jail. Pretty simple setup. That worked until
today. When I do tcpdump on my public-facing NIC, I see that NAT isn't
applied. When I run `ping 8.8.8.8` from the jail, the jail's 192.168.7.0/24
address gets sent on the wire.

Let me know what I can do to help debug this further.

Thanks,

Shawn Webb