From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 212000] 11.0-RC1: vimage jail with ipfilter not working
Date: Fri, 19 Aug 2016 17:19:54 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-RC1
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: qjail1@a1poweruser.com
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212000

            Bug ID: 212000
           Summary: 11.0-RC1: vimage jail with ipfilter not working
           Product: Base System
           Version: 11.0-RC1
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: qjail1@a1poweruser.com

Tested on 11.0-RC1 with only vimage compiled into the kernel.
Tested ipfilter in vnet jail and no firewall on host.
Tested ipfilter in vnet jail and on the host.

Vnet jail used this /etc/devfs.rules rule

  [devfsrules_vjail_ipf=60]
  add include $devfsrules_jail
  add path ipl unhide
  add path ipl0 unhide
  add path ipf unhide
  add path ipauth unhide
  add path ipnat unhide
  add path ipstate unhide
  # used by ipstate
  #add path kmem unhide
  #add path kernel unhide

Testing no ipfilter firewall running on host, just in vnet jail.

When starting vnet jail with ipfilter, I check if ipfilter kernel modules are
loaded, if not then loads them. Auto loading of modules does not happen.

Issuing the ipfilter command "ipfstat -hnoi" from the started vnet jail
console shows this

  0 @1 pass out quick on lo0 all
  0 @2 block out log quick on epair17b proto tcp from any to any port = nicname
  0 @3 pass out log quick on epair17b all
  0 @1 pass in quick on lo0 all
  0 @2 pass in log quick on epair17b all

There are 0 counts because the ipstate command is restricted from accessing
kmem & kernel. But this at least seems to prove ipfilter is running in the
vnet jail.

Issuing the "ping" command from the started vnet jail console works.

Issuing the "whois" command from the started vnet jail console works also,
but should not work because of the above block rule on port 43.
This indicates that the ipfilter rules in a vnet jail are not functioning.
No ipfilter log messages are posted in the vnet jail and no log messages are
posted in the host's log.

Testing ipfilter firewall running on host and vnet jail.

Issuing the ipfilter command "ipfstat -hnoi" from the host console shows this

  0 @1 pass out quick on lo0 all
  0 @2 pass out log quick on fxp0 all
  0 @1 pass in quick on lo0 all
  1 @2 pass in log quick on fxp0 all

The vnet jail results are the same as above.

But the host's ipfilter log logs this on vnet jail startup and keeps
repeating it for the whole time the vnet jail is running.

  fxp0 @0:2 p 10.0.10.2,67 -> 10.0.10.12,68 PR udp len 20 328 IN
  fxp0 @0:2 p :: -> ff02::1:ff00:50b PR icmpv6 len 40 72 icmpv6 neighborsolicit/0 OUT multicast
  fxp0 @0:2 p :: -> ff02::16 PR icmpv6 len 48 76 icmpv6 icmpv6type(143)/0 OUT multicast
  fxp0 @0:2 p :: -> ff02::16 PR icmpv6 len 48 96 icmpv6 icmpv6type(143)/0 OUT multicast
  fxp0 @0:2 p :: -> ff02::16 PR icmpv6 len 48 76 icmpv6 icmpv6type(143)/0 OUT multicast
  fxp0 @0:2 p fe80::c1:ff:fe00:50b -> ff02::16 PR icmpv6 len 48 96 icmpv6 icmpv6type(143)/0 OUT multicast
  fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
  fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
  fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
  fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
  fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
  fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
  fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
  fxp0 @0:2 p 10.0.10.7,68 -> 255.255.255.255,67 PR udp len 20 328 IN broadcast

Issuing the "ping" command from the started vnet jail console works and the
host's ipfilter log shows this

  fxp0 @0:2 p 10.0.10.7,68 -> 255.255.255.255,67 PR udp len 20 328 IN broadcast
  fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
  fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN
  fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
  fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN
  fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
  fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN
  fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
  fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN

The host's ipfilter firewall is logging the traffic on the fxp0 interface;
this is normal and expected.

I see 4 things that are strange.

1. Why is the vnet jail issuing all that ipv6 traffic? It should only be
   generated if the vnet jail interface has an ipv6 ip address coded.

2. Why is ipv4 & ipv6 traffic making it to the host and NOT showing up on
   the epair11b interface?
   This is a problem if the host has a few vnet jails running at the same
   time. IE: how am I going to control traffic on the host to target the
   correct vnet jail. In my case I use the epair number [11] in the ip
   address of the vnet jail.

3. Why are the ipfilter rules in the vnet jail not being enforced?

4. Why, in the case of no firewall on the host and ipfilter in the vnet
   jail, is there no logging any place?

-- 
You are receiving this mail because:
You are the assignee for the bug.
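The check the reporter did by hand (whois succeeding from inside the jail although rule @2 blocks port 43/nicname) can be turned into a repeatable test by snapshotting "ipfstat -hnoi" before and after the test flow and verifying that the hit counter of the block rule grew. The script below is an added example, not part of the bug report or of FreeBSD; the two snapshots are constructed text modelled on the output quoted above, and it assumes the ipfstat field layout seen there (hit count, @rule number, action, in/out direction).

```shell
#!/bin/sh
# Added example: decide whether an ipfilter rule inside a vnet jail is
# actually enforced by comparing its hit counter across two snapshots of
# "ipfstat -hnoi". Snapshots below are constructed sample text; on a live
# system they would be captured with `ipfstat -hnoi` around the test flow.

# Constructed snapshot taken before the test flow (all counters zero),
# copied from the rule set shown in the report.
BEFORE='0 @1 pass out quick on lo0 all
0 @2 block out log quick on epair17b proto tcp from any to any port = nicname
0 @3 pass out log quick on epair17b all
0 @1 pass in quick on lo0 all
0 @2 pass in log quick on epair17b all'

# Constructed snapshot for the healthy case: the outbound block rule @2
# counted the whois attempt.
AFTER_ENFORCED='0 @1 pass out quick on lo0 all
1 @2 block out log quick on epair17b proto tcp from any to any port = nicname
0 @3 pass out log quick on epair17b all
0 @1 pass in quick on lo0 all
0 @2 pass in log quick on epair17b all'

# Constructed snapshot matching the symptom in the report: nothing counted.
AFTER_UNENFORCED="$BEFORE"

# rule_hits SNAPSHOT RULENO DIRECTION
# Prints the hit counter of rule @RULENO for direction "in" or "out",
# or the word "missing" if no such rule is in the snapshot.
# Field layout of "ipfstat -hnoi": <hits> @<n> <action> <in|out> ...
rule_hits() {
    printf '%s\n' "$1" | awk -v n="@$2" -v dir="$3" '
        $2 == n && $4 == dir { print $1; found = 1; exit }
        END { if (!found) print "missing" }'
}

# rule_enforced BEFORE AFTER RULENO DIRECTION
# Succeeds (exit 0) only when the rule exists in both snapshots and its
# counter grew, i.e. the kernel actually evaluated the rule for the flow.
rule_enforced() {
    b=$(rule_hits "$1" "$3" "$4")
    a=$(rule_hits "$2" "$3" "$4")
    [ "$b" != missing ] && [ "$a" != missing ] && [ "$a" -gt "$b" ]
}

# Live usage would be: before=$(ipfstat -hnoi); run the whois test the
# report describes; after=$(ipfstat -hnoi); then check rule @2 "out".
if rule_enforced "$BEFORE" "$AFTER_ENFORCED" 2 out; then
    echo "sample 1: block rule @2 out was enforced"
fi
if ! rule_enforced "$BEFORE" "$AFTER_UNENFORCED" 2 out; then
    echo "sample 2: block rule @2 out never matched (the symptom in the report)"
fi
```

One caveat the report itself supplies: the reporter attributes the all-zero counters in the jail to ipfstat being unable to read kmem and kernel, so a zero delta is only diagnostic where the counters are known to be readable. A whois that succeeds while the counter stays at zero is the stronger evidence that the rule set is not being consulted at all.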