Date: Mon, 12 Nov 2018 10:19:37 +0100
From: Kristof Provost <kristof@sigsegv.be>
To: Ernie Luzar <luzar722@gmail.com>
Cc: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: 12.0-beta3 pf firewall NAT rule syntax for vnet jail using pf
Message-ID: <20181112091936.GA73897@vega.codepro.be>
In-Reply-To: <5BE86041.9070900@gmail.com>
References: <5BE5CE9D.9030503@gmail.com> <CE5DE9B5-C24A-435A-83FE-080F9418EFFD@sigsegv.be> <5BE86041.9070900@gmail.com>
On 2018-11-11 12:00:49 (-0500), Ernie Luzar <luzar722@gmail.com> wrote:
> Kristof Provost wrote:
> >
> > If so, how can the jail see the vge0 interface?
>
> Through the bridge? I don't really know. Just guessing.
>
Think of vnet jails as separate machines. There's no mechanism for pf hosts to exchange that sort of information between machines, so there's no mechanism for them to exchange that between host and vnet jail.

In this case your nat rule simply won't do anything, because the vge0 interface does not exist in the jail.

> I added pass to the pf nat rule so inbound packets that match entry in
> state table get passed automatically.
>
> Now using this pf nat rule
> nat pass on epair2b from 10.0.0.30/24 to any -> (epair2b)
>
> This is the ifconfig -a on the host after the vnet jail is started.
>
Your bridge doesn't have an IP address. How do you expect to route traffic arriving on that interface?

To be frank, you seem to be very confused on general networking concepts. I'd advise you to study those first, because you're going to keep struggling until you grasp the fundamentals of how IP works.

Best regards,
Kristof
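As an added illustration, not part of either message in the thread: a host-side pf.conf that places the NAT rule where the uplink interface actually exists, which is the point Kristof is making. It assumes vge0 is the host's external interface, that the bridge is named bridge0 and carries 10.0.0.1/24 as the jail's default gateway, and that epair2a is the host end of the pair whose epair2b end sits inside the jail with 10.0.0.30/24. The interface names other than vge0 and epair2b, and the 10.0.0.1 address, are assumptions chosen to fit the addresses quoted above.

```pf
# Host-side /etc/pf.conf (added example, not from the thread).
#
# Assumed layout (names and addresses other than vge0, epair2b and
# 10.0.0.30/24 are assumptions):
#   vge0     host uplink with the public address
#   bridge0  host bridge, 10.0.0.1/24, the jail's default gateway
#   epair2a  host end of the epair, member of bridge0, no address
#   epair2b  jail end, 10.0.0.30/24 inside the vnet jail, default route 10.0.0.1
#
# Host-side interface setup that this file expects, for reference:
#   ifconfig bridge0 create
#   ifconfig bridge0 inet 10.0.0.1/24 up
#   ifconfig bridge0 addm epair2a
#   ifconfig epair2a up
#   sysctl net.inet.ip.forwarding=1      # route between bridge0 and vge0
# and inside the jail:
#   ifconfig epair2b inet 10.0.0.30/24 up
#   route add default 10.0.0.1

ext_if   = "vge0"
jail_net = "10.0.0.0/24"

# Translation happens on the host, on the uplink. vge0 exists only in the
# host's vnet, so a nat rule naming vge0 (or translating on epair2b) inside
# the jail can never match anything.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Jail-sourced addresses must not appear on the uplink untranslated.
block in quick on $ext_if from $jail_net

# Jail traffic enters the host via epair2a/bridge0. Whether pf sees it on the
# member, the bridge, or both depends on net.link.bridge.pfil_member and
# net.link.bridge.pfil_bridge, so match on both. Stateful pass rules mean the
# "pass" modifier on the nat rule is unnecessary.
pass in on { bridge0 epair2a } from $jail_net to any keep state
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`; `pfctl -s state` should then show the translated entries for the jail's outbound connections, which is the quickest way to confirm NAT is actually happening on the host rather than silently matching nothing.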