Date: Sun, 28 Oct 2018 15:56:08 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: FreeBSD current <freebsd-current@freebsd.org>
Subject: Re: 12.0-BETA1 vnet with pf firewall
Message-ID: <5BD61458.9040402@gmail.com>
In-Reply-To: <6811B138-54C8-448F-A7F8-76374A077D8A@lists.zabbadoz.net>
References: <5BD5D656.4050204@gmail.com> <6811B138-54C8-448F-A7F8-76374A077D8A@lists.zabbadoz.net>

Bjoern A. Zeeb wrote:
> On 28 Oct 2018, at 15:31, Ernie Luzar wrote:
>
>> Tested with host running ipfilter and vnet running pf. Tried loading
>> pf from host console or from vnet console using kldload pf.ko command
>> and get this error message;
>>
>> linker_load_file: /boot/kernel/pf.ko-unsupported file type.
>>
>> Looks like the 12.0 version of pf which is supposed to work in vnet
>> independent of what firewall is running on the host is not working.
>
> You cannot load pf from inside a jail (with or without vnet). Kernel
> modules are global objects loaded from the base system or you compile
> the devices into the kernel; it is their state which is virtualised.
>
> If you load multiple firewalls they will all be available to the base
> system and all jails+vnet. Whichever you configure in which one is up
> to you. Just be careful as an unconfigured firewall might have a
> default action affecting the outcome of the overall decision.
>
> For example you could have:
>
> a base system using ipfilter and setting pf to default accept everything
> and a jail+vnet using pf and setting ipfilter there to accept everything.
>
>
> Hope that clarifies some things.
>
> /bz
>

Hello Bjoern.

What you said is correct for 10.x & 11.x. But I am talking about
12.0-beta1. I have the ipfilter options enabled in rc.conf of the host
and on boot ipfilter starts just like it always does. Now to prep the
host for pf in a vnet jail, I issue from the host console the
"kldload pf.ko" command and get this error message;

linker_load_file: /boot/kernel/pf.ko-unsupported file type.

Something is wrong here. This is not supposed to happen according to
your post above. Remember that in 12.0 vimage is included in the base
system kernel.
