Date: Mon, 12 Nov 2018 10:22:56 -0500
From: Ernie Luzar <luzar722@gmail.com>
To: Kristof Provost <kristof@sigsegv.be>
Cc: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: 12.0-beta3 pf firewall NAT rule syntax for vnet jail using pf
Message-ID: <5BE99AD0.1010105@gmail.com>
In-Reply-To: <20181112091936.GA73897@vega.codepro.be>
References: <5BE5CE9D.9030503@gmail.com> <CE5DE9B5-C24A-435A-83FE-080F9418EFFD@sigsegv.be> <5BE86041.9070900@gmail.com> <20181112091936.GA73897@vega.codepro.be>
Kristof Provost wrote:
> On 2018-11-11 12:00:49 (-0500), Ernie Luzar <luzar722@gmail.com> wrote:
>> Kristof Provost wrote:
>>> If so, how can the jail see the vge0 interface?
>> Through the bridge? I don't really know. Just guessing.
>>
> Think of vnet jails as separate machines. There's no mechanism for pf
> hosts to exchange that sort of information between machines, so there's
> no mechanism for them to exchange that between host and vnet jail.
>
> In this case your nat rule simply won't do anything, because the vge0
> interface does not exist in the jail.
>
>> I added pass to the pf nat rule so inbound packets that match entry in
>> state table get passed automatically.
>>
>> Now using this pf nat rule
>> nat pass on epair2b from 10.0.0.30/24 to any -> (epair2b)
>>
>> This is the ifconfig -a on the host after the vnet jail is started.
>>
> Your bridge doesn't have an IP address. How do you expect to route
> traffic arriving on that interface?
>
> To be frank, you seem to be very confused on general networking
> concepts. I'd advise you to study those first, because you're going to
> keep struggling until you grasp the fundamentals of how IP works.
>
> Best regards,
> Kristof
>

I am shocked by your reply. For someone who has a prestigious position as a FreeBSD developer, you should know that this kind of unfriendly reply is NOT what is expected on FreeBSD lists. I find your remark insulting and belittling. Other FreeBSD core members have been removed for expressing this same type of camouflaged derogatory remarks. Shame on you, you should know better.

The questions are specific to vnet jails with bridge/epair. The model being employed is what is available from internet documentation, as the FreeBSD handbook is void of any vnet info. A person in your position should already be aware of these facts. In 12.0 vnet has been upgraded to production status and the pf firewall repaired to function inside of a vnet jail.

These new functions are not documented anywhere, so of course questions are going to be asked for help. In all my reading about vnet jails I have never seen an example of the bridge having an IP address assigned directly to it. Only the epair assigned to the vnet jail has an IP address.

You can redeem your bad behavior by answering the questions and adding a complete working vnet jail using pf firewall with bridge/epair to the 12.0 release /usr/share/examples/jails, so there will be some documentation of these new production features available with 12.0 release when it's published. You can not just make changes to the system and not document them.

I'm willing to chalk this up to you having a bad day and I caught the ricochet. Let's just move forward.
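The two points raised in the quoted exchange are that a vnet jail's pf cannot reference the host's vge0 (the interface does not exist inside the jail) and that the host's bridge needs an address before it can route the jail's traffic. The following pf.conf fragment is an added illustration of a host-side configuration that follows from those two points; it is not from the thread and not an official FreeBSD example. It assumes the host's outside interface is vge0 (named in the thread), that the bridge is called bridge0 and has been given the host-side address 10.0.0.1/24 (assumed), that the jail's epair end is 10.0.0.30 on the 10.0.0.0/24 network (from the thread's NAT rule), and that IP forwarding is enabled on the host.

```pf
# Added example, not from the thread: host-side /etc/pf.conf for a vnet jail
# behind a bridge. The jail's own pf only sees its epair end, so the NAT rule
# has to live on the host, where vge0 actually exists.
#
# Assumptions: vge0 is the host's outside interface (named in the thread);
# bridge0 is the bridge and carries 10.0.0.1/24 on the host side (assumed);
# the jail's epair end is 10.0.0.30/24 (from the thread) and uses 10.0.0.1
# as its default gateway (assumed).
ext_if   = "vge0"
jail_if  = "bridge0"
jail_net = "10.0.0.0/24"

# Rewrite the source address of jail traffic to the outside interface's
# address as it leaves vge0. The parentheses make pf track vge0's address
# dynamically, so a DHCP change does not require reloading the ruleset.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Accept jail traffic arriving on the bridge and let it out through vge0.
# State is kept, so replies are matched to the existing state entry and
# need no separate inbound rule.
pass in  on $jail_if from $jail_net to any keep state
pass out on $ext_if  from $jail_net to any keep state
```

For this to route at all, the bridge must have its address (for example `ifconfig bridge0 inet 10.0.0.1/24` on the host) and the host must forward packets between interfaces (`gateway_enable="YES"` in /etc/rc.conf, which sets `net.inet.ip.forwarding=1`); both are standard FreeBSD settings, but the specific address values here are assumptions, not something the thread specifies. Restricting the NAT rule to `$jail_net` rather than `any` keeps the host from translating traffic it did not expect to originate from the jail network, which is the least-privilege choice when more interfaces are later added to the same ruleset.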