From: Ernie Luzar <luzar722@gmail.com>
To: Kristof Provost
Cc: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: 12.0-beta3 pf firewall NAT rule syntax for vnet jail using pf
Date: Mon, 12 Nov 2018 10:22:56 -0500
Message-ID: <5BE99AD0.1010105@gmail.com>
References: <5BE5CE9D.9030503@gmail.com> <5BE86041.9070900@gmail.com> <20181112091936.GA73897@vega.codepro.be>
In-Reply-To: <20181112091936.GA73897@vega.codepro.be>
Kristof Provost wrote:
> On 2018-11-11 12:00:49 (-0500), Ernie Luzar wrote:
>> Kristof Provost wrote:
>>> If so, how can the jail see the vge0 interface?
>> Through the bridge? I don't really know. Just guessing.
>>
> Think of vnet jails as separate machines. There's no mechanism for pf
> hosts to exchange that sort of information between machines, so there's
> no mechanism for them to exchange that between host and vnet jail.
>
> In this case your nat rule simply won't do anything, because the vge0
> interface does not exist in the jail.
>
>> I added pass to the pf nat rule so inbound packets that match an entry in
>> the state table get passed automatically.
>>
>> Now using this pf nat rule:
>> nat pass on epair2b from 10.0.0.30/24 to any -> (epair2b)
>>
>> This is the ifconfig -a on the host after the vnet jail is started.
>>
> Your bridge doesn't have an IP address. How do you expect to route
> traffic arriving on that interface?
>
> To be frank, you seem to be very confused on general networking
> concepts. I'd advise you to study those first, because you're going to
> keep struggling until you grasp the fundamentals of how IP works.
>
> Best regards,
> Kristof
>

I am shocked by your reply. For someone who has a prestigious position as a FreeBSD developer, you should know that this kind of unfriendly reply is NOT what is expected on FreeBSD lists. I find your remark insulting and belittling.
Other FreeBSD core members have been removed for expressing this same type of camouflaged derogatory remarks. Shame on you; you should know better.

The questions are specific to vnet jails with bridge/epair. The model being employed is what is available from internet documentation, as the FreeBSD Handbook is void of any vnet info. A person in your position should already be aware of these facts. In 12.0 vnet has been upgraded to production status and the pf firewall repaired to function inside of a vnet jail. These new functions are not documented anywhere, so of course questions are going to be asked for help.

In all my reading about vnet jails I have never seen an example of the bridge having an IP address assigned directly to it. Only the epair assigned to the vnet jail has an IP address.

You can redeem your bad behavior by answering the questions and adding a complete working vnet jail using the pf firewall with bridge/epair to the 12.0 release /usr/share/examples/jails, so there will be some documentation of these new production features available with the 12.0 release when it's published. You cannot just make changes to the system and not document them.

I'm willing to chalk this up to you having a bad day and I caught the ricochet. Let's just move forward.
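Added example, not part of this thread and not the FreeBSD project's own documentation: one layout that follows the two points made in the quoted reply (the NAT rule has to live where the external interface exists, i.e. on the host, and the bridge needs an address so the host can route for the jail). The interface names vge0, bridge0 and epair2a/epair2b, the 10.0.0.0/24 network, the jail name `www` and its path are assumed for illustration.

```conf
# --- Host: /etc/rc.conf (assumed names; bridge0 carries the gateway address) ---
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 10.0.0.1/24 up"
gateway_enable="YES"        # net.inet.ip.forwarding=1, so the host forwards jail traffic
pf_enable="YES"

# --- Host: /etc/jail.conf (vnet jail; the epair a-side joins the bridge, the b-side goes into the jail) ---
www {
    path = "/jails/www";
    host.hostname = "www.example.org";
    vnet;
    vnet.interface = "epair2b";          # only this interface is visible inside the jail
    exec.prestart  = "ifconfig epair2 create up";
    exec.prestart += "ifconfig bridge0 addm epair2a up";
    exec.start     = "/bin/sh /etc/rc";
    exec.poststop  = "ifconfig bridge0 deletem epair2a";
    exec.poststop += "ifconfig epair2a destroy";
    persist;
}

# --- Jail: /jails/www/etc/rc.conf (the jail addresses its own epair and routes via the bridge) ---
ifconfig_epair2b="inet 10.0.0.30/24"
defaultrouter="10.0.0.1"

# --- Host: /etc/pf.conf ---
ext_if   = "vge0"
jail_net = "10.0.0.0/24"

set skip on lo0

# Translation happens on the host, on the interface that actually faces the outside.
# A "nat on epair2b ... -> (epair2b)" rule inside the jail cannot reach vge0: the jail
# is its own network stack, and rewriting to the jail's own address changes nothing.
nat on $ext_if from $jail_net to any -> ($ext_if)

block in all
pass out all keep state
# Jail traffic enters the host on the bridge member epair2a and/or bridge0, depending on
# net.link.bridge.pfil_member / net.link.bridge.pfil_bridge; match both to be safe.
pass in on { bridge0 epair2a } from $jail_net keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

# --- Jail: /jails/www/etc/pf.conf (a separate pf instance; vge0 does not exist here) ---
block in all
pass out keep state
pass in on epair2b proto tcp to 10.0.0.30 port http keep state
```

Check each side separately: `pfctl -nf /etc/pf.conf` validates syntax on the host, `pfctl -s nat` shows that the translation rule is bound to vge0, and `jexec www pfctl -s rules` shows the jail's own rule set, which is independent of the host's. For the jail to run pf at all its devfs ruleset has to expose /dev/pf, and `ifconfig bridge0` on the host should show the 10.0.0.1 address that the quoted reply says was missing.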