Date: Thu, 05 Nov 2015 11:25:07 -0500
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Kristof Provost <kp@freebsd.org>
Cc: freebsd-current@freebsd.org
Subject: Re: pf NAT and VNET Jails
Message-ID: <13324720.omGDCH0sVj@hbsd-dev-laptop>
In-Reply-To: <089B842B-FE96-4016-BE6E-A63182422A9C@FreeBSD.org>
References: <CAExMvs=jVsASLyiqU9nTpir0Hy_s_DfChgf4XKeGWv-8yojNBw@mail.gmail.com> <20151798.z4nmEG8eZc@hbsd-dev-laptop> <089B842B-FE96-4016-BE6E-A63182422A9C@FreeBSD.org>
On Tuesday, 03 November 2015 12:44:19 AM Kristof Provost wrote:
> > On 02 Nov 2015, at 15:07, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> >
> > On Monday, 02 November 2015 02:59:03 PM Kristof Provost wrote:
> >> Can you add your pf.conf too?
> >>
> >> I'll try upgrading my machine to something beyond 290228 to see if I can
> >> reproduce it. It's on r289635 now, and seems to be fine. My VNET jails
> >> certainly get their traffic NATed.
> >
> > Sorry about that! I should've included it. It's pasted here:
> > http://ix.io/lLI
> >
> > It's probably not the most concise. This is a laptop that can have one of
> > three interfaces online: re0 (ethernet on the laptop), wlan0 (you can guess
> > what that is), or ue0 (usb tethering from my phone). I used to be able to
> > specify NATing like that and pf would automatically figure out which
> > outgoing device to use. Seems like that's broken now.
>
> I've updated my machine and things still seem to be working.
> As you said, it's probably related to the multiple nat entries.
>
> I'll have to make a test setup, which'll take a bit of time, especially
> since I'm messing with the host machine at the moment.

I've figured it out. I've removed all rules and went with a barebones config.

Right now, the laptop I'm using for NAT has an outbound interface of wlan0
with an IP of 129.6.251.181 (from DHCP).

The following line works:

    nat on wlan0 from any to any -> 129.6.251.181

The following line doesn't:

    nat on wlan0 from any to any -> (wlan0)

Nor does this:

    nat on wlan0 from any to any -> wlan0

From the Handbook, the lines that don't work are preferred, especially the
first non-working line, since using (wlan0) would cause pf to pick up wlan0's
IP dynamically (which is good, since wlan0 is DHCP'd).

So it seems at some point of time, doing NAT dynamically broke.

-- 
Shawn Webb
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
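The three NAT forms Shawn compares, laid out in one barebones pf.conf so the difference is easy to test in isolation. This is an added example, not Shawn's posted ruleset (http://ix.io/lLI) and not the Handbook's text; the jail network 10.0.0.0/24 and the `pass` rules are assumptions, and the lease address 129.6.251.181 is the one quoted in the message.

```pf
# Added example, not from the thread. Minimal ruleset for NATing VNET jail
# traffic out of a DHCP'd wlan0. Assumed: the jails sit on 10.0.0.0/24
# behind epair/bridge interfaces on the host, and this file is loaded on
# the host (the vnet that owns wlan0), not inside a jail.
ext_if   = "wlan0"
jail_net = "10.0.0.0/24"

set skip on lo0

# Handbook form: pf resolves wlan0's address when the rule is evaluated, so
# a DHCP lease change needs no ruleset reload. This is the variant reported
# as not translating in the message above.
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# Static form reported as working: hard-codes the lease address, so the
# ruleset must be reloaded every time DHCP hands out a different one.
# nat on $ext_if inet from $jail_net to any -> 129.6.251.181

# Bare interface name without parentheses: the address is resolved once, at
# load time. Also reported as not working in the message above.
# nat on $ext_if inet from $jail_net to any -> $ext_if

# Wide-open filter rules so that a failed translation cannot be confused
# with a dropped packet while testing.
pass
```

To see which rule actually loaded and what it resolved to, check the parse with `pfctl -vnf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, then `pfctl -s nat` prints the active translation rule (the parenthesised form is shown with the interface name, the static form with the address). While a jail pings an outside host, `pfctl -s state` shows whether the jail's source address is being rewritten to wlan0's lease; if the state entry still carries the 10.0.0.x source, the NAT rule matched nothing, which is the symptom being reported here.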