Date: Mon, 9 Nov 2015 21:47:01 -0500
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Kristof Provost <kp@freebsd.org>
Cc: freebsd-current@freebsd.org
Subject: Re: pf NAT and VNET Jails
Message-ID: <20151110024701.GA2694@mutt-hardenedbsd>
In-Reply-To: <5815854.WJiA8b3P58@hbsd-dev-laptop>
References: <CAExMvs=jVsASLyiqU9nTpir0Hy_s_DfChgf4XKeGWv-8yojNBw@mail.gmail.com> <13324720.omGDCH0sVj@hbsd-dev-laptop> <D8AAC66A-ED1D-4A6C-9CCF-447CA788073A@FreeBSD.org> <5815854.WJiA8b3P58@hbsd-dev-laptop>

On Mon, Nov 09, 2015 at 08:18:32AM -0500, Shawn Webb wrote:
> I'm using iocage for jailing.
>
> It's now looking like pf is back to being broken for me. I've tried every
> combination possible, even hardcoding the values:
>
> nat on wlan0 from {192.168.6.0/24, 192.168.7.0/24} to any -> 129.6.251.181
> pass in
> pass out
>
> I have zero idea why this isn't working. It seems that from the documentation,
> I'm doing everything right. I can see from tcpdump that the packets are
> getting forwarded, but without the src IP address being rewritten to
> 129.6.251.181.
>
> tcpdump output for a single ICMP packet, pinging to 8.8.8.8:
>
> 08:12:30.544462 IP 192.168.7.3 > 8.8.8.8: ICMP echo request, id 28131, seq 0, length 64
>
> That src IP should say 129.6.251.181.

I found the problem: it seems that the new Intel Haswell graphics support
(which I've been running with) is at odds somehow with pf NAT. Removing
Haswell graphics support means working pf NAT.

Thanks,

-- 
Shawn Webb
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
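
A check for the symptom described in the message, as an added example that is not part of the original e-mail: it reads `tcpdump -n` text output and flags packets that still carry a jail-network source address where the nat rule should have rewritten it. It assumes the capture was taken on the external interface (wlan0 in the quoted rule); the function names are hypothetical, and every sample line except the first is constructed.

```python
import ipaddress
import re

# Values taken from the nat rule quoted in the message.
NAT_SOURCES = [ipaddress.ip_network("192.168.6.0/24"),
               ipaddress.ip_network("192.168.7.0/24")]
NAT_ADDRESS = ipaddress.ip_address("129.6.251.181")

# "<ts> IP <src>[.port] > <dst>[.port]:" as printed by tcpdump -n.
# The port suffix is present for TCP/UDP and absent for ICMP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")


def classify(line):
    """Return (status, src, dst) for an IPv4 tcpdump line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # ARP, IPv6, truncated line, ...
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None  # malformed address in the capture text
    if src == NAT_ADDRESS:
        return ("translated", src, dst)
    if any(src in net for net in NAT_SOURCES):
        # Jail-to-jail traffic is not expected to be translated.
        inside = any(dst in net for net in NAT_SOURCES)
        return ("internal" if inside else "untranslated", src, dst)
    return ("other", src, dst)


def untranslated(lines):
    """Packets that left for an outside address without being NATed."""
    return [r for r in map(classify, lines) if r and r[0] == "untranslated"]


SAMPLE = [
    # From the message above:
    "08:12:30.544462 IP 192.168.7.3 > 8.8.8.8: ICMP echo request, id 28131, seq 0, length 64",
    # Constructed lines:
    "08:12:31.000100 IP 129.6.251.181 > 8.8.8.8: ICMP echo request, id 28131, seq 1, length 64",
    "08:12:31.020200 IP 8.8.8.8 > 129.6.251.181: ICMP echo reply, id 28131, seq 1, length 64",
    "08:12:32.000300 IP 192.168.6.10.51514 > 192.168.7.3.22: Flags [S], seq 1, win 65535, length 0",
    "08:12:33.000400 ARP, Request who-has 192.168.7.1 tell 192.168.7.3, length 28",
]

if __name__ == "__main__":
    for status, src, dst in untranslated(SAMPLE):
        print(f"{status}: {src} -> {dst}")
```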