Date: Mon, 10 Apr 2017 09:50:16 -0400 From: Ernie Luzar <luzar722@gmail.com> To: peter.blok@bsd4all.org Cc: Pavel Timofeev <timp87@gmail.com>, "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, freebsd-current <freebsd-current@freebsd.org> Subject: Re: VNET branch destiny Message-ID: <58EB8D98.5050904@gmail.com> In-Reply-To: <24B3E322-5B92-470D-A1D6-10DF8EF79490@bsd4all.org> References: <CAAoTqfuAvZfoC-j8JFTvrpxqFMM5DjxyDXgMhMZLj3DO2pCYTw@mail.gmail.com> <0136F3BE-4B47-4677-8D81-3FE0F5E67E79@lists.zabbadoz.net> <CAAoTqfvJ013NTQB75JeVCysfk-xk-hac-f73gXfvCt5bBo_QXA@mail.gmail.com> <CAAoTqfuQXvKAQNOwshY5mkt0dG7Z1jKC6Aae9TF4hum1aUrJsA@mail.gmail.com> <24B3E322-5B92-470D-A1D6-10DF8EF79490@bsd4all.org>
peter.blok@bsd4all.org wrote:
> There have been issues with pf if I recall correctly. I currently have issues with stable, pf and vnet. There is an issue with pf table entries when an interface is moved to a different vnet.
>
> Does anyone know if there is a specific fix for this that hasn't been ported to stable? I haven't had the time to test this on current.
>
> Peter

PF was fixed in 11.0 to not panic when run on a host that has vimage compiled into the kernel. On 11.0 you can configure pf to run in a vnet jail, but it really does not enforce any firewall rules because pf needs access to the kernel, which jail(8) is blocking by design. As far as I know this is a show stopper that can not be fixed without a pf rewrite changing the way it works internally. This PR gives all the details: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212013
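A quick way to tell whether the pf rules loaded inside a vnet jail are actually being applied is to look at the per-rule counters that `pfctl -vsr` prints: after sending traffic the rule should match, a rule whose packet counter is still zero is not filtering anything. The script below is an added example and is not part of this thread or of FreeBSD; it parses `pfctl -vsr` style output and lists the rules with a zero packet count. The interface name epair0b, the rules and the counter values are constructed sample data, not output captured from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): list pf rules whose "Packets:" counter
# is zero in `pfctl -vsr` output. Inside a jail, run traffic the rule should
# match, then pipe `pfctl -vsr` into unmatched_rules; a counter stuck at zero
# means the rule is not being enforced where you loaded it.

# Constructed sample of `pfctl -vsr` output (interface epair0b and all
# counter values are made up for the example).
SAMPLE_PFCTL_VSR='block drop in quick on epair0b inet from any to 10.0.0.5
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
pass in quick on epair0b proto tcp from any to any port = 22 flags S/SA keep state
  [ Evaluations: 120       Packets: 37        Bytes: 2960        States: 1     ]
  [ Inserted: uid 0 pid 1234 State Creations: 1     ]'

# Read pfctl -vsr text on stdin and print each rule whose packet counter is 0.
unmatched_rules() {
    awk '
        # A line not starting with "[" is the rule text; remember it.
        !/^[ \t]*\[/ { rule = $0; next }
        # The bracketed line carrying "Packets:" holds the counters.
        /Packets:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Packets:" && $(i + 1) == "0")
                    print rule
        }
    '
}

# Number of rules with a zero packet counter, reading pfctl -vsr text on stdin.
count_unmatched() {
    unmatched_rules | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample; on a real jail replace the
# printf with:  pfctl -vsr | unmatched_rules
printf '%s\n' "$SAMPLE_PFCTL_VSR" | unmatched_rules
```

On a live system pipe `pfctl -vsr` into `unmatched_rules` right after generating the traffic the rule is meant to match; with the sample above only the block rule is reported, which is the pattern you would see if pf loads the rule set but never evaluates it against the jail's packets.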