Date: Sun, 28 Oct 2018 15:56:08 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: FreeBSD current <freebsd-current@freebsd.org>
Subject: Re: 12.0-BETA1 vnet with pf firewall
Message-ID: <5BD61458.9040402@gmail.com>
In-Reply-To: <6811B138-54C8-448F-A7F8-76374A077D8A@lists.zabbadoz.net>
References: <5BD5D656.4050204@gmail.com> <6811B138-54C8-448F-A7F8-76374A077D8A@lists.zabbadoz.net>

Bjoern A. Zeeb wrote:
> On 28 Oct 2018, at 15:31, Ernie Luzar wrote:
>
>> Tested with host running ipfilter and vnet running pf. Tried loading
>> pf from host console or from vnet console using kldload pf.ko command
>> and get this error message;
>>
>> linker_load_file: /boot/kernel/pf.ko-unsupported file type.
>>
>> Looks like the 12.0 version of pf which is supposed to work in vnet
>> independent of what firewall is running on the host is not working.
>
> You cannot load pf from inside a jail (with or without vnet). Kernel
> modules are global objects loaded from the base system or you compile
> the devices into the kernel; it is their state which is virtualised.
>
> If you load multiple firewalls they will all be available to the base
> system and all jails+vnet. Whichever you configure in which one is up
> to you. Just be careful as an unconfigured firewall might have a
> default action affecting the outcome of the overall decision.
>
> For example you could have:
>
> a base system using ipfilter and setting pf to default accept everything
> and a jail+vnet using pf and setting ipfilter there to accept everything.
>
>
> Hope that clarifies some things.
>
> /bz
>

Hello Bjoern.

What you said is correct for 10.x & 11.x. But I am talking about
12.0-beta1.

I have the ipfilter options enabled in rc.conf of the host and on boot
ipfilter starts just like it always does.

Now to prep the host for pf in a vnet jail, I issue from the host
console the "kldload pf.ko" command and get this error message;

linker_load_file: /boot/kernel/pf.ko-unsupported file type.

Something is wrong here. This is not supposed to happen according to
your post above. Remember that in 12.0 vimage is included in the base
system kernel.