Date: Sun, 28 Oct 2018 15:50:46 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: "Ernie Luzar" <luzar722@gmail.com>
Cc: "FreeBSD current" <freebsd-current@freebsd.org>
Subject: Re: 12.0-BETA1 vnet with pf firewall
Message-ID: <6811B138-54C8-448F-A7F8-76374A077D8A@lists.zabbadoz.net>
In-Reply-To: <5BD5D656.4050204@gmail.com>
References: <5BD5D656.4050204@gmail.com>
On 28 Oct 2018, at 15:31, Ernie Luzar wrote:

> Tested with host running ipfilter and vnet running pf. Tried loading
> pf from host console or from vnet console using kldload pf.ko command
> and get this error message;
>
> linker_load_file: /boot/kernel/pf.ko-unsupported file type.
>
> Looks like the 12.0 version of pf which is supposed to work in vnet
> independent of what firewall is running on the host is not working.

You cannot load pf from inside a jail (with or without vnet).

Kernel modules are global objects loaded from the base system or you compile the devices into the kernel; it is their state which is virtualised.

If you load multiple firewalls they will all be available to the base system and all jails+vnet. Whichever you configure in which one is up to you. Just be careful as an unconfigured firewall might have a default action affecting the outcome of the overall decision.

For example you could have: a base system using ipfilter and setting pf to default accept everything and a jail+vnet using pf and setting ipfilter there to accept everything.

Hope that clarifies some things.

/bz
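Added example, not part of the original message: a host-side check for the caveat above that a loaded but unconfigured firewall still takes part in the decision in every environment. The `kldstat` sample and the inventory format (one `<environment> <firewall>` pair per line, listing where an explicit ruleset exists) are constructed assumptions; firewalls compiled into the kernel do not show up as `.ko` files in this listing.

```shell
#!/bin/sh
# Constructed sample of `kldstat` output taken on the host (illustrative values).
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   12 0xffffffff80200000  2448f20 kernel
 2    1 0xffffffff82a11000    5d5e0 pf.ko
 3    1 0xffffffff82a6f000    4a1c8 ipl.ko'

# Hypothetical operator-maintained inventory:
# "<environment> <firewall that has an explicit ruleset there>".
SAMPLE_INVENTORY='host ipfilter
host pf
webjail pf'

# Print the firewalls whose kernel modules are loaded, one per line.
# Modules are global, so this list applies to the host and to every jail+vnet.
loaded_firewalls() {
    printf '%s\n' "$1" | awk '
        $NF == "pf.ko"   { print "pf" }
        $NF == "ipl.ko"  { print "ipfilter" }
        $NF == "ipfw.ko" { print "ipfw" }'
}

# Print "<environment> <firewall>" for every loaded firewall that an
# environment has no explicit ruleset for, i.e. where its default action applies.
unconfigured_firewalls() {
    fws=$(loaded_firewalls "$1" | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v fws="$fws" '
        BEGIN { n = split(fws, fw, " ") }
        NF == 2 {
            if (!($1 in seen)) { order[++e] = $1; seen[$1] = 1 }
            have[$1, $2] = 1
        }
        END {
            for (i = 1; i <= e; i++)
                for (j = 1; j <= n; j++)
                    if (!((order[i], fw[j]) in have))
                        print order[i], fw[j]
        }'
}

# With the samples above this reports the jail that never configured ipfilter.
unconfigured_firewalls "$SAMPLE_KLDSTAT" "$SAMPLE_INVENTORY"
```
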