Date:      Mon, 2 Nov 2015 14:59:03 +0100
From:      Kristof Provost <kp@FreeBSD.org>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: pf NAT and VNET Jails
Message-ID:  <D9FD5254-DA54-40B0-B4D6-71F65EB3B84A@FreeBSD.org>
In-Reply-To: <6607014.lfu2kQizLV@hbsd-dev-laptop>
References:  <CAExMvs=jVsASLyiqU9nTpir0Hy_s_DfChgf4XKeGWv-8yojNBw@mail.gmail.com> <56354BD2.5060608@freebsd.org> <6607014.lfu2kQizLV@hbsd-dev-laptop>


> On 02 Nov 2015, at 14:47, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
>
> On Sunday, 01 November 2015 07:16:34 AM Julian Elischer wrote:
>> On 11/1/15 2:50 AM, Shawn Webb wrote:
>>> I'm at r290228 on amd64. I'm not sure which revision I was on last when it
>>> last worked, but it seems VNET jails aren't working anymore.
>>>
>>> I've got a bridge, bridge1, with an IP of 192.168.7.1. The VNET jails set
>>> their default route to 192.168.7.1. The host simply NATs outbound from
>>> 192.168.7.0/24 to the rest of the world. The various epairs get added to
>>> bridge1 and assigned to each jail. Pretty simple setup. That worked until
>>> today. When I do tcpdump on my public-facing NIC, I see that NAT isn't
>>> applied. When I run `ping 8.8.8.8` from the jail, the jail's
>>> 192.168.7.0/24 address gets sent on the wire.
>>>
>>> Let me know what I can do to help debug this further.
>>
>> send the list your setup script/settings?
>
> I'm using iocage to start up the jails. Here's a pasted output of
> `iocage get all mutt-hardenedbsd`: http://ix.io/lLG

Can you add your pf.conf too?

I’ll try upgrading my machine to something beyond 290228 to see if I can reproduce it.
It’s on r289635 now, and seems to be fine. My VNET jails certainly get their traffic NATed.

Thanks,
Kristof



