Date:      Mon, 02 Nov 2015 09:07:27 -0500
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Kristof Provost <kp@freebsd.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: pf NAT and VNET Jails
Message-ID:  <20151798.z4nmEG8eZc@hbsd-dev-laptop>
In-Reply-To: <D9FD5254-DA54-40B0-B4D6-71F65EB3B84A@FreeBSD.org>
References:  <CAExMvs=jVsASLyiqU9nTpir0Hy_s_DfChgf4XKeGWv-8yojNBw@mail.gmail.com> <6607014.lfu2kQizLV@hbsd-dev-laptop> <D9FD5254-DA54-40B0-B4D6-71F65EB3B84A@FreeBSD.org>



On Monday, 02 November 2015 02:59:03 PM Kristof Provost wrote:
> > On 02 Nov 2015, at 14:47, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> > 
> > On Sunday, 01 November 2015 07:16:34 AM Julian Elischer wrote:
> >> On 11/1/15 2:50 AM, Shawn Webb wrote:
> >>> I'm at r290228 on amd64. I'm not sure which revision I was on last when
> >>> it last worked, but it seems VNET jails aren't working anymore.
> >>> 
> >>> I've got a bridge, bridge1, with an IP of 192.168.7.1. The VNET jails set
> >>> their default route to 192.168.7.1. The host simply NATs outbound from
> >>> 192.168.7.0/24 to the rest of the world. The various epairs get added to
> >>> bridge1 and assigned to each jail. Pretty simple setup. That worked until
> >>> today. When I do tcpdump on my public-facing NIC, I see that NAT isn't
> >>> applied. When I run `ping 8.8.8.8` from the jail, the jail's 192.168.7.0/24
> >>> address gets sent on the wire.
> >>> 
> >>> Let me know what I can do to help debug this further.
> >> 
> >> send the list your setup script/settings?
> > 
> > I'm using iocage to start up the jails. Here's a pasted output of `iocage
> > get all mutt-hardenedbsd`: http://ix.io/lLG
> 
> Can you add your pf.conf too?
> 
> I'll try upgrading my machine to something beyond 290228 to see if I can
> reproduce it. It's on r289635 now, and seems to be fine. My VNET jails
> certainly get their traffic NATed.

Sorry about that! I should've included it. It's pasted here: http://ix.io/lLI

It's probably not the most concise. This is a laptop that can have one of
three interfaces online: re0 (ethernet on the laptop), wlan0 (you can guess
what that is), or ue0 (usb tethering from my phone). I used to be able to
specify NATing like that and pf would automatically figure out which outgoing
device to use. Seems like that's broken now.

Thanks,

-- 
Shawn Webb
HardenedBSD

GPG Key ID:                0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
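The setup described in the thread (a jail network behind bridge1, NATed out of whichever of re0, wlan0 or ue0 happens to be up), written out as a pf.conf. This is an added example, not the poster's pasted configuration (http://ix.io/lLI is not reproduced on this page) and not part of the thread; the interface names, the jail subnet and the variable names are taken from the messages above or assumed for illustration.

```pf
# Added example pf.conf (not the configuration from the thread).
# Assumptions: bridge1 carries the jails' epair ends and owns 192.168.7.1,
# and exactly one of re0 / wlan0 / ue0 is the default route at any time.
jail_net = "192.168.7.0/24"
jail_if  = "bridge1"

set skip on lo0

# One nat rule per candidate egress interface. "nat on <if>" only translates
# packets the kernel has already routed out through <if>, so the routing
# table, not pf, picks the outgoing device: whichever NIC holds the default
# route matches its own rule and the other two are simply never hit.
#
# The parenthesised address "(<if>)" is resolved at match time rather than
# when the ruleset is loaded, so a NIC that is down at boot, or that gets a
# new DHCP lease later, is still translated to its current address.
nat on re0   from $jail_net to any -> (re0)
nat on wlan0 from $jail_net to any -> (wlan0)
nat on ue0   from $jail_net to any -> (ue0)

# Do not write "nat on { re0 wlan0 ue0 } ... -> ({ re0 wlan0 ue0 })":
# pf expands lists on both sides into every combination, producing
# nine rules, six of which translate to an address that is not on the
# outgoing interface.

# Let the jails reach the host and the outside; keep state for replies.
pass in  on $jail_if from $jail_net to any keep state
pass out all keep state
```

To confirm the rules loaded as intended, run `pfctl -vnf /etc/pf.conf` (parse and print the expanded ruleset without loading it) and `pfctl -sn` (show the NAT rules currently installed). The check the poster used is the right one for the symptom: with the ruleset active, `tcpdump -ni re0 host 8.8.8.8` during a `ping 8.8.8.8` from a jail should show re0's own address as the source; a 192.168.7.x source on the wire means no nat rule matched that packet on that interface.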




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20151798.z4nmEG8eZc>