From owner-freebsd-jail@FreeBSD.ORG Mon Aug 2 11:07:03 2010
Date: Mon, 2 Aug 2010 11:07:03 GMT
Message-Id: <201008021107.o72B73OW035133@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o conf/149050  jail   [jail] rcorder ``nojail'' too coarse for Jail+VNET
o kern/147162  jail   [jail] [panic] Page Fault / Kernel panic when jail sta
s conf/142972  jail   [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail   [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

8 problems total.

From owner-freebsd-jail@FreeBSD.ORG Tue Aug 3 10:38:17 2010
Message-ID: <4C57ED8A.9000405@memberwebs.com>
Date: Tue, 3 Aug 2010 10:38:17 +0000 (UTC)
From: Stef Walter
To: freebsd-jail@freebsd.org
Reply-To: stef@memberwebs.com
Subject: segfault after recvmsg in 32-bit jail running on 64-bit kernel

I'm running older 32-bit jails on new 64-bit kernels for some clients.
Ran into a problem with certain applications that use recvmsg (in this
case clamd from the security/clamav port).

recvmsg() uses struct msghdr for in/out data. However in many cases the
msg_controllen is not properly set after calling recvmsg() from a 32-bit
process running on a 64-bit kernel.

Just wanted to give folks a heads up in case anyone runs into the same
issue.

PR filed with details, patch and test program to reproduce problem:

http://www.freebsd.org/cgi/query-pr.cgi?pr=149227

Cheers,

Stef

PS: I'm travelling and this computer is not receiving email from the
list, so please include me on any responses to this thread.

From owner-freebsd-jail@FreeBSD.ORG Tue Aug 3 15:11:25 2010
Message-ID: <4C583199.8060609@memberwebs.com>
Date: Tue, 3 Aug 2010 15:11:25 +0000 (UTC)
From: Stef Walter
To: freebsd-jail@freebsd.org
Cc: jhb@freebsd.org
Reply-To: stef@memberwebs.com
Subject: ifconfig and sysctl() PF_ROUTE fix for 32-bit jail running on 64-bit kernel

Another patch for 32-bit compatibility on 64-bit kernel. I'm running
this way for some clients with older jails...

This bug makes ifconfig output look like:

: flags=8802 mtu 1500
: flags=8843 mtu 1500
��: flags=8843 mtu 1500
	inet X.X.X.X netmask 0xffffffff broadcast X.X.X.X
: flags=8801 mtu 65536
: flags=8049 mtu 16384

Notice how the interface names are all screwed up. This bug can also
cause certain processes using PF_ROUTE to read invalid memory and crash.

Recently code was added by jhb (thanks!) to sys/net/rtsock.c [1] which
handles compatibility of 32-bit processes. I posted a patch to
freebsd-net about this a while back [2].

However there's one minor issue with the new compat shims, and that is
that the ifi_datalen member of struct if_data is not set correctly. It's
supposed to be set to the size of the if_data struct, but in this case
it's set to the size of the 64-bit struct instead of the 32-bit one.

Just wanted to give folks a heads up in case anyone runs into the same
issue.

PR filed with details, patch and test program to reproduce problem:

http://www.freebsd.org/cgi/query-pr.cgi?pr=149240

Cheers,

Stef

PS: I'm traveling and this computer is not receiving email from the
list, so please CC stef@memberwebs.com on any responses to this thread.
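Added sanity check for the recvmsg() msg_controllen problem reported in the earlier message of this digest; it is a constructed example, not the test program attached to PR 149227, and the function name check_recvmsg_controllen is my own. It passes one descriptor over an AF_UNIX socketpair with SCM_RIGHTS and then verifies that the msg_controllen the kernel hands back is consistent with the control buffer supplied and that the CMSG_* walk recovers a usable descriptor; it assumes a POSIX system with SCM_RIGHTS, and on a kernel showing the reported bug the length checks are the ones expected to fail.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Constructed check, not the PR 149227 test program.  Sends one descriptor
 * (for /dev/null) over an AF_UNIX socketpair with SCM_RIGHTS and verifies
 * that recvmsg() returned a usable msg_controllen.  Returns 0 on success or
 * a positive code naming the first check that failed. */
int check_recvmsg_controllen(void)
{
    int rc = 0, sv[2] = { -1, -1 }, sent_fd = -1, got_fd = -1, records = 0;
    char payload = 'x';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    /* The union keeps the control buffer aligned for struct cmsghdr. */
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cbuf;
    struct msghdr msg;
    struct cmsghdr *cm;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) { rc = 1; goto out; }
    if ((sent_fd = open("/dev/null", O_RDONLY)) == -1) { rc = 2; goto out; }

    /* Sender: one byte of payload plus one SCM_RIGHTS record. */
    memset(&cbuf, 0, sizeof cbuf);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf.buf;
    msg.msg_controllen = sizeof cbuf.buf;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &sent_fd, sizeof(int));
    if (sendmsg(sv[0], &msg, 0) != 1) { rc = 3; goto out; }

    /* Receiver: poison the buffer and hand the kernel the full buffer
     * length, the way clamd and other fd-passing daemons call recvmsg(). */
    memset(&cbuf, 0xff, sizeof cbuf);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf.buf;
    msg.msg_controllen = sizeof cbuf.buf;
    if (recvmsg(sv[1], &msg, 0) != 1) { rc = 4; goto out; }

    /* Check 1: the reported length must fit the buffer we supplied and be
     * at least one cmsghdr plus one int.  A stale or oversize value here is
     * the symptom the 32-bit-on-64-bit report describes. */
    if (msg.msg_flags & MSG_CTRUNC)                 { rc = 5; goto out; }
    if (msg.msg_controllen > sizeof cbuf.buf)       { rc = 6; goto out; }
    if (msg.msg_controllen < CMSG_LEN(sizeof(int))) { rc = 7; goto out; }

    /* Check 2: the CMSG_* walk must yield exactly one SCM_RIGHTS record. */
    for (cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        records++;
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS &&
            cm->cmsg_len == CMSG_LEN(sizeof(int)))
            memcpy(&got_fd, CMSG_DATA(cm), sizeof(int));
    }
    if (records != 1 || got_fd < 0) { rc = 8; goto out; }

    /* Check 3: the passed descriptor must be a live, usable fd. */
    if (fcntl(got_fd, F_GETFD) == -1) rc = 9;

out:
    if (got_fd != -1) close(got_fd);
    if (sent_fd != -1) close(sent_fd);
    if (sv[0] != -1) close(sv[0]);
    if (sv[1] != -1) close(sv[1]);
    return rc;
}

int main(void)
{
    int rc = check_recvmsg_controllen();
    printf("recvmsg msg_controllen check: %s (code %d)\n",
           rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Build it as a 32-bit binary and run it inside the 32-bit jail on the 64-bit host to compare against a native run; a nonzero code identifies which check tripped.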
[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/net/rtsock.c?rev=1.187;content-type=text/x-cvsweb-markup
[2] http://www.mail-archive.com/freebsd-net@freebsd.org/msg30230.html

From owner-freebsd-jail@FreeBSD.ORG Wed Aug 4 21:14:44 2010
Message-ID: <4C59D871.1010506@gmail.com>
Date: Wed, 04 Aug 2010 22:15:29 +0100
From: Michael
To: freebsd-jail@freebsd.org
Cc: smithi@nimnet.asn.au
In-Reply-To: <20100801021347.O34284@sola.nimnet.asn.au>
Subject: Re: trouble getting Jail with IPFW+NAT to work

On 31/07/2010 17:44, Ian Smith wrote:
> On Sat, 31 Jul 2010, Rick van der Zwet wrote:
>
> But mainly, you have no nat rule for the response packets coming in on
> the outside interface, which is where they need to get mapped back to
> the internal address/es. Generally better to not use 'via' but be more
> specific (ie clear) about direction on nat rules:
>
> ${fwcmd} add nat 200 all from 10.0.0.0/24 to any out xmit re0
> ${fwcmd} add nat 200 all from any to ${outside_addr} in recv re0
>
> $outside_addr can be 'any', if you're not routing other addresses.

I have run into some troubles using the above rules. At first it looks
all good (to me) and works fine. Here are my rules:

$cmd_nat nat 1 config reset if $if_ext log same_ports
$cmd_nat 10 add nat 1 udp from $jail_ip to $dns out xmit $if_ext jail $jail_jid
$cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext

The problem is that rule 20 can not distinguish between replies to the
jail and replies to localhost. In other words it catches answers both to
the host system and to the jailed system.

I can tell that after checking counters on rule 20. They go up even when
I run "host freebsd.org" on localhost (host environment for jails).

Note that this problem doesn't apply to rule 10 because of the "jail"
match pattern.
Unfortunately this rule option doesn't work for incoming packets, i.e.
this rule is not working:

$cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext jail $jail_jid

What am I missing? How can ipfw distinguish between incoming packets for
the jailed system (in which case they should be NATed) and incoming
packets for the host system (in which case they shouldn't be NATed)?

Thank you in advance.

Michael

From owner-freebsd-jail@FreeBSD.ORG Thu Aug 5 06:12:46 2010
Message-ID: <20100805144424.P34284@sola.nimnet.asn.au>
Date: Thu, 5 Aug 2010 16:12:43 +1000 (EST)
From: Ian Smith
To: Michael
Cc: freebsd-jail@freebsd.org
In-Reply-To: <4C59D871.1010506@gmail.com>
Subject: Re: trouble getting Jail with IPFW+NAT to work

On Wed, 4 Aug 2010, Michael wrote:
> On 31/07/2010 17:44, Ian Smith wrote:
> > On Sat, 31 Jul 2010, Rick van der Zwet wrote:
> >
> > But mainly, you have no nat rule for the response packets coming in on
> > the outside interface, which is where they need to get mapped back to
> > the internal address/es. Generally better to not use 'via' but be more
> > specific (ie clear) about direction on nat rules:
> >
> > ${fwcmd} add nat 200 all from 10.0.0.0/24 to any out xmit re0
> > ${fwcmd} add nat 200 all from any to ${outside_addr} in recv re0
> >
> > $outside_addr can be 'any', if you're not routing other addresses.
>
> I have run into some troubles using the above rules. At first it looks
> all good (to me) and works fine. Here are my rules:
>
> $cmd_nat nat 1 config reset if $if_ext log same_ports
> $cmd_nat 10 add nat 1 udp from $jail_ip to $dns out xmit $if_ext jail $jail_jid
> $cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext
>
> The problem is that rule 20 can not distinguish between replies to the
> jail and replies to localhost. In other words it catches answers both
> to the host system and to the jailed system.
>
> I can tell that after checking counters on rule 20. They go up even
> when I run "host freebsd.org" on localhost (host environment for jails).
>
> Note that this problem doesn't apply to rule 10 because of the "jail"
> match pattern. Unfortunately this rule option doesn't work for incoming
> packets, i.e. this rule is not working:
>
> $cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext jail $jail_jid
>
> What am I missing? How can ipfw distinguish between incoming packets
> for the jailed system (in which case they should be NATed) and incoming
> packets for the host system (in which case they shouldn't be NATed)?

First checking your assumptions: you want the jail, ie packets from
$jail_ip, to be able to communicate to the outside only on UDP, and only
to address $dns? (or dns="$address 53")?

If you pass incoming packets to NAT that match with its table of source
address/port, destination address/port and protocol, established when an
outgoing packet was mapped from an inside to the outside address, then
they will be mapped back to the original address/port.
Otherwise, they will be unaffected and so delivered to the address
specified (here, to the current address of $if_ext).

It should be clear that rule 20 can't distinguish on $jail_jid _before_
the NAT translation; at this stage all packets are addressed to $extIP
and nothing else is known, so it's not "doesn't work" but "couldn't".

You need another rule _after_ doing inbound NAT to allow/deny/whatever
packets that are NOW from $dns destined for $jail_ip (plus $jail_jid if
you like, but that's implied by $jail_ip anyway).

Basically, using NAT you have to pass all inbound ip4 packets received
on your external interface to NAT (unless you're receiving packets for
more than one external IP); only after NAT can you distinguish packets
then destined for different addresses. Only on packets going out from
your external address can you restrict NATing to only certain flows.

HTH, Ian

PS if it gets more complicated, maybe freebsd-ipfw is the better list?

From owner-freebsd-jail@FreeBSD.ORG Thu Aug 5 21:49:01 2010
Message-ID: <4C5B3206.1000900@gmail.com>
Date: Thu, 05 Aug 2010 22:49:58 +0100
From: Michael
To: smithi@nimnet.asn.au
Cc: freebsd-jail@freebsd.org
In-Reply-To: <20100805144424.P34284@sola.nimnet.asn.au>
Subject: Re: trouble getting Jail with IPFW+NAT to work

On 05/08/2010 07:12, Ian Smith wrote:
>
> First checking your assumptions: you want the jail, ie packets from
> $jail_ip, to be able to communicate to the outside only on UDP, and only
> to address $dns? (or dns="$address 53")?

No no :) It was just exempt from my ruleset.
I'm a great believer in the least privilege principle and fine-grained
filtering so I am using rules like that:

$cmd 66 add nat 1 udp from $jail $ports_range_bc to $dns 53 out xmit $if_ext jail $jail_jid uid $user_jail

But it only makes things complicated so let's start from scratch with a
simplified ruleset:

cmd="/sbin/ipfw -q add"
cmd_nat="/sbin/ipfw -q"
jail="127.127.127.1"

/sbin/ipfw -q -f flush

$cmd 10 allow all from 127.0.0.1 to 127.0.0.1 via lo0

$cmd_nat nat 1 config reset if wlan0 log same_ports
$cmd_nat 21 add nat 1 udp from $jail to any out xmit wlan0 jail 1
$cmd_nat 22 add nat 1 udp from any to any in recv wlan0

$cmd 31 allow udp from me to any out via wlan0 jail 1
$cmd 32 allow udp from any to $jail in via wlan0 jail 1
$cmd 41 allow udp from me to any out via wlan0
$cmd 42 allow udp from any to me in via wlan0
$cmd 51 allow tcp from me to any out via wlan0
$cmd 52 allow tcp from any to me in via wlan0

The purpose of which is to allow both host and jailed system to perform
a DNS lookup. They seem to be good but rule 22 causes big problems.

> Basically, using NAT you have to pass all inbound ip4 packets received
> on your external interface to NAT (unless you're receiving packets for

I was not aware of that, as you see my understanding of networks is not
too deep. Thanks for your explanation. I guess I was confused by pf
rules where I had to specify only one NAT rule - for outgoing traffic.

Ok so I'm making a DNS lookup from the host system. It goes out via rule
41. Replies go into NAT and that is why counters on rule 22 go up. Then
it goes to rule number 42 and everything works fine.

I have a big problem with this kind of catch-all NAT rule - the ruleset
above doesn't work for changing IP address on wlan0. Let's say it was
loaded while the DHCP server was down and wlan0 had no IP address
assigned yet. After a while the DHCP server became available and wlan0
got its address. When I do the same lookup from the host system it goes
out via rule number 41.
Then again it falls into NAT rule 22. Now after that it simply gets
blocked by the default rule and never gets into rule 42. The same
applies for any UDP traffic that is caught by the incoming NAT rule. TCP
connections (rules 51 and 52) that are not NATed are working fine.

Manually reloading my ruleset fixes the problem but it's not a solution.

Any ideas what is going on?

Michael

From owner-freebsd-jail@FreeBSD.ORG Sat Aug 7 17:10:07 2010
Message-ID: <20100807165417.M48418@maildrop.int.zabbadoz.net>
Date: Sat, 7 Aug 2010 17:05:52 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Isaac Levy
Cc: freebsd-jail@freebsd.org
In-Reply-To: <201007221934.o6MJYA7f020607@rs54.luxsci.com>
Subject: Re: sysvipc in jails + CURRENT

On Thu, 22 Jul 2010, Isaac Levy wrote:

Hi ike,

long time no see.

> I could be doing something stupid, or I've dug up an old bug,
> (http://www.mail-archive.com/freebsd-jail@freebsd.org/msg00859.html).
>
> I cannot get good ol' trusty enforce_statfs to work, allowing me to see
> different mounts from within a jail.
>
> --
> The example jail command I'm using, (new-style),
> jail -c path=$JDIR host.hostname=$JHOSTNAME ip4.addr="$INET" enforce_statfs=1 command=/bin/sh /etc/rc
>
> I've tried everything- including attempting to change my sysctls over
> and over, (including /etc/sysctl.conf with rebooting).
> Interestingly:
> The old standard 'security.jail.enforce_statfs' was not something I
> could modify, *until* I put a sysctl value in /etc/sysctl.conf which was
> not 0 (1 or 2 both will let me set the sysctl value once the system is
> booted).
> If I have "security.jail.enforce_statfs=0", to my surprise, I cannot
> change that sysctl on the host system as I would usually expect.
> (This is what makes me think this smells like a bug)
>
> My extra mounts are UFS volumes, mounted right into the jail directory,
> (on another ufs volume).
>
> What follows, are just machine stats if anyone wants them?
>
> I'd love any thoughts, urls, no matter how brief...

I am confused but maybe I can help you with some explanation:

1) do not change the sysctl anywhere; that is neither in sysctl.conf nor
   by other magic or by hand. The default on 8 and 9 should be 2. You
   can check that with sysctl security.jail.enforce_statfs still I think.

2) Creating a new jail

   > jail -c path=/jail/j1 persist

   I can see:

   > jexec 1 mount
   192.168.5.1:/zoo/bz/HEAD on / (nfs)

   And

   > jls -s -j 1 enforce_statfs
   enforce_statfs=2

   confirms the default.

3) modifying the jail:

   > jail -m jid=1 enforce_statfs=1

   I can now see:

   > jexec 1 mount
   192.168.5.1:/zoo/bz/HEAD on / (nfs)
   devfs on /dev (devfs, local, multilabel)
   192.168.5.1:/zoo/bz on /zoo/bz (nfs)

   And jls confirms that the modification was successful:

   > jls -s -j 1 enforce_statfs
   enforce_statfs=1

4) If you lower the default by changing the sysctl, all your jails that
   have a higher level will be lowered as well.

5) But if you up the default again, they won't change back up.

I think that you are right, that there is a bug here, as 4) and 5)
should be working the other way round I think.

Anyway, the summary is: if you don't change the default a

  jail -c enforce_statfs=1 ...

should just work fine.

Hope this helps.

/bz

-- 
Bjoern A. Zeeb                                 This signature is about you not me.