From owner-freebsd-pf@freebsd.org Sun Dec 9 21:00:07 2018
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 9 Dec 2018 21:00:04 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      | Bug Id    | Description
------------+-----------+---------------------------------------------------
Open        | 203735    | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.
From owner-freebsd-pf@freebsd.org Wed Dec 12 18:30:29 2018
From: Archit Pandey
Date: Thu, 13 Dec 2018 00:00:13 +0530
Subject: Using Callout with ALTQ
To: freebsd-pf@freebsd.org
Hello all!

I had a query regarding the altq subsystem of the FreeBSD kernel code. Is it
advisable to use callout calls in altq code, which in turn works with pf?

I'm working on implementing ADAPTIVE-RED altq for FreeBSD, if that helps.

Thanks in advance for any help!

Regards,
Archit Pandey.

--
Junior Year Undergraduate
Department of Computer Science and Engineering
National Institute of Technology Karnataka
Surathkal, India

From owner-freebsd-pf@freebsd.org Thu Dec 13 00:02:42 2018
Date: Thu, 13 Dec 2018 01:02:32 +0100
From: Goran Mekić
To: freebsd-pf@freebsd.org
Subject: VNET jails and PF service
Hello,

I can't start PF as a service from a vnet jail. I have a devfs rule to unhide
bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f
/etc/pf.conf" but "service pf start" fails with:

kldload: can't load pf: Operation not permitted
/etc/rc.d/pf: WARNING: Unable to load kernel module pf

That's expected given
https://svnweb.freebsd.org/base/releng/12.0/libexec/rc/rc.d/pf?view=markup#l25
in the rc file. What is the proper way to enable PF in a VNET jail?
Regards,
meka

From owner-freebsd-pf@freebsd.org Thu Dec 13 00:46:57 2018
Subject: Re: VNET jails and PF service
To: Goran Mekić, freebsd-pf@freebsd.org
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Thu, 13 Dec 2018 01:46:46 +0100

Goran Mekić wrote on 2018/12/13 01:02:
> Hello,
>
> I can't start PF as service from vnet jail. I have devfs rule to unhide
> bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f
> /etc/pf.conf" but "service pf start" fails with:
>
> kldload: can't load pf: Operation not permitted
> /etc/rc.d/pf: WARNING: Unable to load kernel module pf
>
> That's expected given https://svnweb.freebsd.org/base/releng/12.0/libexec/rc/rc.d/pf?view=markup#l25
> in the rc file. What is the proper way to enable PF in VNET jail?

Do you have PF compiled in to your kernel or loaded as module pf.ko in the
host?

Miroslav Lachman

From owner-freebsd-pf@freebsd.org Thu Dec 13 08:30:15 2018
Date: Thu, 13 Dec 2018 09:30:12 +0100
From: Kristof Provost
To: Goran Mekić
Cc: freebsd-pf@freebsd.org
Subject: Re: VNET jails and PF service
On 2018-12-13 01:02:32 (+0100), Goran Mekić wrote:
> I can't start PF as service from vnet jail. I have devfs rule to unhide
> bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f
> /etc/pf.conf" but "service pf start" fails with:
>
> kldload: can't load pf: Operation not permitted
> /etc/rc.d/pf: WARNING: Unable to load kernel module pf
>
Yes, jails can't load kernel modules, for obvious reasons.
Your host needs to load the pf module, then the jail will be able to use
it.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Thu Dec 13 11:35:09 2018
Date: Thu, 13 Dec 2018 12:35:05 +0100
From: Goran Mekić
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
Subject: Re: VNET jails and PF service
On Thu, Dec 13, 2018 at 09:30:12AM +0100, Kristof Provost wrote:
> On 2018-12-13 01:02:32 (+0100), Goran Mekić wrote:
> > I can't start PF as service from vnet jail. I have devfs rule to unhide
> > bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f
> > /etc/pf.conf" but "service pf start" fails with:
> >
> > kldload: can't load pf: Operation not permitted
> > /etc/rc.d/pf: WARNING: Unable to load kernel module pf
> >
> Yes, jails can't load kernel modules, for obvious reasons.
> Your host needs to load the pf module, then the jail will be able to use
> it.

I did load it on the host, that's why "pfctl -e -f /etc/pf.conf" works
in the jail, but "service pf start" doesn't.
From owner-freebsd-pf@freebsd.org Thu Dec 13 11:58:10 2018
Date: Thu, 13 Dec 2018 12:58:07 +0100
From: Goran Mekić
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-pf@freebsd.org
Subject: Re: VNET jails and PF service
On Thu, Dec 13, 2018 at 01:46:46AM +0100, Miroslav Lachman wrote:
> Do you have PF compiled in to your kernel or loaded as module pf.ko in the
> host?

It's GENERIC, came with 12.0-RELEASE.

From owner-freebsd-pf@freebsd.org Thu Dec 13 12:06:04 2018
Date: Thu, 13 Dec 2018 13:06:00 +0100
From: Kristof Provost
To: Goran Mekić
Cc: freebsd-pf@freebsd.org
Subject: Re: VNET jails and PF service

On 2018-12-13 12:35:05 (+0100), Goran Mekić wrote:
> On Thu, Dec 13, 2018 at 09:30:12AM +0100, Kristof Provost wrote:
> > On 2018-12-13 01:02:32 (+0100), Goran Mekić wrote:
> > > I can't start PF as service from vnet jail. I have devfs rule to unhide
> > > bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f
> > > /etc/pf.conf" but "service pf start" fails with:
> > >
> > > kldload: can't load pf: Operation not permitted
> > > /etc/rc.d/pf: WARNING: Unable to load kernel module pf
> > >
> > Yes, jails can't load kernel modules, for obvious reasons.
> > Your host needs to load the pf module, then the jail will be able to use
> > it.
>
> I did load it on the host, that's why "pfctl -e -f /etc/pf.conf" works
> in the jail, but "service pf start" doesn't.

I can't seem to reproduce that. How did you start your jail?
(The output of 'jls -na' might be helpful too.)

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Thu Dec 13 15:15:27 2018
Date: Thu, 13 Dec 2018 16:15:24 +0100
From: Kristof Provost
To: Goran Mekić
Cc: freebsd-pf@freebsd.org
Subject: Re: VNET jails and PF service
On 2018-12-13 13:06:00 (+0100), Kristof Provost wrote:
> On 2018-12-13 12:35:05 (+0100), Goran Mekić wrote:
> > On Thu, Dec 13, 2018 at 09:30:12AM +0100, Kristof Provost wrote:
> > > On 2018-12-13 01:02:32 (+0100), Goran Mekić wrote:
> > > > I can't start PF as a service from a vnet jail. I have a devfs rule to unhide
> > > > bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f
> > > > /etc/pf.conf" but "service pf start" fails with:
> > > >
> > > > kldload: can't load pf: Operation not permitted
> > > > /etc/rc.d/pf: WARNING: Unable to load kernel module pf
> > > >
> > > Yes, jails can't load kernel modules, for obvious reasons.
> > > Your host needs to load the pf module, then the jail will be able to use
> > > it.
> >
> > I did load it on the host, that's why "pfctl -e -f /etc/pf.conf" works
> > in the jail, but "service pf start" doesn't.
>
> I can't seem to reproduce that. How did you start your jail?
>
> (The output of 'jls -na' might be helpful too)
>
At least on CURRENT that all does what I'd expect it to do:

% sudo kldload pfsync
% sudo jail -c name=alcatraz persist vnet
% sudo jexec alcatraz /bin/sh
# service pf onestart
Enabling pf.
# pfctl -s all
FILTER RULES:
scrub in all fragment reassemble
pass out all flags S/SA keep state
block drop in log all
pass in inet proto tcp from any to any port = ssh flags S/SA keep state

INFO:
Status: Enabled for 0 days 00:00:03           Debug: Urgent
...

Regards,
Kristof
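The two host-side conditions the thread turns on (pf already loaded on the host because a jail cannot kldload, and the jail created with vnet) as a preflight script. This is an added example, not part of the thread; the jail name "alcatraz" is taken from the reproduction above, and the kldstat and jls output embedded below is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): host-side preflight before enabling pf
# inside a vnet jail. A jail cannot kldload, so pf.ko must already be loaded on
# the host, and the jail must be a vnet jail as in the reproduction above.
# The functions parse command output so they can be exercised on the constructed
# samples below; on a live host `kldstat -q -m pf` is the authoritative check.

# Return 0 if kldstat output on stdin lists pf.ko (last column is the module name).
kldstat_has_pf() {
    awk 'NR > 1 && $NF == "pf.ko" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Return 0 if the `jls -na` line for jail $1 (stdin) carries vnet=new.
jail_has_vnet() {
    awk -v want="$1" '
        { name = ""; vnet = ""
          for (i = 1; i <= NF; i++) {
              split($i, kv, "=")
              if (kv[1] == "name") name = kv[2]
              if (kv[1] == "vnet") vnet = kv[2]
          }
          if (name == want && vnet == "new") ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Run both checks and say which host-side fix is missing; 0 means ready.
pf_in_jail_ready() {
    jail="$1"; kld_out="$2"; jls_out="$3"
    printf '%s\n' "$kld_out" | kldstat_has_pf ||
        { echo "pf.ko not loaded on the host: run 'kldload pf' there"; return 1; }
    printf '%s\n' "$jls_out" | jail_has_vnet "$jail" ||
        { echo "jail $jail has no vnet=new; recreate it with the vnet parameter"; return 2; }
    echo "ok: 'service pf onestart' inside $jail should succeed"
}

# Constructed sample output standing in for `kldstat` and `jls -na`.
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   12 0xffffffff80200000  1f5c5d8 kernel
 2    1 0xffffffff82018000    3e2b8 pf.ko'
SAMPLE_JLS='devfs_ruleset=0 jid=1 name=alcatraz path=/ vnet=new persist=true
devfs_ruleset=4 jid=2 name=legacy path=/jails/legacy vnet=inherit persist=true'

# On a FreeBSD host, check the jail named on the command line against live output.
if command -v kldstat >/dev/null 2>&1 && command -v jls >/dev/null 2>&1; then
    pf_in_jail_ready "${1:-alcatraz}" "$(kldstat)" "$(jls -na)"
fi
```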
