From: Morgan Reed
Date: Sat, 24 Nov 2012 17:44:30 +1100
Subject: Re: natd in a jail
To: Dewayne Geraghty, freebsd-stable@freebsd.org
List-Id: Production branch of FreeBSD source code

On Fri, Nov 23, 2012 at 5:16 PM, Morgan Reed wrote:
> So it turns out I'd not brought bpf into the jails, however even with
> that and raw_sockets enabled I'm still having no joy with natd.
>
> I've been looking at ipfw a bit today but I've run into an issue:
> loading ipfw_nat causes my kernel to instantly panic. I need to
> recompile with KDB and DDB turned on so I can actually catch the trace,
> though... Might look at netgraph before going too far down that path.

Rebuilt the kernel with option IPFIREWALL and friends turned on (including IPFILTER_DEFAULT_TO_ACCEPT or whatever it is). Threw ipfw_nat_load="YES" and ipdivert_load="YES" into /boot/loader.conf so the modules are available for the jails. Ran a quick and dirty ipfw script (out of an 'up' script I wrote into the OpenVPN config):

    ipfw nat 1 config if tun0 reset same_ports deny_in
    ipfw add 500 nat 1 ip from any to any via tun0

Works like a charm. Just one last thing I'd like to get squared away here, though: currently OpenVPN is using a dynamically created tun device, and I'd like to have a static /dev/tun0 exist before /etc/rc.d/natd start launches (because as it is I have to restart natd after the OpenVPN tunnel comes up). Not sure what the best way to achieve this is in a jailed environment, though. The next trick will be migrating from my spaghetti script into rc-launched jails...
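As an added example (not the script from the message above, nor anything from the FreeBSD or OpenVPN projects), here is what the "quick and dirty" OpenVPN up script could look like when written to be re-runnable. OpenVPN invokes an `up` script with the tunnel device name as its first argument, so the rules follow whichever tun device was allocated instead of hard-coding tun0. The rule number, NAT instance number and `/sbin/ipfw` path are assumptions matching the message; the `IPFW` override exists only so the rule set can be inspected without ipfw present.

```shell
#!/bin/sh
# Added example: OpenVPN "up" script that configures ipfw in-kernel NAT on
# the tunnel interface OpenVPN passes in. Assumes ipfw_nat and ipdivert are
# loaded (ipfw_nat_load="YES", ipdivert_load="YES" in /boot/loader.conf) and
# that the OpenVPN config references it as:
#   script-security 2
#   up /usr/local/etc/openvpn/ipfw-nat-up.sh        (hypothetical path)
# OpenVPN calls it as: <tun_dev> <tun_mtu> <link_mtu> <local_ip> <remote_ip> [init|restart]

IPFW=${IPFW:-/sbin/ipfw}     # set IPFW=echo to see the commands without applying them
NAT_ID=${NAT_ID:-1}          # ipfw nat instance number (assumed, as in the message)
RULE_NUM=${RULE_NUM:-500}    # ipfw rule number (assumed, as in the message)

# Emit the ipfw subcommands for one tunnel interface, one per line.
# Kept separate from execution so the rule set can be reviewed or tested.
nat_rules() {
    dev=$1
    case "$dev" in
        tun[0-9]*) ;;
        *) echo "refusing to NAT on unexpected interface: '$dev'" >&2; return 1 ;;
    esac
    # Delete any earlier copy of the rule first so an OpenVPN "restart"
    # re-running this script does not stack duplicate NAT rules.
    printf '%s\n' \
        "delete $RULE_NUM" \
        "nat $NAT_ID config if $dev reset same_ports deny_in" \
        "add $RULE_NUM nat $NAT_ID ip from any to any via $dev"
}

# Run each emitted subcommand through ipfw. Word splitting of $rule is
# intentional: each line is one argv for ipfw.
apply_rules() {
    rules=$(nat_rules "$1") || return 1
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        case "$rule" in
            delete*) $IPFW $rule 2>/dev/null ;;   # nothing to delete on first run
            *)       $IPFW $rule || exit 1 ;;     # abort the pipeline on a real failure
        esac
    done
}

# When invoked by OpenVPN, $1 is the tun device; do nothing when sourced.
if [ -n "${1:-}" ]; then
    apply_rules "$1"
fi
```

Running it with `IPFW=echo ./ipfw-nat-up.sh tun0` prints the three ipfw commands instead of applying them, which is a cheap way to check what the script will do before giving it `script-security 2` in the OpenVPN config.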