Date:      Sat, 24 Nov 2012 19:26:37 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Morgan Reed <morgan.s.reed@gmail.com>
Cc:        freebsd-stable@freebsd.org, Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
Subject:   Re: natd in a jail
Message-ID:  <20121124183549.R21191@sola.nimnet.asn.au>
In-Reply-To: <CAKnh_Yt4TiPEgdaZQ0J=meKDP_WiUWgUwodEMBqdzCNBNcOAHQ@mail.gmail.com>
References:  <CAKnh_YtF5f_0-vuGO0ov+JDKa_gxF+f80-DCcfxPYyew0_ZG7Q@mail.gmail.com> <D0670FDB8ED04E92BD4A44BB347E786F@white> <CAKnh_YtaY8uMo0W=LQ8L=Ntz6j9bVv8bOkQ_xFoAtz86qLZKDA@mail.gmail.com> <CAKnh_YteQ8YO5HFWGeFNgZqBx6-EK0BX7uujnAoqLi-JJ-yk_g@mail.gmail.com> <CAKnh_Yt4TiPEgdaZQ0J=meKDP_WiUWgUwodEMBqdzCNBNcOAHQ@mail.gmail.com>

On Sat, 24 Nov 2012 17:44:30 +1100, Morgan Reed wrote:
 > On Fri, Nov 23, 2012 at 5:16 PM, Morgan Reed <morgan.s.reed@gmail.com> wrote:
 > > So it turns out I'd not brought bpf into the jails, however even with
 > > that and raw_sockets enabled I'm still having no joy with natd.
 > >
 > > I've been looking at ipfw a bit today but I've run into an issue,
 > > loading ipfw_nat causes my kernel to instantly panic, I need to
 > > recompile with KDB and DDB turned on so I can actually catch the trace
 > > though... Might look at netgraph before going too far down that path.
 > 
 > Rebuilt the kernel with option IPFIREWALL and friends turned on
 > (including IPFILTER_DEFAULT_TO_ACCEPT or whatever it is).

Unless you needed to include FIREWALL_FORWARD, you really didn't need to 
build ipfw into the kernel, it's all loadable by module.  No harm, but.

 > Throw ipfw_nat_load="YES" and ipdivert_load="YES" into
 > /boot/loader.conf so the modules are available for the jails.

And with ipfw nat you won't be needing ipdivert.  Again, no harm.

 > Run a quick and dirty ipfw script (running out of an 'up' script I
 > wrote into the OpenVPN config);
 > ipfw nat 1 config if tun0 reset same_ports deny_in
 > ipfw add 500 nat 1 ip from any to any via tun0
 > 
 > Works like a charm, just one last thing I'd like to get squared away
 > here though, currently OpenVPN is using a dynamically created tun
 > device, I'd like to have a static /dev/tun0 exist prior to the
 > /etc/rc.d/natd start launching (because as it is I have to restart
 > natd after the openvpn tunnel comes up), not sure what the best way to
 > achieve this is in a jailed environment though.

If the address of the tunX interface is fixed in the jail, you can 
specify it by IP instead of the interface in the nat setup, like:

	ipfw nat 1 config ip $address same_ports deny_in
	ipfw add 500 nat 1 ip from any to any via $address

Your use of 'reset' in nat config makes me wonder if it's a variable
address though?  If IP varies you will need to specify the interface.

 > The next trick will be migrating from my spaghetti script into rc
 > launched jails...

cheers, Ian
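The two rule forms discussed in this exchange (address-keyed nat when the tunnel address is fixed, interface-keyed nat with `reset` when it is not), together with a wait for the tun interface to appear so the rules are not loaded before OpenVPN has created it. This is an added example, not a script from the thread or from FreeBSD; it assumes nat instance 1, rule number 500, the interface name tun0, and reads the interface address with `ifconfig <if> inet`. DRY_RUN defaults to 1, so by default it only prints the rules it would run.

```sh
#!/bin/sh
# Added example (not part of the mailing-list thread). Builds the ipfw nat
# rules for a jail, picking the rule form by whether the tun address is fixed.

nat_rules() {
    # $1: interface name; $2: fixed IPv4 address, or empty when it varies
    if_name="$1"
    fixed_ip="$2"
    if [ -n "$fixed_ip" ]; then
        # Fixed address: key nat on the address, which works even before
        # the tunX device exists
        printf '%s\n' "ipfw nat 1 config ip $fixed_ip same_ports deny_in"
        printf '%s\n' "ipfw add 500 nat 1 ip from any to any via $fixed_ip"
    else
        # Variable address: key nat on the interface; 'reset' drops the
        # translation table whenever the interface address changes
        printf '%s\n' "ipfw nat 1 config if $if_name reset same_ports deny_in"
        printf '%s\n' "ipfw add 500 nat 1 ip from any to any via $if_name"
    fi
}

current_ip() {
    # First IPv4 address of the interface; empty if it does not exist yet
    ifconfig "$1" inet 2>/dev/null | awk '/inet /{print $2; exit}'
}

wait_for_iface() {
    # $1: interface; $2: seconds to wait. Returns 0 once it has an address.
    n=0
    while [ "$n" -lt "$2" ]; do
        [ -n "$(current_ip "$1")" ] && return 0
        sleep 1
        n=$((n + 1))
    done
    return 1
}

apply_nat() {
    # Print the rules (DRY_RUN=1, the default) or execute them (DRY_RUN=0)
    nat_rules "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Stand-alone use: DRY_RUN=0 TUN_IP=10.8.0.1 sh nat-up.sh  (TUN_IP optional).
# The wait is only done when actually applying rules.
if [ "${DRY_RUN:-1}" = 0 ]; then
    wait_for_iface tun0 30 || { echo "tun0 never came up" >&2; exit 1; }
fi
apply_nat tun0 "${TUN_IP:-}"
```

With `TUN_IP` set, the script emits the address-keyed pair; without it, the interface-keyed pair with `reset`. Running it from the OpenVPN `up` script, as in the thread, avoids the ordering problem altogether, since the tun device exists by then; the `wait_for_iface` loop covers the case where it is started from rc instead.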
