From: Ian Smith
To: Morgan Reed
Cc: freebsd-stable@freebsd.org, Dewayne Geraghty
Date: Sat, 24 Nov 2012 19:26:37 +1100 (EST)
Subject: Re: natd in a jail
Message-ID: <20121124183549.R21191@sola.nimnet.asn.au>

On Sat, 24 Nov 2012 17:44:30 +1100, Morgan Reed wrote:
> On Fri, Nov 23, 2012 at 5:16 PM, Morgan Reed wrote:
> > So it turns out I'd not brought bpf into the jails, however even with
> > that and raw_sockets enabled I'm still having no joy with natd.
> >
> > I've been looking at ipfw a bit today but I've run into an issue,
> > loading ipfw_nat causes my kernel to instantly panic, I need to
> > recompile with KDB and DDB turned on so I can actually catch the trace
> > though... Might look at netgraph before going too far down that path.
>
> Rebuilt the kernel with option IPFIREWALL and friends turned on
> (including IPFILTER_DEFAULT_TO_ACCEPT or whatever it is).

Unless you needed to include FIREWALL_FORWARD, you really didn't need to
build ipfw into the kernel, it's all loadable by module. No harm, but.

> Throw ipfw_nat_load="YES" and ipdivert_load="YES" into
> /boot/loader.conf so the modules are available for the jails.

And with ipfw nat you won't be needing ipdivert. Again, no harm.

> Run a quick and dirty ipfw script (running out of an 'up' script I
> wrote into the OpenVPN config);
> ipfw nat 1 config if tun0 reset same_ports deny_in
> ipfw add 500 nat 1 ip from any to any via tun0
>
> Works like a charm, just one last thing I'd like to get squared away
> here though, currently OpenVPN is using a dynamically created tun
> device, I'd like to have a static /dev/tun0 exist prior to the
> /etc/rc.d/natd start launching (because as it is I have to restart
> natd after the openvpn tunnel comes up), not sure what the best way to
> achieve this is in a jailed environment though.

If the address of the tunX interface is fixed in the jail, you can
specify it by IP instead of the interface in the nat setup, like:

  ipfw nat 1 config ip $address same_ports deny_in
  ipfw add 500 nat 1 ip from any to any via $address

Your use of 'reset' in nat config makes me wonder if it's a variable
address though? If IP varies you will need to specify the interface.

> The next trick will be migrating from my spaghetti script into rc
> launched jails...

cheers, Ian
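An added example (not code from either poster) of the OpenVPN 'up' script approach the thread settles on: it applies the ipfw nat rules inside the jail only once the tun device exists, and picks the fixed-address form or the interface-plus-reset form depending on whether the tunnel address is static. It assumes OpenVPN's documented up-script environment variables `dev`, `ifconfig_local` and `script_type`; the `NAT_FIXED_IP` switch and `IPFW` override are this script's own knobs.

```shell
#!/bin/sh
# Example OpenVPN "up" script (added here, not from the thread) that sets
# up ipfw nat in the jail after the tunnel interface has appeared, so no
# rc-time natd/ipfw start has to race the tunnel coming up.
# Assumes OpenVPN exports $dev, $ifconfig_local and $script_type.

IPFW=${IPFW:-/sbin/ipfw}   # set IPFW=echo to print commands instead
NAT_ID=1
RULE_NUM=500

run() { $IPFW "$@"; }

# Fixed address: bind the nat instance to the IP (no 'reset' needed).
# Variable address: bind to the interface and let 'reset' flush the
# translation table when the address changes. deny_in refuses inbound
# packets from the tunnel that match no existing translation.
nat_rules() {
    iface=$1 addr=$2
    run delete "$RULE_NUM" 2>/dev/null || :   # idempotent on re-run
    if [ -n "$addr" ]; then
        run nat "$NAT_ID" config ip "$addr" same_ports deny_in
        run add "$RULE_NUM" nat "$NAT_ID" ip from any to any via "$addr"
    else
        run nat "$NAT_ID" config if "$iface" reset same_ports deny_in
        run add "$RULE_NUM" nat "$NAT_ID" ip from any to any via "$iface"
    fi
}

# Use the address form only when the wrapper says the tunnel address is
# static (NAT_FIXED_IP=yes, a knob of this script); otherwise fall back
# to the interface form. OpenVPN also passes the device as $1 and the
# local address as $4, used here if the environment variables are absent.
apply_nat() {
    iface=${dev:-$1}
    addr=
    if [ "${NAT_FIXED_IP:-no}" = yes ]; then
        addr=${ifconfig_local:-$4}
    fi
    if [ -z "$iface" ]; then
        echo "apply_nat: no tun device given" >&2
        return 1
    fi
    nat_rules "$iface" "$addr"
}

# OpenVPN sets script_type=up when invoking the up script.
if [ "${script_type:-}" = up ]; then
    apply_nat "$@"
fi
```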