https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212013
Joe Barbish <qja...@a1poweruser.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |b...@freebsd.org,
                   |                            |qja...@a1poweruser.com

--- Comment #2 from Joe Barbish <qja...@a1poweruser.com> ---
I changed "in" to "out" in the vnet jail pf rules file. Here are the rules from inside of the vnet jail:

pfctl -sr -vv
No ALTQ support in kernel
ALTQ related functions disabled
@0 block drop out quick on epair23b inet proto tcp from any to any port = nicname
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1171 State Creations: 0     ]
@1 pass log (all) quick on epair23b all flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1171 State Creations: 0     ]

With pf on the host and in the vnet jail, issuing the "whois" command from within the vnet jail still worked, and it should not have worked. The vnet pf firewall rules are not being enforced.

Here is a snippet from the host pf log.

pass out on fxp0: 10.23.0.2.29486 > 192.0.32.59.43:
pass in on fxp0: 192.0.32.59.43 > 10.23.0.2.29486:
pass in on bridge0: 192.0.32.59.43 > 10.23.0.2.29486:
pass out on fxp0: 10.23.0.2.29486 > 192.0.32.59.43:
pass in on fxp0: 192.0.32.59.43 > 10.23.0.2.29486:
pass in on bridge0: 192.0.32.59.43 > 10.23.0.2.29486:
pass out on fxp0: 10.23.0.2.29486 > 192.0.32.59.43:
pass out on fxp0: 10.23.0.2.29486 > 192.0.32.59.43:
pass in on fxp0: 192.0.32.59.43 > 10.23.0.2.29486:
pass in on bridge0: 192.0.32.59.43 > 10.23.0.2.29486:
pass in on fxp0: 192.0.32.59.43 > 10.23.0.2.29486:
pass in on bridge0: 192.0.32.59.43 > 10.23.0.2.29486:

In a nutshell, nothing changed from the first post. Those ipv6 packets are still being generated. The following is info for maybe debugging this problem.
This is how I create the epair setup:

ifconfig ${nicname} alias 10.${vnetid}.0.1
ifconfig epair${vnetid} create
ifconfig bridge0 addm epair${vnetid}a
ifconfig epair${vnetid}a up

This is the output of the ifconfig -a command on the host after the vnet jail has started.

/root >ifconfig -a
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
	ether 00:0c:f1:cd:55:ea
	inet 10.0.10.12 netmask 0xfffffff0 broadcast 10.0.10.15
	inet 10.23.0.1 netmask 0xff000000 broadcast 10.255.255.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33184
	groups: pflog
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:8f:94:84:0c:00
	nd6 options=9<PERFORMNUD,IFDISABLED>
	groups: bridge
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: epair23a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 5 priority 128 path cost 2000
	member: fxp0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 1 priority 128 path cost 200000
epair23a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:c1:00:00:05:0a
	inet6 fe80::c1:ff:fe00:50a%epair23a prefixlen 64 scopeid 0x5
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	groups: epair

Here is the output of the ifconfig -a command issued from within the started vnet jail.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo
pflog0: flags=0<> metric 0 mtu 33184
	groups: pflog
epair23b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:c1:00:00:06:0b
	inet 10.23.0.2 netmask 0xff000000 broadcast 10.255.255.255
	inet6 fe80::c1:ff:fe00:60b%epair23b prefixlen 64 scopeid 0x3
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	groups: epair
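The rule counters in the pfctl -sr -vv output quoted in the comment (Evaluations: 0 on every rule even though traffic left through epair23b) are the sign of a ruleset that is loaded but never consulted. The following script is an added example, not part of the bug report or of FreeBSD, that parses that output format and lists rules whose Evaluations counter is still zero; both samples embedded in it are constructed from the two rules above.

```sh
#!/bin/sh
# Constructed sample: the two rules from the bug report as printed by
# `pfctl -sr -vv` inside the vnet jail (neither rule ever evaluated).
SAMPLE_IDLE='No ALTQ support in kernel
ALTQ related functions disabled
@0 block drop out quick on epair23b inet proto tcp from any to any port = nicname
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1171 State Creations: 0     ]
@1 pass log (all) quick on epair23b all flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1171 State Creations: 0     ]'

# Constructed sample of a ruleset pf is actually consulting: the pass rule
# has been evaluated, so only the block rule still shows zero.
SAMPLE_ACTIVE='@0 block drop out quick on epair23b inet proto tcp from any to any port = nicname
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1171 State Creations: 0     ]
@1 pass log (all) quick on epair23b all flags S/SA keep state
  [ Evaluations: 37        Packets: 512       Bytes: 41230       States: 3     ]
  [ Inserted: uid 0 pid 1171 State Creations: 9     ]'

# idle_rules: read `pfctl -sr -vv` text on stdin and print each "@N ..."
# rule line whose Evaluations counter is zero. A rule line is remembered
# until its counter line is seen; rule lines without counters are skipped.
idle_rules() {
    awk '
        /^@[0-9]+ / { rule = $0; next }
        /Evaluations:/ && rule != "" {
            split($0, f, "Evaluations:")
            split(f[2], g, " ")
            if (g[1] + 0 == 0) print rule
            rule = ""
        }
    '
}

# count_idle: number of never-evaluated rules in the text passed as $1.
count_idle() {
    printf '%s\n' "$1" | idle_rules | wc -l | tr -d ' '
}

# all_idle: exit 0 when every rule in $1 is idle, which is the symptom in
# this report: a loaded ruleset that pf in the jail never consults.
all_idle() {
    total=$(printf '%s\n' "$1" | grep -c '^@[0-9][0-9]* ')
    idle=$(count_idle "$1")
    [ "$total" -gt 0 ] && [ "$idle" -eq "$total" ]
}

# On a live system: run `pfctl -sr -vv | idle_rules` inside the jail after
# generating traffic; rules listed here were never reached by pf.
printf 'idle rules in constructed sample: %s\n' "$(count_idle "$SAMPLE_IDLE")"
```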