Bjoern A. Zeeb wrote:
In 11-RC* it is present for all 3 firewalls; like VIMAGE due to memory
footprint you might have to compile the firewall into the kernel rather
than kldload it (especially ipfilter).
/bzvnet
The 11.0-RC1 host has vimage and ipfilter compiled into the kernel. Vnet
jail can ping public network. Host ipf log shows pings from vnet jail as
they pass the host firewall on external interface using the ip address
assigned to the vnet jail. Coding rules on the host firewall using the
vnet jail's assigned ip address does work. But this is not how the vimage
literature says vnet firewalls are supposed to work.
Issuing the "ipf -FS -Fa" command from within the vnet jail gives this
message: "open device: no such file or directory. User kernel version
check failed."
Issuing the "ipfstat -hnio" command from within the vnet jail gives this
message: "open(IPSTATE_NAME): no such file or directory."
Running the host on a kernel with just vimage compiled in gets same
results as above.
The only differences between 10.x systems and 11.0 are that a vimage kernel
no longer panics if the host is running ipfilter, and the lost memory
message at stopping a vimage jail is gone.
Ipfilter does NOT start in a vimage jail. This is a major show stopper.
_______________________________________________
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
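The two errors quoted in the post ("open device" and "open(IPSTATE_NAME)") both come from ipf and ipfstat failing to open ipfilter's control device nodes. The script below is an added diagnostic, not code from the post or from the FreeBSD project: it reports which of those nodes are visible under a given /dev root, so you can tell a jail whose devfs ruleset hides them apart from a jail in which they simply do not exist. The node names are ipfilter's defaults on FreeBSD (/dev/ipl, /dev/ipnat, /dev/ipstate, and the rest) and are an assumption to check against your release; the function name and the "check" argument are this example's own.

```shell
#!/bin/sh
# Added diagnostic (not from the mailing-list post): list ipfilter control
# device nodes that are missing under a /dev root. Device names are assumed
# to be ipfilter's FreeBSD defaults; adjust the list for your release.
IPF_DEVICES="ipl ipnat ipstate ipauth ipsync ipscan iplookup"

# check_ipf_devices [DEVROOT]
#   Prints one "missing: <path>" line per absent node under DEVROOT
#   (default /dev). Returns 0 when every node is present, 1 otherwise.
check_ipf_devices() {
    devroot="${1:-/dev}"
    missing=0
    for name in $IPF_DEVICES; do
        if [ ! -e "$devroot/$name" ]; then
            echo "missing: $devroot/$name"
            missing=1
        fi
    done
    return "$missing"
}

# Stand-alone use:  sh ipfcheck.sh check [/dev]
# (no-op when the file is sourced without the "check" argument)
if [ "${1:-}" = "check" ]; then
    check_ipf_devices "${2:-/dev}" \
        && echo "all ipfilter device nodes present under ${2:-/dev}"
fi
```

Run it on the host first: if nodes are missing there, ipfilter is not in the running kernel at all. Run it inside the vnet jail next: nodes present on the host but absent in the jail are either hidden by the jail's devfs ruleset (compare with devfs rule show for the ruleset the jail uses) or, as the post reports for 11.0-RC1, never created because the jail's vnet has no ipfilter instance behind it. The script only inspects the filesystem, so it is safe to run on a production host.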