On Fri, Nov 23, 2012 at 5:16 PM, Morgan Reed <morgan.s.r...@gmail.com> wrote:
> So it turns out I'd not brought bpf into the jails, however even with
> that and raw_sockets enabled I'm still having no joy with natd.
>
> I've been looking at ipfw a bit today but I've run into an issue,
> loading ipfw_nat causes my kernel to instantly panic, I need to
> recompile with KDB and DDB turned on so I can actually catch the trace
> though... Might look at netgraph before going too far down that path.
Rebuilt the kernel with option IPFIREWALL and friends turned on (including IPFILTER_DEFAULT_TO_ACCEPT or whatever it is). Throw ipfw_nat_load="YES" and ipdivert_load="YES" into /boot/loader.conf so the modules are available for the jails. Run a quick and dirty ipfw script (running out of an 'up' script I wrote into the OpenVPN config):

    ipfw nat 1 config if tun0 reset same_ports deny_in
    ipfw add 500 nat 1 ip from any to any via tun0

Works like a charm. Just one last thing I'd like to get squared away here though: currently OpenVPN is using a dynamically created tun device, and I'd like to have a static /dev/tun0 exist prior to /etc/rc.d/natd start launching (because as it is I have to restart natd after the OpenVPN tunnel comes up). Not sure what the best way to achieve this is in a jailed environment though.

The next trick will be migrating from my spaghetti script into rc launched jails...

_______________________________________________
freebsd-stable@freebsd.org mailing list
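As an added example (not the poster's own 'up' script), the hook below builds the same two ipfw commands from the post for whatever tunnel device OpenVPN hands the hook as its first argument, so the NAT rules follow the device OpenVPN actually created instead of assuming tun0. It assumes, as in the post, that the kernel has IPFIREWALL and that ipfw_nat and ipdivert are loaded; the instance and rule numbers are the post's. The `deny_in` keyword is the security-relevant bit: per ipfw(8) it drops inbound packets on the tunnel that match no existing translation, so the jail is not reachable through the NAT from the VPN side; `reset` flushes the translation table when the interface address changes and `same_ports` keeps source ports where it can.

```shell
#!/bin/sh
# Added example, not the poster's script: OpenVPN 'up' hook that configures
# ipfw in-kernel NAT for the tunnel device OpenVPN passes as $1 (tun_dev).
# Assumes ipfw_nat and ipdivert are loaded and IPFIREWALL is in the kernel.
set -u

NAT_INSTANCE=1     # ipfw nat instance number used in the post
RULE_NUM=500       # ipfw rule number used in the post

# Accept only plain tunN names so the value can be spliced into ipfw
# commands without surprises; returns 0 when acceptable, 1 otherwise.
is_tun_dev() {
    case "$1" in
        tun[0-9]|tun[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# 'reset' flushes translations when the interface address changes,
# 'same_ports' keeps source ports where possible, and 'deny_in' drops
# inbound packets that match no existing translation (see ipfw(8)).
nat_config_cmd() {
    printf 'ipfw nat %s config if %s reset same_ports deny_in' "$NAT_INSTANCE" "$1"
}

# Send everything crossing the tunnel through the NAT instance.
nat_rule_cmd() {
    printf 'ipfw add %s nat %s ip from any to any via %s' "$RULE_NUM" "$NAT_INSTANCE" "$1"
}

# Apply the rules. Deleting the rule first keeps the hook idempotent across
# OpenVPN restarts; the generated command strings contain no whitespace inside
# a token, so plain word splitting turns them back into argument lists.
apply_nat() {
    dev=$1
    is_tun_dev "$dev" || { echo "refusing odd device name: $dev" >&2; return 1; }
    ipfw -q delete "$RULE_NUM" 2>/dev/null
    $(nat_config_cmd "$dev") || return 1
    $(nat_rule_cmd "$dev")
}

# OpenVPN invokes the hook as:
#   script tun_dev tun_mtu link_mtu ifconfig_local ifconfig_remote [init|restart]
# Only act when a device name was given and ipfw is present on this host.
if [ -n "${1:-}" ] && [ -x /sbin/ipfw ]; then
    apply_nat "$1"
fi
```

Point OpenVPN at it with `script-security 2` and `up /path/to/this-hook.sh` in the server config; because the device comes from the argument rather than a hard-coded tun0, the rules are installed after the tunnel exists, which sidesteps the ordering problem with a static device for the ipfw case.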