pf NAT and VNET Jails

Shawn Webb shawn.webb at hardenedbsd.org
Tue Nov 10 02:47:05 UTC 2015


On Mon, Nov 09, 2015 at 08:18:32AM -0500, Shawn Webb wrote:
> I'm using iocage for jailing.
> 
> It's now looking like pf is back to being broken for me. I've tried every 
> combination possible, even hardcoding the values:
> 
> nat on wlan0 from {192.168.6.0/24, 192.168.7.0/24} to any -> 129.6.251.181
> pass in
> pass out
> 
> I have zero idea why this isn't working. It seems that from the documentation, 
> I'm doing everything right. I can see from tcpdump that the packets are 
> getting forwarded, but without the src IP address being rewritten to 
> 129.6.251.181.
> 
> tcpdump output for a single ICMP packet, pinging to 8.8.8.8:
> 
> 08:12:30.544462 IP 192.168.7.3 > 8.8.8.8: ICMP echo request, id 28131, seq 0, 
> length 64
> 
> That src IP should say 129.6.251.181.

I found the problem: it seems that the new Intel Haswell graphics
support (which I've been running with) is at odds somehow with pf NAT.
Removing Haswell graphics support means working pf NAT.

Thanks,

-- 
Shawn Webb
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
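For readers arriving here with the same symptom, below is a minimal pf.conf for NATing VNET jails out through a host interface, written here as an added example; it is not the poster's file and not taken from the thread. It keeps the interface and subnets from the post (wlan0, 192.168.6.0/24, 192.168.7.0/24), the macro names are my own, and it uses the parenthesised `($ext_if)` form so pf tracks the interface's current address instead of a hard-coded one. The trailing comments list the checks to run, in order, when the source address is not being rewritten.

```pf
# Added example pf.conf (not the poster's configuration).
# Macro names are assumptions; interface and subnets come from the post.
ext_if    = "wlan0"                                  # host interface with the public address
jail_nets = "{ 192.168.6.0/24, 192.168.7.0/24 }"     # VNET jail subnets

set skip on lo0

# Translation rules must come before filter rules in FreeBSD's pf.conf.
# ($ext_if) tells pf to use whatever address the interface currently has,
# so the rule survives a DHCP lease change on wlan0.
nat on $ext_if from $jail_nets to any -> ($ext_if)

# Deliberately permissive while debugging NAT; tighten once it works.
pass in
pass out

# Checks when jail traffic leaves wlan0 with its private source address:
#   sysctl net.inet.ip.forwarding=1      # host must route between the epair/bridge and wlan0
#   pfctl -nf /etc/pf.conf               # parse only; catches syntax errors before loading
#   pfctl -f /etc/pf.conf && pfctl -e    # load the ruleset and make sure pf is enabled
#   pfctl -sn                            # confirm the nat rule is actually in the loaded ruleset
#   pfctl -vsn                           # per-rule counters; a nat rule at 0 is not matching
#   pfctl -ss | grep 8.8.8.8             # a NAT state lists the public and the jail address
#   tcpdump -ni wlan0 icmp               # on the outer interface src must be the wlan0 address
```

If `pfctl -sn` shows the rule and its counter stays at zero while tcpdump on wlan0 shows the private source, the packet is leaving the host on a path pf's NAT is not seeing on that interface, which is the situation the post describes; that is the point at which to look at what else in the kernel changed, rather than at the rule syntax.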