testing 11.0-RC1 vnet jails with ipfilter

[krad]

is ipfilter supported in vnet jails? Last time I looked and tried pf didnt
work (kernel panics), and only ipfw was supported.

On 15 August 2016 at 17:59, Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net>
wrote:

> On 15 Aug 2016, at 15:37, Ernie Luzar wrote:
>
> Hello list;
>>
>> Running 11.0-RC1 with only option vimage compiled into the generic kernel.
>>
>> I can run ipfilter on the host and start vnet jails containing no
>> firewalls just fine. But when I try to also have ipfilter run in the vnet
>> jail nothing happens. I added this to the vnet jails rc.conf
>> ipfilter_enable="YES"
>> ipfilter_rules="/etc/ipf.boot.rules"
>> ipmon_enable="YES"
>> ipmon_flags="-Ds"
>>
>> Then start the vnet jail and its like those ipfilter statements in the
>> vnet jails rc.conf are not there. The vnet jails /var/log/messages file is
>> not even there. Issuing "ipfstat" inside the running vnet jail to display
>> the jails ipfilter rules gives this error message "open(IPSTATE_NAME): No
>> such file or directory"
>> To me this means ipfilter is not running in the vnet jail even though I
>> requested it in the vnet jails rc.conf file.
>>
>> So my question to this list is, has anyone managed to get ipfilter to run
>> inside a vnet jail using any of the 11.0 alpha, beta, or rc versions? If so
>> would you please share your setup with me?
>>
>> Maybe I am to close to the bleeding edge for there to be other users in
>> the same test loop?
>>
>
>
> The startup script contains “nojail”.   I think someone opened a bug
> report the other day but I can’t find it anymore;  so the startup script
> won’t automatically run inside a jail.   Can you remove that line and try
> again?
>
>
> /bz
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe
> @freebsd.org"
>