Re: ipfw + bridge + epair + tags for vnet jails after upgrade to 13.1

From: Kristof Provost <kp_at_freebsd.org>
Date: Wed, 21 Dec 2022 10:19:20 UTC

> On 21 Dec 2022, at 22:03, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:
> 
> 20.12.2022 13:50, Markus Graf writes:
>> I upgraded a host from 13.0 to 13.1
>> I can't have a physical interface as member of the jailbridge, because
>> this leaks virtual mac addresses of epair interfaces to the outside
>> world where my hoster looks unkindly on mac-addresses not belonging to
>> the nic of my server.  So I have vnet jails behind a common ifbridge.
>> All jails have their default routes point to the bridge-interface of
>> the host.  The host works as a router.
>> Tags stopped working across vnet and bridge
>> -------------------------------------------
>> On a long running host that is still currently running 13.0 I have
>> this line in a vnet jail with an epair interface acme_j:
>> allow tag 128 tcp from me to any 80,443 via acme_j setup uid root keep-state
>> On the host I see the tags:
>> # ipfw -a list 570
>> 00570 112 11276 count tagged 128
>> On the updated 13.1 machine the host does not see the tags, or I can't
>> get the host to count them.
>> with epair0a being a member of the bridge.  If I fetch a file in the
>> vnet jail containing epair0b the counters of em0 and bridge0
>> increment, but the counter of epair0a does not increment.  Tcpdump -i
>> epair0a does show the traffic though.
> 
> Hi,
> 
> probably this commit caused your problem https://reviews.freebsd.org/D32663
> 

I’ve not fully understood the problem, but if that commit “caused” it I’m inclined to say the configuration had one vnet incorrectly relying on tags set in another vnet. That was never expected to work, and if it did that was a (now fixed) bug.

Kristof