[Bug 196699] pf starts blocking traffic from jails (with VIMAGE) needs to be stopped and reloaded

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Jan 13 23:26:50 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196699

            Bug ID: 196699
           Summary: pf starts blocking traffic from jails (with VIMAGE)
                    needs to be stopped and reloaded
           Product: Base System
           Version: 9.2-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: miguelmclara at gmail.com

I'm not seeing any panic, and I left my jail with no firewall to test.

So the only firewall running is PF, and only on the host.
It's set to skip "bridge" and "epair", but for some random reason (could be
related to network inactivity, but I'm not sure) it starts blocking traffic.

Ex:

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
23:00:53.704965 rule 4..16777216/0(match): block out on xn0: x.x.x10.53 > x.x.x25.20602: 46906 0/1/0 (112)

Note that the jail's resolv.conf points to the host IP, because I'm running
dnscrypt-proxy+unbound on the host, but even if I take dnscrypt out of the
equation and point it to the router/ISP DNS I get the same issue.

More importantly, I explicitly allow packets to/from any port "domain":

pass out on xn0 proto tcp from any to any port = domain flags S/SA keep state
pass out on xn0 proto udp from any to any port = domain keep state
pass in quick on xn0 inet proto tcp from x.x.x0/24 to any port = domain flags S/SA keep state
pass in quick on xn0 inet proto udp from x.x.x0/24 to any port = domain keep state

When this happens, if I do a DNS query from the host it works fine, so the issue
is related to the jail IP only.

Also, I've just updated my kernel and world (on host and jail):
FreeBSD host.local 9.3-STABLE FreeBSD 9.3-STABLE #0 r277102: Tue Jan 13 16:33:46 WET 2015     root at host.local:/usr/obj/usr/src/sys/VIMAGE  amd64

The issue was already happening; I just wanted to make sure I was not missing
any patch. I see some work is being done on patching VIMAGE/PF support, but
probably it's not yet in 9-stable.

Last lines of dmesg show this:
epair0a: Ethernet address: 02:6a:22:00:06:0a
epair0b: Ethernet address: 02:6a:22:00:07:0b
epair0a: link state changed to UP
epair0b: link state changed to UP
epair0a: promiscuous mode enabled
arp: x.x.x10 moved from 02:6a:22:00:06:0a to 00:16:3e:52:3e:cf on epair0b
arp: x.x.x10 moved from 02:6a:22:00:06:0a to 00:16:3e:52:3e:cf on epair0b
arp: x.x.x10 moved from 02:6a:22:00:06:0a to 00:16:3e:52:3e:cf on epair0b


And I'm not sure if it's relevant, but:
# arp hostIP
? (x.x.x.10) at 00:16:3e:52:3e:cf on xn0 permanent [ethernet]
# arp jailIP
? (x.x.x.25) at 02:6a:22:00:07:0b on epair0a expires in 70 seconds [ethernet]

Is it normal to see the MAC address expire?
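The pflog line quoted in the report carries a rule number, an action, a direction and an interface, but not the text of the rule that fired. What follows is an added example, not part of the bug report and not a FreeBSD tool: it summarises tcpdump pflog lines by rule/action/direction/interface and prints, for each blocking rule, the `pfctl -vvsr` lookup that maps the number back to the loaded rule. The sample lines are constructed and modelled on the single line in the report; the 10.0.0.x addresses (10.0.0.10 standing in for the host, 10.0.0.25 for the jail) and the second and third lines are assumptions. It needs only POSIX sh, awk and sort.

```sh
#!/bin/sh
# Added example (not from the bug report): triage pflog output by rule number.
# Real use: tcpdump -n -e -ttt -i pflog0 | pflog_summary

# Constructed sample lines modelled on the tcpdump pflog output in the report.
# The addresses (10.0.0.10 = host, 10.0.0.25 = jail) are assumptions for the demo.
SAMPLE='23:00:53.704965 rule 4..16777216/0(match): block out on xn0: 10.0.0.10.53 > 10.0.0.25.20602: 46906 0/1/0 (112)
23:00:55.100000 rule 4..16777216/0(match): block out on xn0: 10.0.0.10.53 > 10.0.0.25.20603: 46907 0/1/0 (112)
23:01:02.000000 rule 12/0(match): pass in on xn0: 10.0.0.25.20604 > 10.0.0.10.53: 46908+ A? example.org. (29)'

# pflog_summary: read pflog lines on stdin, print "<count> <rule> <action> <dir> <iface>",
# most frequent first. Whitespace-separated field layout of a tcpdump pflog line:
#   $1 time  $2 "rule"  $3 "<n>.<sub>/<m>(reason):"  $4 action  $5 dir  $6 "on"  $7 "<iface>:"
pflog_summary() {
  awk '
    $2 == "rule" {
      rule = $3; sub(/[^0-9].*/, "", rule)   # "4..16777216/0(match):" -> "4"
      ifc  = $7; sub(/:$/, "", ifc)          # "xn0:" -> "xn0"
      key = rule " " $4 " " $5 " " ifc
      n[key]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# pflog_block_rules: distinct rule numbers that produced a "block", one per line.
# Rule number N corresponds to the "@N" prefix pfctl -vvsr prints in front of each
# loaded rule, which is how a pflog entry is traced back to the rule text.
pflog_block_rules() {
  awk '$2 == "rule" && $4 == "block" { r = $3; sub(/[^0-9].*/, "", r); print r }' | sort -un
}

# pfctl_lookup_cmd: print the pfctl command that shows rule N and its counters.
# It is printed rather than executed so the example runs on a box without pf.
pfctl_lookup_cmd() {
  printf "pfctl -vvsr | grep -A2 '^@%s '\n" "$1"
}

printf '%s\n' "$SAMPLE" | pflog_summary
printf '%s\n' "$SAMPLE" | pflog_block_rules | while read -r r; do pfctl_lookup_cmd "$r"; done
```

The `on xn0` field in the summary is the interface pf evaluated the packet on, which is the thing to check when some interfaces are in a `set skip` list: a packet logged on a skipped interface should never appear, so the interface name tells you whether the skip applied at all. The rule number then goes to `pfctl -vvsr`, whose `@N` lines also carry evaluation and match counters for that rule.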
