[Bug 196699] pf starts blocking traffic from jails (with VIMAGE) needs to be stopped and reloaded
bugzilla-noreply at freebsd.org
Tue Jan 13 23:26:50 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196699
Bug ID: 196699
Summary: pf starts blocking traffic from jails (with VIMAGE) needs to be stopped and reloaded
Product: Base System
Version: 9.2-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: miguelmclara at gmail.com
I'm not seeing any panic, and I left my jail with no firewall to test.
So the only firewall running is PF and only on the host.
It's set to skip "bridge" and "epair", but for some random reason (could be related to network inactivity, but I'm not sure) it starts blocking traffic.
Ex:
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
23:00:53.704965 rule 4..16777216/0(match): block out on xn0: x.x.x10.53 > x.x.x25.20602: 46906 0/1/0 (112)
Note that the jail's resolv.conf points to the host IP, because I'm running dnscrypt-proxy+unbound on the host, but even if I take dnscrypt out of the equation and point it to the router/ISP DNS I get the same issue.
More importantly, I explicitly allow packets to/from any port "domain":
pass out on xn0 proto tcp from any to any port = domain flags S/SA keep state
pass out on xn0 proto udp from any to any port = domain keep state
pass in quick on xn0 inet proto tcp from x.x.x0/24 to any port = domain flags S/SA keep state
pass in quick on xn0 inet proto udp from x.x.x0/24 to any port = domain keep state
When this happens, if I do a DNS query from the host it works fine, so the issue is related to the jail IP only.
Also, I've just updated my kernel and world (on host and jail):
FreeBSD host.local 9.3-STABLE FreeBSD 9.3-STABLE #0 r277102: Tue Jan 13 16:33:46 WET 2015 root at host.local:/usr/obj/usr/src/sys/VIMAGE amd64
The issue was already happening; I just wanted to make sure I was not missing any patch. I see some work is being done on patching VIMAGE/PF support, but probably it's not yet in 9-stable.
Last lines of dmesg show this:
epair0a: Ethernet address: 02:6a:22:00:06:0a
epair0b: Ethernet address: 02:6a:22:00:07:0b
epair0a: link state changed to UP
epair0b: link state changed to UP
epair0a: promiscuous mode enabled
arp: x.x.x10 moved from 02:6a:22:00:06:0a to 00:16:3e:52:3e:cf on epair0b
arp: x.x.x10 moved from 02:6a:22:00:06:0a to 00:16:3e:52:3e:cf on epair0b
arp: x.x.x10 moved from 02:6a:22:00:06:0a to 00:16:3e:52:3e:cf on epair0b
And I'm not sure if it's relevant, but:
# arp hostIP
? (x.x.x.10) at 00:16:3e:52:3e:cf on xn0 permanent [ethernet]
# arp jailIP
? (x.x.x.25) at 02:6a:22:00:07:0b on epair0a expires in 70 seconds [ethernet]
Is it normal to see the MAC address expire?
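The pflog line quoted in the report names the matching rule only by its index ("rule 4..."), and the reporter's rule list does not say which rule that is. The script below is an added example, not part of the bug report or of FreeBSD: it pulls the rule index, action, direction, interface and endpoints out of a pflog line as printed by tcpdump on pflog0, and looks the index up in a "pfctl -vvsr" listing, where rules are prefixed "@N" counting from 0. Both the pflog line and the rule listing are constructed samples (documentation addresses, not the reporter's hosts or ruleset).

```shell
#!/bin/sh
# Added example: map a pflog "rule N..." entry back to the pf rule it hit.
# Not from the bug report; sample data below is constructed.

# Constructed pflog line, modelled on the report (192.0.2.x are placeholders).
SAMPLE='23:00:53.704965 rule 4..16777216/0(match): block out on xn0: 192.0.2.10.53 > 192.0.2.25.20602: 46906 0/1/0 (112)'

# Constructed "pfctl -vvsr" listing; rule numbering (@N) starts at 0, so the
# pflog index 4 refers to the fifth rule in this list.
RULES='@0 scrub in all fragment reassemble
  [ Evaluations: 120 Packets: 120 Bytes: 9812 States: 0 ]
@1 pass out on xn0 proto tcp from any to any port = domain flags S/SA keep state
  [ Evaluations: 12 Packets: 0 Bytes: 0 States: 0 ]
@2 pass out on xn0 proto udp from any to any port = domain keep state
  [ Evaluations: 12 Packets: 4 Bytes: 448 States: 1 ]
@3 pass in quick on xn0 inet proto udp from 192.0.2.0/24 to any port = domain keep state
  [ Evaluations: 12 Packets: 0 Bytes: 0 States: 0 ]
@4 block drop log all
  [ Evaluations: 12 Packets: 3 Bytes: 336 States: 0 ]'

# parse_pflog_line LINE
# Prints "rule=N action=A dir=D if=I src=S dst=T" for one tcpdump pflog line.
# Field 3 is "<rulenr>.<ruleset>.<subrulenr>/<reason>"; only the leading
# integer (the rule index) is kept here.
parse_pflog_line() {
    printf '%s\n' "$1" | awk '{
        rule = $3; sub(/\..*$/, "", rule)          # "4..16777216/0(match):" -> "4"
        action = $4; dir = $5                      # "block", "out"
        ifname = $7; sub(/:$/, "", ifname)         # "xn0:" -> "xn0"
        src = $8                                   # "addr.port"
        dst = $10; sub(/:$/, "", dst)              # "addr.port:" -> "addr.port"
        printf "rule=%s action=%s dir=%s if=%s src=%s dst=%s\n",
               rule, action, dir, ifname, src, dst
    }'
}

# rule_from_listing LISTING N
# Prints the text of rule @N from a "pfctl -vvsr" listing, without the "@N "
# prefix and without the indented statistics lines.
rule_from_listing() {
    printf '%s\n' "$1" | awk -v n="$2" '
        index($0, "@" n " ") == 1 { sub(/^@[0-9]+ /, ""); print; exit }'
}

# Stand-alone run against the constructed samples. On a live host the same
# functions would be fed by:
#   tcpdump -n -e -ttt -i pflog0 | while read -r l; do parse_pflog_line "$l"; done
#   rule_from_listing "$(pfctl -vvsr)" 4
parse_pflog_line "$SAMPLE"
rule_from_listing "$RULES" 4
```

The index printed by pflog counts rules in the loaded ruleset as pfctl numbers them, so the lookup has to be done against the listing from the same host and the same load; after a `pfctl -f` the numbering can shift if rules were added or removed.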