[Bug 212000] 11.0-RC1: vimage jail with ipfilter not working

bugzilla-noreply at freebsd.org
Fri Aug 19 17:19:54 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212000

            Bug ID: 212000
           Summary: 11.0-RC1: vimage jail with ipfilter not working
           Product: Base System
           Version: 11.0-RC1
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: qjail1 at a1poweruser.com

Tested on 11.0-RC1 with only vimage compiled into the kernel.
Tested ipfilter in vnet jail and no firewall on host.
Tested ipfilter in vnet jail and on the host.

Vnet jail used this /etc/devfs.rules rule

[devfsrules_vjail_ipf=60]
add include $devfsrules_jail
add path ipl     unhide
add path ipl0    unhide
add path ipf     unhide
add path ipauth  unhide
add path ipnat   unhide
add path ipstate unhide
# used by ipstate
#add path kmem    unhide
#add path kernel  unhide


Testing no ipfilter firewall running on host, just in vnet jail.

When starting the vnet jail with ipfilter, I check if the ipfilter kernel modules are
loaded and, if not, load them. Auto-loading of the modules does not happen.

Issuing the ipfilter command "ipfstat -hnoi" from the started vnet jail
console shows this

0 @1 pass out quick on lo0 all
0 @2 block out log quick on epair17b proto tcp from any to any port = nicname
0 @3 pass out log quick on epair17b all
0 @1 pass in quick on lo0 all
0 @2 pass in log quick on epair17b all

There are 0 counts because the ipstate command is restricted from accessing
kmem & kernel.
But this at least seems to prove ipfilter is running in the vnet jail.

Issuing the "ping" command from the started vnet jail console works.

Issuing the "whois" command from the started vnet jail console works also,
but should not work because of the above block rule on port 43.

This indicates that the ipfilter rules in a vnet jail are not functioning.
No ipfilter log messages are posted in the vnet jail and no log messages
are posted in the host's log.


Testing ipfilter firewall running on host and vnet jail.
Issuing the ipfilter command "ipfstat -hnoi" from the host console shows this

0 @1 pass out quick on lo0 all
0 @2 pass out log quick on fxp0 all
0 @1 pass in quick on lo0 all
1 @2 pass in log quick on fxp0 all

The vnet jail results are the same as above.
But the host's ipfilter log logs this on vnet jail startup and keeps repeating
it for the whole time the vnet jail is running.

fxp0 @0:2 p 10.0.10.2,67 -> 10.0.10.12,68 PR udp len 20 328 IN
fxp0 @0:2 p :: -> ff02::1:ff00:50b PR icmpv6 len 40 72 icmpv6 neighborsolicit/0 OUT multicast
fxp0 @0:2 p :: -> ff02::16 PR icmpv6 len 48 76 icmpv6 icmpv6type(143)/0 OUT multicast
fxp0 @0:2 p :: -> ff02::16 PR icmpv6 len 48 96 icmpv6 icmpv6type(143)/0 OUT multicast
fxp0 @0:2 p :: -> ff02::16 PR icmpv6 len 48 76 icmpv6 icmpv6type(143)/0 OUT multicast
fxp0 @0:2 p fe80::c1:ff:fe00:50b -> ff02::16 PR icmpv6 len 48 96 icmpv6 icmpv6type(143)/0 OUT multicast
fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
fxp0 @0:2 p 10.0.10.7,68 -> 255.255.255.255,67 PR udp len 20 328 IN broadcast

Issuing the "ping" command from the started vnet jail console works and the
host's ipfilter log shows this

fxp0 @0:2 p 10.0.10.7,68 -> 255.255.255.255,67 PR udp len 20 328 IN broadcast
fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN
fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN
fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN
fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN

The host's ipfilter firewall is logging the traffic on the fxp0 interface;
this is normal and expected.

I see 4 things that are strange.
1. Why is the vnet jail issuing all that ipv6 traffic? It should only be
   generated if the vnet jail interface has an ipv6 ip address coded.
2. Why is ipv4 & ipv6 traffic making it to the host and NOT showing up on
   the epair11b interface?
   This is a problem if the host has a few vnet jails running at the same time.
   i.e.: how am I going to control traffic on the host to target the correct vnet jail?
   In my case I use the epair number [11] in the ip address of the vnet jail.
3. Why are the ipfilter rules in the vnet jail not being enforced?
4. Why, in the case of no firewall on the host and ipfilter in the vnet jail,
   is there no logging anywhere?

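The questions above come down to checking, from the host's ipfilter log, which interface jail traffic is actually logged on. The following Python script is an added example, not part of the bug report or of FreeBSD; it parses ipmon-style log lines in exactly the shape quoted in the report (interface, @group:rule, action, src -> dst, PR proto, len hdrlen pktlen, then IN/OUT and flags), summarises packets per interface, direction and protocol, and flags any packet whose source or destination lies in the jail's network but was logged on an interface that is not an epair. The sample lines are constructed from the ones in the report (with the mail-wrapped lines re-joined, plus one hypothetical epair11b line for contrast), and the jail network 10.11.0.0/24 and the "epair" interface prefix are assumptions for the example.

```python
"""Summarise ipfilter (ipmon-style) log lines and flag jail traffic that shows
up on an unexpected host interface.

Assumptions (not from the bug report): the line format is the one quoted in
the report; the jail network and the expected interface prefix are constructed
for this example.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines, modelled on the ones quoted in the report.
# The last line (epair11b) is hypothetical: what the reporter expected to see.
SAMPLE_LOG = """\
fxp0 @0:2 p 10.0.10.2,67 -> 10.0.10.12,68 PR udp len 20 328 IN
fxp0 @0:2 p :: -> ff02::1:ff00:50b PR icmpv6 len 40 72 icmpv6 neighborsolicit/0 OUT multicast
fxp0 @0:2 p fe80::d950:d6dc:db92:f20d,546 -> ff02::1:2,547 PR udp len 40 137 IN low-ttl multicast
fxp0 @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
fxp0 @0:2 p 8.8.8.8 -> 10.11.0.2 PR icmp len 20 84 icmp echoreply/0 IN
epair11b @0:2 p 10.11.0.2 -> 8.8.8.8 PR icmp len 20 84 icmp echo/0 OUT
"""

# iface @group:rule action src -> dst PR proto len hdrlen pktlen <flags...>
LINE_RE = re.compile(
    r"^(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$"
)


def split_addr(token):
    """'10.0.10.2,67' -> ('10.0.10.2', 67); a bare address gets port None.
    Splitting on the last comma keeps IPv6 addresses (which contain ':') intact."""
    addr, sep, port = token.rpartition(",")
    if not sep:
        return token, None
    return addr, int(port)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["sport"] = split_addr(rec["src"])
    rec["dst"], rec["dport"] = split_addr(rec["dst"])
    rest = rec.pop("rest").split()
    rec["direction"] = next((t for t in rest if t in ("IN", "OUT")), None)
    rec["flags"] = [t for t in rest if t not in ("IN", "OUT")]
    return rec


def parse_log(text):
    """Parse every matching line of a log dump; unparseable lines are skipped."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarise(records):
    """Count logged packets per (interface, direction, protocol)."""
    return Counter((r["iface"], r["direction"], r["proto"]) for r in records)


def misplaced_jail_traffic(records, jail_net, expected_iface_prefix="epair"):
    """Return records whose src or dst lies in jail_net but which were logged
    on an interface not starting with expected_iface_prefix (e.g. fxp0)."""
    net = ipaddress.ip_network(jail_net)
    hits = []
    for r in records:
        for a in (r["src"], r["dst"]):
            try:
                ip = ipaddress.ip_address(a)
            except ValueError:
                continue  # not an address we can classify
            # 'in' is False for a v4/v6 version mismatch, so '::' is never matched
            if ip in net and not r["iface"].startswith(expected_iface_prefix):
                hits.append(r)
                break
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarise(recs).items()):
        print("%-10s %-4s %-7s %d" % (key[0], key[1], key[2], n))
    for r in misplaced_jail_traffic(recs, "10.11.0.0/24"):
        print("jail traffic on %s: %s -> %s (%s %s)"
              % (r["iface"], r["src"], r["dst"], r["proto"], r["direction"]))
```

Run against a real `ipmon` log, the summary shows at a glance whether the jail's addresses are only ever logged on the host's physical interface (question 2 in the report) or also on the epair side; the prefix and network arguments are the only site-specific inputs.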