[Bug 234021] 12.0 gateway host with vnet jail running pf firewall & NAT has no internet access
bugzilla-noreply at freebsd.org
Fri Dec 14 20:56:20 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234021
Bug ID: 234021
Summary: 12.0 gateway host with vnet jail running pf firewall & NAT has no internet access
Product: Base System
Version: 12.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: qjail1 at a1poweruser.com
Trying to get a vnet jail to access the public internet. Issuing "ping -c 2 8.8.8.8" returns a 100.0% packet loss message.

The host running the vnet jail is a gateway host, i.e. connected directly to my ISP. The pf firewall is running on the host and in the vnet jail. The host and the LAN behind it are functioning normally. The pf rules in the vnet jail are doing NAT. The pflog in the vnet jail shows outbound packets only, never an inbound reply. gateway_enable is in the vnet jail's rc.conf, plus the normal pf enable statements. Not using the "service jail" command for starting or stopping the vnet jail; I start and stop the vnet jail using the native jail(8) command. Using the bridge/epair method for vnet jail networking. Tried a second variation where I ran ipfilter on the host and pf in the vnet jail, with the same outcome.

Running this same setup on a LAN host works, i.e. the vnet jail can ping the public internet.

Reviewing Google search results shows all the vnet jail examples are vnet jails on LAN hosts. I have a suspicion that gateway vnet jails have never worked, because I have tested it myself in 10.x and 11.x. Never posted a bug report because I thought it was a VIMAGE problem due to its experimental nature. Now that VIMAGE is included in the base kernel, it is time for a bug report.

Need someone from the VIMAGE kernel project or the pf VIMAGE-aware project to perform their own test of vnet on a gateway host to verify whether it works or not.

Also have the same results if ipfw is the vnet jail firewall.

Below is some info about my setup that may or may not help.
/root >cat /etc/jail.vnetpf1.conf
vnetpf1 {
host.hostname = "vnetpf1";
path = "/usr/jails/vnetpf1";
exec.consolelog = "/var/log/jail.vnetpf1.console.log";
mount.devfs;
devfs_ruleset = "70";
vnet = "new";
vnet.interface = "epair15b";
exec.start = "ifconfig epair15b 10.0.110.25/24";
exec.start += "route add default 10.0.110.2";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
}
Issued from the host console
>netstat -nr4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 65.xxx.48.1 UGS vge0
10.0.0.0/8 link#1 U em0
10.0.10.2 link#1 UHS lo0
65.xxx.48.0/20 link#2 U vge0
65.xxx.62.234 link#2 UHS lo0
127.0.0.1 link#3 UH lo0
Issued from the vnet jails console
vnetpf1 /root >netstat -nr4
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 10.0.110.2 UGS epair15b
10.0.110.0/24 link#3 U epair15b
10.0.110.25 link#3 UHS lo0
127.0.0.1 link#1 UH lo0
# devfsrules for pf to function in a vnet jail.
[vnet_pf=70]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_jail
add path 'bpf*' unhide
add path pf unhide
add path pflog unhide
add path pfsync unhide
Issued from the host with the vnet jail running
/root >ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
        ether d0:50:99:93:75:98
        inet 10.0.10.2 netmask 0xff000000 broadcast 10.255.255.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3899<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 10:00:60:21:00:93
        inet 65.xxx.62.234 netmask 0xfffff000 broadcast 255.255.255.255
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:3a:f8:d2:63:0a
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair15a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        member: vge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
epair15a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:9b:6a:d0:c6:0a
        inet6 fe80::9b:6aff:fed0:c60a%epair15a prefixlen 64 scopeid 0x6
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
#vnet jails pf rules file
oif=epair15b
jip=10.0.110.25
pip=65.xxx.62.234
set block-policy drop
set fail-policy drop
set state-policy if-bound
scrub in on $oif all
set skip on lo0
nat on $oif from $jip to any -> $pip
block out log quick on $oif inet proto tcp from any to any port 43
pass out log (all) quick on $oif from any to any
pass in log (all) quick on $oif from any to any
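Before concluding that VNET itself is broken on gateway hosts, two things in the outputs above are worth ruling out, and both can be checked mechanically from saved command output. First, the jail's default gateway (10.0.110.2 in the jail.conf and the jail's routing table) does not appear on any host interface, and bridge10 carries only epair15a and vge0, so unless some other device on that segment answers ARP for 10.0.110.2 the jail's packets have no next hop. Second, the jail's nat rule rewrites its traffic to 65.xxx.62.234, which is the host's own address on vge0, itself a member of bridge10; replies to that address are addressed at layer 2 to vge0's MAC and are delivered to the host's stack rather than forwarded across the bridge to epair15b, so the jail's pf state never sees them. The script below is an added editor's example, not part of the bug report or of FreeBSD; it parses the host `ifconfig -a` and jail `netstat -nr4` text copied from this report (options lines trimmed, "xxx" left as posted) and flags both conditions. The interface name epair15b and the NAT target are taken from the posted jail.conf and pf rules.

```python
import re

# Host `ifconfig -a` and jail `netstat -nr4` output copied from the report,
# with option/ether/media lines trimmed and "xxx" left exactly as posted.
HOST_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.10.2 netmask 0xff000000 broadcast 10.255.255.255
vge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 65.xxx.62.234 netmask 0xfffff000 broadcast 255.255.255.255
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: epair15a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: vge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair15a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::9b:6aff:fed0:c60a%epair15a prefixlen 64 scopeid 0x6
"""

JAIL_ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.110.2         UGS    epair15b
10.0.110.0/24      link#3             U      epair15b
10.0.110.25        link#3             UHS         lo0
127.0.0.1          link#1             UH          lo0
"""

JAIL_IF = "epair15b"          # vnet.interface in the posted jail.conf
NAT_TARGET = "65.xxx.62.234"  # $pip in the posted pf rules


def parse_ifconfig(text):
    """Return {ifname: {"inet": [IPv4 addrs], "members": [bridge members]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            cur = head.group(1)
            ifaces[cur] = {"inet": [], "members": []}
            continue
        if cur is None:
            continue
        body = line.strip()
        m = re.match(r"inet (\S+) netmask", body)   # "inet6 ..." does not match
        if m:
            ifaces[cur]["inet"].append(m.group(1))
        m = re.match(r"member: (\S+)", body)
        if m:
            ifaces[cur]["members"].append(m.group(1))
    return ifaces


def default_gateway(netstat_text):
    """Gateway column of the 'default' route in netstat -nr output, or None."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "default":
            return fields[1]
    return None


def epair_peer(name):
    """epair15b -> epair15a: the host-side end of the jail's epair."""
    return name[:-1] + ("a" if name.endswith("b") else "b")


def check_layout(ifaces, jail_if, jail_gw, nat_target):
    """Return (code, message) findings for a bridge/epair vnet jail layout."""
    findings = []
    peer = epair_peer(jail_if)
    bridge = next((n for n, i in ifaces.items() if peer in i["members"]), None)
    if bridge is None:
        findings.append(("no-bridge", f"{peer} is not a member of any host bridge"))
        return findings
    segment = {bridge, *ifaces[bridge]["members"]}       # L2 domain the jail sits on
    owner = {a: n for n, i in ifaces.items() for a in i["inet"]}  # addr -> iface
    if jail_gw not in owner:
        findings.append(("gateway-not-on-host",
                         f"jail default gateway {jail_gw} is not configured on any "
                         f"host interface; unless another device on {bridge} answers "
                         f"ARP for it, the jail's outbound packets have no next hop"))
    elif owner[jail_gw] not in segment:
        findings.append(("gateway-off-segment",
                         f"jail default gateway {jail_gw} lives on {owner[jail_gw]}, "
                         f"which is not part of {bridge}"))
    if nat_target in owner and owner[nat_target] in segment:
        findings.append(("nat-to-host-address",
                         f"NAT maps the jail to {nat_target}, the host's own address on "
                         f"bridge member {owner[nat_target]}; replies are addressed to "
                         f"that interface's MAC and handed to the host stack, never "
                         f"bridged back to {jail_if}"))
    return findings


if __name__ == "__main__":
    ifaces = parse_ifconfig(HOST_IFCONFIG)
    for code, msg in check_layout(ifaces, JAIL_IF, default_gateway(JAIL_ROUTES), NAT_TARGET):
        print(f"{code}: {msg}")
```

Run against the posted outputs it reports both conditions; on a working layout (host holds the jail's gateway address on the bridge or its member, and the NAT target is not a host address on that segment) it reports nothing. It only reads saved text, so it can be run on any machine with the two command outputs pasted in.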