[Bug 248109] ipfilter ipf.rules & ipnat.rules not loading when vnet jail starts

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Jul 19 15:51:00 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248109

            Bug ID: 248109
           Summary: ipfilter ipf.rules & ipnat.rules not loading when vnet
                    jail starts
           Product: Base System
           Version: 12.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: joeb1 at a1poweruser.com

Running 12.1 on real hardware.
Vnet jails using bridge/epair method.

The rc.conf in the vnet jail is populated with the normal ipfilter lines to
start ipfilter at vnet jail start up.

ipfilter_enable="YES"
ipmon_enable="YES"
ipmon_flags="-D"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipf.nat.rules"

The ipf.rules file has this content:
pass in  quick on lo0 all
pass out quick on lo0 all
block out log quick on epair41b proto tcp from any to any port = 43 
pass in  log quick on epair41b all
pass out log quick on epair41b all

The ipf.nat.rules file has this content:
map epair41b 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map epair41b 0.0.0.0/0 -> 0/32

I use the native jail command to start and stop the vnet jail:
jail -cv jailname
jail -rv jailname

After logging into the jail's console as root,
ipfstat -hnoi replies with
empty list for ipfilter(out)
empty list for ipfilter(in)

ipnat -l replies with
List of active MAP/Redirects filters:
and then a blank line.

Then I issue this command from the vnet jail's command line to load the rules:
ipf -FS -Fa -f /etc/ipf.rules
followed by ipfstat -hnoi, and the filter rules are shown and functioning.
You may ask how I know the rules are functioning?
The whois command is blocked by the rule on port 43, and it will not work when I
issue it from the vnet console.

The same thing is true for the ipnat rules: when I issue the command to load them,
ipnat -FC -f /etc/ipf.nat.rules
then ipnat -l shows results.

Sure hoping a fix can make it into 12.2 and/or 13.0.

For your feedback, I may be the first person to really test ipfilter inside of
a vnet jail since ipfilter became vimage aware.
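The report's symptom is a silently empty ruleset after jail start, which is exactly the condition a post-start check should catch: a jail whose rc.conf says ipfilter is enabled but whose packet filter is passing everything. The script below is an added example, not part of the bug report or of FreeBSD's rc scripts. It parses the output of the same two commands the reporter uses (ipfstat -hnoi and ipnat -l) to decide whether any rules are active, and wraps that in a helper that, for a named jail, reloads /etc/ipf.rules and /etc/ipf.nat.rules (the paths from the report's rc.conf) and logs the event when the ruleset came up empty. The sample command outputs embedded in the script are constructed to resemble the report's, and the jail name and the use of jexec/logger are assumptions; the offline parsing functions run anywhere, the jexec part only on a FreeBSD host with ipfilter.

```shell
#!/bin/sh
# Added example (not from the bug report): detect an empty ipfilter/ipnat
# ruleset inside a vnet jail and reload it, logging the condition.

# Constructed sample of "ipfstat -hnoi" with no rules loaded (as in the report).
SAMPLE_EMPTY_IPFSTAT="empty list for ipfilter(out)
empty list for ipfilter(in)"

# Constructed sample of "ipfstat -hnoi" after the report's ipf.rules was loaded.
SAMPLE_LOADED_IPFSTAT="0 @1 pass in quick on lo0 all
0 @2 pass in log quick on epair41b all
0 @1 pass out quick on lo0 all
0 @2 block out log quick on epair41b proto tcp from any to any port = 43
0 @3 pass out log quick on epair41b all"

# Constructed sample of "ipnat -l" with no NAT rules (header plus blank line).
SAMPLE_EMPTY_IPNAT="List of active MAP/Redirects filters:
"

# Constructed sample of "ipnat -l" after the report's ipf.nat.rules was loaded.
SAMPLE_LOADED_IPNAT="List of active MAP/Redirects filters:
map epair41b 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map epair41b 0.0.0.0/0 -> 0/32

List of active sessions:"

# Count rule lines in ipfstat output: any line carrying "pass in", "pass out",
# "block in" or "block out". The "empty list for ipfilter(in)" placeholder
# lines do not match. Prints the count (0 when none) and always succeeds.
ipf_rule_count() {
    printf '%s\n' "$1" | grep -Ec '(pass|block)[[:space:]]+(in|out)[[:space:]]' || true
}

# Exit 0 when at least one filter rule is active, 1 otherwise.
ipf_rules_loaded() {
    [ "$(ipf_rule_count "$1")" -gt 0 ]
}

# Count NAT rule lines in ipnat -l output: lines starting with map/rdr/bimap.
ipnat_rule_count() {
    printf '%s\n' "$1" | grep -Ec '^(map|rdr|bimap)[[:space:]]' || true
}

# Exit 0 when at least one NAT rule is active, 1 otherwise.
ipnat_rules_loaded() {
    [ "$(ipnat_rule_count "$1")" -gt 0 ]
}

# Post-start check for a running vnet jail named in $1 (assumed name).
# Runs only on a FreeBSD host with ipfilter; reloads the rule files from the
# report's rc.conf and logs via syslog when the jail came up with no rules.
ensure_jail_filters() {
    jailname=$1
    filters=$(jexec "$jailname" ipfstat -hnoi 2>&1 || true)
    if ! ipf_rules_loaded "$filters"; then
        logger -t ipf-check "jail $jailname: ipfilter ruleset empty, loading /etc/ipf.rules"
        jexec "$jailname" ipf -FS -Fa -f /etc/ipf.rules
    fi
    nat=$(jexec "$jailname" ipnat -l 2>&1 || true)
    if ! ipnat_rules_loaded "$nat"; then
        logger -t ipf-check "jail $jailname: ipnat ruleset empty, loading /etc/ipf.nat.rules"
        jexec "$jailname" ipnat -FC -f /etc/ipf.nat.rules
    fi
}

# Usage: ./ipf-check.sh jailname   (on the jail host, after "jail -cv jailname").
# Without an argument the script only defines the functions and samples.
if [ -n "${1:-}" ] && command -v ipfstat >/dev/null 2>&1; then
    ensure_jail_filters "$1"
fi
```

Running this from the host right after `jail -cv jailname` turns the report's manual recovery into a repeatable check; the logger line also gives a syslog record of every jail that started unfiltered, which is the signal worth alerting on until the rc.d ordering is fixed.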
