12.0-BETA1 vnet with pf firewall
Marek Zarychta
zarychtam at plan-b.pwste.edu.pl
Sun Oct 28 22:08:07 UTC 2018
On 28.10.2018 at 22:39, Rodney W. Grimes wrote:
>> Bjoern A. Zeeb wrote:
>>> On 28 Oct 2018, at 15:31, Ernie Luzar wrote:
>>>
>>>> Tested with host running ipfilter and vnet running pf. Tried loading
>>>> pf from host console or from vnet console using kldload pf.ko command
>>>> and get this error message;
>>>>
>>>> linker_load_file: /boot/kernel/pf.ko-unsupported file type.
>>>>
>>>> Looks like the 12.0 version of pf, which is supposed to work in vnet
>>>> independent of what firewall is running on the host, is not working.
>>> You cannot load pf from inside a jail (with or without vnet). Kernel
>>> modules are global objects loaded from the base system or you compile
>>> the devices into the kernel; it is their state which is virtualised.
>>>
>>> If you load multiple firewalls they will all be available to the base
>>> system and all jails+vnet. Whichever you configure in which one is up
>>> to you. Just be careful as an unconfigured firewall might have a
>>> default action affecting the outcome of the overall decision.
>>>
>>> For example you could have:
>>>
>>> a base system using ipfilter and setting pf to default accept everything
>>> and a jail+vnet using pf and setting ipfilter there to accept everything.
>>>
>>>
>>> Hope that clarifies some things.
>>>
>>> /bz
>>>
>> Hello Bjoern.
>>
>> What you said is correct for 10.x & 11.x. But I am talking about
>> 12.0-beta1. I have the ipfilter options enabled in rc.conf of the host
>> and on boot ipfilter starts just like it always does. Now to prep the
>> host for pf in a vnet jail, I issue from the host console the
>> "kldload pf.ko" command and get this error message;
>>
>> linker_load_file: /boot/kernel/pf.ko-unsupported file type.
>>
>> Something is wrong here. This is not supposed to happen according to your
>> post above.
>>
>> Remember that in 12.0 vimage is included in the base system kernel.
> Confirmed, if I boot a clean install and issue:
> kldload ipfilter.ko
> kldload pf.ko
> my dmesg has:
> IP Filter: v5.1.2 initialized. Default = pass all, Logging = enabled
> linker_load_file: /boot/kernel/pf.ko - unsupported file type
>
The same happens when loading pf.ko together with ipsec.ko; the two can't be
loaded on the same running kernel:
# kldload ipsec && echo ok || echo fail ; kldload pf && echo ok || echo fail
ok
kldload: an error occurred while loading module pf. Please check
dmesg(8) for more details.
fail
Another try in reverse order (both modules unloaded first):
# kldload pf && echo ok || echo fail ; kldload ipsec && echo ok || echo fail
ok
kldload: an error occurred while loading module ipsec. Please check
dmesg(8) for more details.
fail
Some time ago I submitted a PR about this, but I was unaware that the
failure when loading ipsec.ko is caused by the presence of an already
loaded pf.ko:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228854
--
Marek Zarychta
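The load-order test from the message above, written up as a reusable sh check. This is an added example, not code from the thread or from the FreeBSD project: it loads a list of modules in the given order with kldload(8), reports which ones fail, unloads what it loaded so the next ordering starts from a clean state, and separately filters the linker_load_file rejections out of dmesg output. kldload/kldunload are the real FreeBSD commands; the KLDLOAD/KLDUNLOAD variables exist only so the logic can be exercised with stand-in functions on a host without those modules.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a set of kernel modules can be
# loaded together, in a given order, on a FreeBSD host.
# KLDLOAD/KLDUNLOAD default to the real kldload(8)/kldunload(8); they can be pointed at
# stand-in functions to exercise the logic elsewhere.
KLDLOAD="${KLDLOAD:-kldload}"
KLDUNLOAD="${KLDUNLOAD:-kldunload}"

# try_load_order mod1 mod2 ...
# Loads the modules in order, printing "<module> ok" or "<module> fail" for each,
# then unloads the ones that loaded (most recent first) so another ordering starts clean.
# Returns the number of modules that failed to load.
try_load_order() {
    fails=0
    loaded=""
    for m in "$@"; do
        if "$KLDLOAD" "$m" 2>/dev/null; then
            echo "$m ok"
            loaded="$m $loaded"
        else
            echo "$m fail"
            fails=$((fails + 1))
        fi
    done
    for m in $loaded; do
        "$KLDUNLOAD" "$m" 2>/dev/null
    done
    return "$fails"
}

# dmesg_load_errors
# Reads dmesg output on stdin and prints the path of every module the linker rejected
# with "unsupported file type" (the message quoted in the thread), one per line.
# Both spellings seen in the thread ("pf.ko-unsupported" and "pf.ko - unsupported") match.
dmesg_load_errors() {
    sed -n 's/^linker_load_file: \([^ ]*\) *- *unsupported file type.*/\1/p'
}

# Run the two orderings from the thread when invoked on a FreeBSD host (needs root).
if [ "$(uname -s)" = FreeBSD ]; then
    echo "order: ipsec, pf"; try_load_order ipsec pf
    echo "order: pf, ipsec"; try_load_order pf ipsec
    echo "linker rejections seen in dmesg:"
    dmesg | dmesg_load_errors
fi
```

Running it on the 12.0-BETA1 kernel described in the thread should print "ok" for whichever of pf and ipsec is loaded first and "fail" for the second, in both orders, with the corresponding /boot/kernel path listed from dmesg.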