testing 11.0-RC1 vnet jails with ipfilter
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Mon Aug 15 16:59:39 UTC 2016
On 15 Aug 2016, at 15:37, Ernie Luzar wrote:
> Hello list;
>
> Running 11.0-RC1 with only option vimage compiled into the generic
> kernel.
>
> I can run ipfilter on the host and start vnet jails containing no
> firewalls just fine. But when I try to also have ipfilter run in the
> vnet jail nothing happens. I added this to the vnet jail's rc.conf
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.boot.rules"
> ipmon_enable="YES"
> ipmon_flags="-Ds"
>
> Then start the vnet jail and it's like those ipfilter statements in the
> vnet jail's rc.conf are not there. The vnet jail's /var/log/messages
> file is not even there. Issuing "ipfstat" inside the running vnet jail
> to display the jail's ipfilter rules gives this error message
> "open(IPSTATE_NAME): No such file or directory"
> To me this means ipfilter is not running in the vnet jail even though
> I requested it in the vnet jail's rc.conf file.
>
> So my question to this list is, has anyone managed to get ipfilter to
> run inside a vnet jail using any of the 11.0 alpha, beta, or rc
> versions? If so would you please share your setup with me?
>
> Maybe I am too close to the bleeding edge for there to be other users
> in the same test loop?
The startup script contains “nojail”. I think someone opened a bug
report the other day but I can’t find it anymore; so the startup
script won’t automatically run inside a jail. Can you remove that
line and try again?
/bz
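As an added illustration (not code from this thread or from FreeBSD's rc scripts), a small sh script that reproduces the keyword check /etc/rc applies at boot: rcorder is always run with "-s nostart", and "-s nojail" is added when security.jail.jailed is 1, so any rc.d script whose "# KEYWORD:" line carries nojail is never started inside a jail. The sample rc.d header below is constructed; the real 11.0-RC1 ipfilter script is not reproduced here.

```shell
#!/bin/sh
# Added example, not from the thread: replicate the rcorder keyword check
# that /etc/rc applies when a FreeBSD system (or vnet jail) boots.

# rc_keywords FILE: print the words on the script's "# KEYWORD:" line(s).
rc_keywords() {
    sed -n 's/^# KEYWORD:[[:space:]]*//p' "$1"
}

# has_keyword FILE WORD: succeed if WORD is among the script's keywords.
has_keyword() {
    for kw in $(rc_keywords "$1"); do
        [ "$kw" = "$2" ] && return 0
    done
    return 1
}

# rc_would_run FILE JAILED: succeed if /etc/rc would start FILE.
# /etc/rc always passes "-s nostart" to rcorder and adds "-s nojail" when
# security.jail.jailed is 1; JAILED is that sysctl value (0 or 1).
rc_would_run() {
    has_keyword "$1" nostart && return 1
    [ "$2" -eq 1 ] && has_keyword "$1" nojail && return 1
    return 0
}

# Constructed sample: a minimal rc.d script header carrying "nojail".
# (The real 11.0-RC1 ipfilter script is not reproduced here.)
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
# PROVIDE: ipfilter
# REQUIRE: FILESYSTEMS
# KEYWORD: nojail
EOF

# On non-FreeBSD hosts the sysctl does not exist; treat that as "not jailed".
jailed=$(sysctl -n security.jail.jailed 2>/dev/null || echo 0)
if rc_would_run "$sample" "$jailed"; then
    echo "would run (jailed=$jailed)"
else
    echo "skipped by /etc/rc (jailed=$jailed): drop nojail from KEYWORD to let it start"
fi
rm -f "$sample"
```

Point rc_keywords at /etc/rc.d/ipfilter on the host to see which keywords the installed script actually declares before editing it.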