testing 11.0-RC1 vnet jails with ipfilter
luzar722 at gmail.com
Tue Aug 16 20:21:05 UTC 2016
Bjoern A. Zeeb wrote:
> In 11-RC* it is present for all 3 firewalls; like VIMAGE due to memory
> footprint you might have to compile the firewall into the kernel rather
> than kldload it (especially ipfilter).
The 11.0-RC1 host has vimage and ipfilter compiled into the kernel. Vnet
jail can ping public network. Host ipf log shows pings from vnet jail as
they pass the host firewall on external interface using the ip address
assigned to the vnet jail. Coding rules on the host firewall using the
vnet jail's assigned ip address does work. But this is not what vimage
literature says how vnet firewalls are supposed to work.
Issuing "ipf -FS -Fa" command from within the vnet jail gives this
message, "open device:no such file or directory. User kernel version
Issuing "ipfstat -hnio" command from within the vnet jail gives this
message, "open(IPSTATE_NAME):no such file or directory".
Running the host on a kernel with just vimage compiled in gets same
results as above.
The only differences between 10.x systems and 11.0 are that a vimage kernel no
longer panics if the host is running ipfilter and the lost memory
message at stopping a vimage jail is gone.
Ipfilter does NOT start in a vimage jail. This is a major show stopper.