testing 11.0-RC1 vnet jails with ipfilter

Ernie Luzar luzar722 at gmail.com
Tue Aug 16 20:21:05 UTC 2016

Bjoern A. Zeeb wrote:

> In 11-RC* it is present for all 3 firewalls;  like VIMAGE due to memory 
> footprint you might have to compile the firewall into the kernel rather 
> than kldload it (especially ipfilter).
> /bzvnet 

The 11.0-RC1 host has vimage and ipfilter compiled into the kernel. Vnet 
jail can ping public network. Host ipf log shows pings from vnet jail as 
they pass the host firewall on external interface using the ip address 
assigned to the vnet jail. Codding rules on the host firewall using the 
vnet jail's assigned ip address does work. But this is not what vimage 
literature says how vnet firewalls are suppose to work.

Issuing "ipf -FS -Fa" command from within the vnet jail gives this 
message, "open device:no such file or directory. User kernel version 
check failed.

Issuing "ipfstat -hnio command from within the vnet jail gives this 
message, open(IPSTATE_NAME):no such file or directory.

Running the host on a kernel with just vimage compiled in gets same 
results as above.

Only differences between 10.x systems and 11.0 is a vimage kernel no 
longer panics if the host is running ipfilter and the lost memory 
message at stopping a vimage jail is gone.

Ipfilter does NOT start in a vimage jail. This is a major show stopper.

More information about the freebsd-questions mailing list