testing 11.0-RC1 vnet jails with ipfilter

Ernie Luzar luzar722 at gmail.com
Wed Aug 17 15:28:43 UTC 2016


Here is my new rules file. I have tested it with the commented out lines 
and with the comments removed. Tested on vimage/ipfilter kernel and 
vimage only kernel. In all 4 combinations the "ipf" and "ipstat" 
commands work. I can see the ipf firewall rules.

The problem is when issuing the ping command from within the vnet jail 
nothing happens. The count of packets shown by the ipstat command stay 
at zero. The var/log/messages in the vnet jail is not populated. The 
ipf.log on the host only has ipv6 multcast packets from when the vnet 
jail is started. No ipv4 ping packets.

ipfilter in a vnet/vimage jail is broken. If anyone has suggestions to 
try let me know.

[devfsrules_vjail_ipf=5]
add include $devfsrules_jail
add path ipl     unhide
add path ipl0    unhide
add path ipf     unhide
add path ipauth  unhide
add path ipnat   unhide
add path ipstate unhide
# used by ipstate
#add path kmem    unhide
#add path kernel  unhide
# full list of ioctl used by ipf
#add path SIOCIPFFB unhide
#add path FIONREAD  unhide
#add path SIOCADDFR unhide
#add path SIOCDELFR unhide
#add path SIOCIPFFR unhide
#add path SIOCADAFR unhide
#add path SIOCRMAFR unhide
#add path SIOCADIFR unhide
#add path SIOCRMIFR unhide
#add path SIOCINAFR unhide
#add path SIOCINIFR unhide
#add path SIOCSETFF unhide
#add path SIOGGETFF unhide
#add path SIOCGETFS unhide
#add path SIOCIPFFL unhide
#add path SIOCIPFFB unhide
#add path SIOCSWAPA unhide
#add path SIOCFRENB unhide
#add path SIOCFRSYN unhide
#add path SIOCFRZST unhide
#add path SIOCZRLST unhide
#add path SIOCAUTHW unhide
#add path SIOCAUTHR unhide
#add path SIOCATHST unhide






More information about the freebsd-questions mailing list