testing 11.0-RC1 vnet jails with ipfilter
Ernie Luzar
luzar722 at gmail.com
Wed Aug 17 15:28:43 UTC 2016
Here is my new rules file. I have tested it with the commented-out lines and with the comments removed. Tested on a vimage/ipfilter kernel and a vimage-only kernel. In all 4 combinations the "ipf" and "ipstat" commands work. I can see the ipf firewall rules.

The problem is that when issuing the ping command from within the vnet jail nothing happens. The count of packets shown by the ipstat command stays at zero. The /var/log/messages in the vnet jail is not populated. The ipf.log on the host only has ipv6 multicast packets from when the vnet jail is started. No ipv4 ping packets.

ipfilter in a vnet/vimage jail is broken. If anyone has suggestions to try, let me know.
# devfs ruleset for the vnet jail: start from the stock jail ruleset,
# then expose the ipfilter control devices under /dev
[devfsrules_vjail_ipf=5]
add include $devfsrules_jail
add path ipl unhide
add path ipl0 unhide
add path ipf unhide
add path ipauth unhide
add path ipnat unhide
add path ipstate unhide
# used by ipstate
#add path kmem unhide
#add path kernel unhide
# full list of ioctl used by ipf
# (note: "add path" matches device nodes under /dev; the names below are
# ioctl request codes, not device nodes, so uncommenting them unhides nothing)
#add path SIOCIPFFB unhide
#add path FIONREAD unhide
#add path SIOCADDFR unhide
#add path SIOCDELFR unhide
#add path SIOCIPFFR unhide
#add path SIOCADAFR unhide
#add path SIOCRMAFR unhide
#add path SIOCADIFR unhide
#add path SIOCRMIFR unhide
#add path SIOCINAFR unhide
#add path SIOCINIFR unhide
#add path SIOCSETFF unhide
#add path SIOGGETFF unhide
#add path SIOCGETFS unhide
#add path SIOCIPFFL unhide
#add path SIOCIPFFB unhide
#add path SIOCSWAPA unhide
#add path SIOCFRENB unhide
#add path SIOCFRSYN unhide
#add path SIOCFRZST unhide
#add path SIOCZRLST unhide
#add path SIOCAUTHW unhide
#add path SIOCAUTHR unhide
#add path SIOCATHST unhide
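As an added example, not part of the post above: a small POSIX sh/awk script that resolves a devfs.rules ruleset the way devfs composes it (following "add include $name" references, applying "add hide" and "add path ... hide|unhide" in order) and lists which device nodes the ruleset leaves unhidden, so a jail host can verify that the ipfilter control devices will actually be visible before the jail starts. The ruleset text is constructed for the example: it embeds the poster's ruleset together with abbreviated stand-ins for the default rulesets it includes, which are not the real /etc/defaults/devfs.rules. The function names devfs_unhidden and ipf_devs_ok are this example's own.

```shell
#!/bin/sh
# Added example (not the poster's or FreeBSD's code): statically resolve a
# devfs.rules ruleset and list the /dev paths it leaves unhidden.
#
# Model of devfs semantics used here: rules apply in order; "add include $X"
# inlines ruleset X; "add hide" (no path) hides every node; "add path P hide"
# / "add path P unhide" sets the state of node P. Later rules win.

# Constructed input. [devfsrules_hide_all], [devfsrules_unhide_basic] and
# [devfsrules_jail] are abbreviated stand-ins for the stock rulesets, not
# copies of /etc/defaults/devfs.rules; [devfsrules_vjail_ipf] is the poster's.
RULES='
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path log unhide
add path null unhide
add path zero unhide
add path random unhide
add path urandom unhide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add path zfs unhide

[devfsrules_vjail_ipf=5]
add include $devfsrules_jail
add path ipl unhide
add path ipauth unhide
add path ipnat unhide
add path ipstate unhide
# an ioctl request code is not a device node, so this would match nothing
#add path SIOCIPFFB unhide
'

# devfs_unhidden RULESET_NAME
# Print, one per line and sorted, the device paths the named ruleset leaves
# unhidden after expanding includes. Unknown or missing rulesets are reported
# on stderr.
devfs_unhidden() {
    printf '%s\n' "$RULES" | awk -v target="$1" '
    # pass 1: collect the rules of each ruleset, in file order
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    substr($0, 1, 1) == "[" {
        name = $0; sub(/^\[/, "", name); sub(/=.*$/, "", name)
        cur = name; next
    }
    { n[cur]++; rule[cur, n[cur]] = $0 }

    # pass 2: walk one ruleset, recursing into includes
    function apply_rs(rs,   i, f, nf, p) {
        for (i = 1; i <= n[rs]; i++) {
            nf = split(rule[rs, i], f)
            if (f[1] != "add") continue
            if (f[2] == "include") {
                p = f[3]; sub(/^\$/, "", p)
                if (!(p in n)) { print "missing ruleset " p > "/dev/stderr"; continue }
                apply_rs(p)
            } else if (f[2] == "hide" && nf == 2) {
                for (p in state) state[p] = "hide"   # "add hide": hide all
            } else if (f[2] == "path" && nf >= 4) {
                state[f[3]] = f[4]                   # hide or unhide one node
            }
        }
    }
    END {
        if (!(target in n)) { print "unknown ruleset " target > "/dev/stderr"; exit 1 }
        apply_rs(target)
        for (p in state) if (state[p] == "unhide") print p
    }' | LC_ALL=C sort
}

# ipf_devs_ok RULESET_NAME
# Succeed only if the four ipfilter control devices the poster unhides
# (ipl, ipauth, ipnat, ipstate) are all visible under that ruleset.
ipf_devs_ok() {
    unhidden=$(devfs_unhidden "$1")
    for d in ipl ipauth ipnat ipstate; do
        printf '%s\n' "$unhidden" | grep -qx "$d" || { echo "missing: $d" >&2; return 1; }
    done
    return 0
}

# Stand-alone use: show what the poster's ruleset exposes.
devfs_unhidden devfsrules_vjail_ipf
```

Running it against the poster's ruleset prints the ipfilter nodes together with the basic nodes inherited through $devfsrules_jail, while the plain jail ruleset fails the ipf_devs_ok check; the same check against a real /etc/devfs.rules is a cheap pre-flight before debugging why ipfstat inside the jail shows nothing.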