Re: pf NAT and VNET Jails

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Mon, 02 Nov 2015 09:07:27 -0500
On Monday, 02 November 2015 02:59:03 PM Kristof Provost wrote:
> > On 02 Nov 2015, at 14:47, Shawn Webb <shawn.webb_at_hardenedbsd.org> wrote:
> > 
> > On Sunday, 01 November 2015 07:16:34 AM Julian Elischer wrote:
> >> On 11/1/15 2:50 AM, Shawn Webb wrote:
> >>> I'm at r290228 on amd64. I'm not sure which revision I was on last when it
> >>> last worked, but it seems VNET jails aren't working anymore.
> >>> 
> >>> I've got a bridge, bridge1, with an IP of 192.168.7.1. The VNET jails set
> >>> their default route to 192.168.7.1. The host simply NATs outbound from
> >>> 192.168.7.0/24 to the rest of the world. The various epairs get added to
> >>> bridge1 and assigned to each jail. Pretty simple setup. That worked until
> >>> today. When I do tcpdump on my public-facing NIC, I see that NAT isn't
> >>> applied. When I run `ping 8.8.8.8` from the jail, the jail's 192.168.7.0/24
> >>> address gets sent on the wire.
> >>> 
> >>> Let me know what I can do to help debug this further.
> >> 
> >> send the list your setup script/settings?
> > 
> > I'm using iocage to start up the jails. Here's a pasted output of
> > `iocage get all mutt-hardenedbsd`: http://ix.io/lLG
> 
> Can you add your pf.conf too?
> 
> I’ll try upgrading my machine to something beyond 290228 to see if I can
> reproduce it. It’s on r289635 now, and seems to be fine. My VNET jails
> certainly get their traffic NATed.

Sorry about that! I should've included it. It's pasted here: http://ix.io/lLI

It's probably not the most concise. This is a laptop that can have one of 
three interfaces online: re0 (ethernet on the laptop), wlan0 (you can guess 
what that is), or ue0 (usb tethering from my phone). I used to be able to 
specify NATing like that and pf would automatically figure out which outgoing 
device to use. Seems like that's broken now.

Thanks,

-- 
Shawn Webb
HardenedBSD

GPG Key ID:                0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
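For readers following the thread, an added illustration of the host-side setup described above (this is not the poster's pf.conf, which is only linked, and the interface names re0, wlan0 and ue0 are taken from the message; the filter rules and sysctl values are this example's assumptions):

```conf
# Added example pf.conf for a host that NATs VNET jails behind bridge1
# (192.168.7.1/24) out of whichever uplink is currently up.
ext_ifs   = "{ re0 wlan0 ue0 }"
jail_net  = "192.168.7.0/24"
bridge_if = "bridge1"

set skip on lo0

# One nat rule per candidate uplink rather than a single rule over the list.
# The parenthesised interface name tells pf to re-read the interface's
# address on every lookup, so the rule keeps working when an interface
# comes up later or changes address.
nat on re0   inet from $jail_net to any -> (re0)
nat on wlan0 inet from $jail_net to any -> (wlan0)
nat on ue0   inet from $jail_net to any -> (ue0)

# Jail traffic arrives on the bridge; assumed sysctls so it is filtered once
# on bridge1 and not again on each epair member:
#   net.link.bridge.pfil_bridge=1
#   net.link.bridge.pfil_member=0
pass in  on $bridge_if from $jail_net
pass out on $bridge_if to   $jail_net

# Default deny on the uplinks; outbound states cover host and NATed jail
# traffic (filter rules see the already-translated source address).
block in log on $ext_ifs
pass  out    on $ext_ifs keep state

# Checks: `pfctl -sn` lists the loaded nat rules; `pfctl -ss` should show
# states whose source is a 192.168.7.x address translated to the uplink's
# address, and `tcpdump -ni <uplink>` should no longer show 192.168.7.x.
```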
Received on Mon Nov 02 2015 - 13:07:34 UTC
