Re: pf NAT and VNET Jails

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Mon, 09 Nov 2015 08:18:32 -0500
On Thursday, 05 November 2015 11:45:25 PM Kristof Provost wrote:
> > On 05 Nov 2015, at 17:25, Shawn Webb <shawn.webb_at_hardenedbsd.org> wrote:
> > I've figured it out. I've removed all rules and went with a barebones
> > config.
> > 
> > Right now, the laptop I'm using for NAT has an outbound interface of wlan0
> > with an IP of 129.6.251.181 (from DHCP). The following line works:
> > 
> > nat on wlan0 from any to any -> 129.6.251.181
> > 
> > The following line doesn't:
> > 
> > nat on wlan0 from any to any -> (wlan0)
> > 
> > Nor does this:
> > 
> > nat on wlan0 from any to any -> wlan0
> > 
> > From the Handbook, the lines that don't work are preferred, especially the
> > first non-working line, since using (wlan0) would cause pf to pick up
> > wlan0's IP dynamically (which is good, since wlan0 is DHCP'd).
> > 
> > So it seems at some point of time, doing NAT dynamically broke.
> 
> So far I’ve had no luck reproducing this.
> With pf.conf:
> nat on vtnet0 from any to any -> (vtnet0)
> pass in
> pass out
> 
> And setup code:
> ifconfig bridge0 create
> ifconfig epair0 create
> ifconfig epair0a up
> ifconfig epair0b up
> ifconfig bridge0 addm epair0a
> 
> jail -c name=test host.hostname=test vnet persist
> ifconfig epair0b vnet test
> 
> ifconfig bridge0 inet 10.0.0.1/24
> 
> jexec test ifconfig epair0b 10.0.0.2/23
> jexec test route add default 10.0.0.1
> 
> # Activate routing
> sysctl net.inet.ip.forwarding=1
> 
> pfctl -e
> pfctl -g -f pf.conf
> 
> Then I run exec test ping 8.8.8.8, which works as expected.
> 
> My home routing is running CURRENT, used vnet jails and also doesn’t seem to
> be triggering the problem.
> 
> Perhaps we’re still missing a component of the problem, but right now I have
> no idea what that would be.
> 
> Hmm. Perhaps… do you happen to know in what order things are done during
> startup? Perhaps it’s related to the fact that wlan0 is both wifi and DHCP,
> in the sense that pf is configured before the IP is assigned to the
> interface.
> 
> Can you try reloading pf with the (wlan0) rule? (Just pfctl -g -f
> /etc/pf.conf should do the trick).

I'm using iocage for jailing.

It's now looking like pf is back to being broken for me. I've tried every 
combination possible, even hardcoding the values:

nat on wlan0 from {192.168.6.0/24, 192.168.7.0/24} to any -> 129.6.251.181
pass in
pass out

I have zero idea why this isn't working. It seems that from the documentation, 
I'm doing everything right. I can see from tcpdump that the packets are 
getting forwarded, but without the src IP address being rewritten to 
129.6.251.181.

tcpdump output for a single ICMP packet, pinging to 8.8.8.8:

08:12:30.544462 IP 192.168.7.3 > 8.8.8.8: ICMP echo request, id 28131, seq 0, 
length 64

That src IP should say 129.6.251.181.

Thanks,

-- 
Shawn Webb
HardenedBSD

GPG Key ID:                0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
Received on Mon Nov 09 2015 - 12:18:38 UTC
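A check for the symptom described above (jail source addresses leaving the outbound interface un-rewritten), as an added example that is not part of the thread: it scans tcpdump output captured on the NAT box's outbound interface for sources still inside the jail networks from Shawn's pf.conf. The sample capture is constructed; the internal networks and the expected NAT address come from the mail.

```python
import ipaddress
import re

# Constructed tcpdump sample from the outbound interface (wlan0 in the thread).
# Lines 2 and 3 are what a working "nat on wlan0" rule should produce; lines 1
# and 4 reproduce the un-rewritten source address reported in the mail.
SAMPLE_CAPTURE = """\
08:12:30.544462 IP 192.168.7.3 > 8.8.8.8: ICMP echo request, id 28131, seq 0, length 64
08:12:31.001200 IP 129.6.251.181 > 8.8.8.8: ICMP echo request, id 28131, seq 1, length 64
08:12:32.120000 IP 129.6.251.181.51234 > 203.0.113.5.443: Flags [S], seq 1, win 65535, length 0
08:12:33.500000 IP 192.168.6.10.40000 > 203.0.113.5.80: Flags [S], seq 2, win 65535, length 0
08:12:34.000000 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 56
"""

# Jail networks from the pf.conf in the thread; none of these should ever be a
# source address on the outbound interface once NAT is applied.
INTERNAL_NETS = [ipaddress.ip_network("192.168.6.0/24"),
                 ipaddress.ip_network("192.168.7.0/24")]
NAT_ADDRESS = ipaddress.ip_address("129.6.251.181")

# tcpdump prints "IP src[.port] > dst[.port]:" for IPv4; ports are optional
# (ICMP has none), so they are matched and discarded separately from the host.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def find_untranslated(capture, internal_nets=INTERNAL_NETS):
    """Return (timestamp, src, dst) for each IPv4 packet whose source is still
    an internal address, i.e. a packet the nat rule did not rewrite."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:            # IP6, ARP and other non-IPv4 lines are not checked
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in internal_nets):
            leaks.append((m["ts"], m["src"], m["dst"]))
    return leaks

def nat_is_working(capture, internal_nets=INTERNAL_NETS):
    """True only when no internal source address appears on the outbound side."""
    return not find_untranslated(capture, internal_nets)

if __name__ == "__main__":
    for ts, src, dst in find_untranslated(SAMPLE_CAPTURE):
        print(f"{ts}: {src} -> {dst} left the box without being rewritten to {NAT_ADDRESS}")
    print("NAT OK" if nat_is_working(SAMPLE_CAPTURE) else "NAT not applied to some packets")
```

Feed it real output from `tcpdump -n -i wlan0` to confirm whether the rule is translating at all, which is the same question the mail answers by eye.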