On 28.10.2018 at 22:39, Rodney W. Grimes wrote:
>> Bjoern A. Zeeb wrote:
>>> On 28 Oct 2018, at 15:31, Ernie Luzar wrote:
>>>
>>>> Tested with host running ipfilter and vnet running pf. Tried loading
>>>> pf from host console or from vnet console using kldload pf.ko command
>>>> and get this error message;
>>>>
>>>> linker_load_file: /boot/kernel/pf.ko-unsupported file type.
>>>>
>>>> Looks like the 12.0 version of pf which is supposed to work in vnet
>>>> independent of what firewall is running on the host is not working.
>>> You cannot load pf from inside a jail (with or without vnet). Kernel
>>> modules are global objects loaded from the base system or you compile
>>> the devices into the kernel; it is their state which is virtualised.
>>>
>>> If you load multiple firewalls they will all be available to the base
>>> system and all jails+vnet. Whichever you configure in which one is up
>>> to you. Just be careful as an unconfigured firewall might have a
>>> default action affecting the outcome of the overall decision.
>>>
>>> For example you could have:
>>>
>>> a base system using ipfilter and setting pf to default accept everything
>>> and a jail+vnet using pf and setting ipfilter there to accept everything.
>>>
>>>
>>> Hope that clarifies some things.
>>>
>>> /bz
>>>
>> Hello Bjoern.
>>
>> What you said is correct for 10.x & 11.x. But I am talking about
>> 12.0-beta1. I have the ipfilter options enabled in rc.conf of the host
>> and on boot ipfilter starts just like it always does. Now to prep the
>> host for pf in a vnet jail, I issue from the host console the
>> "kldload pf.ko" command and get this error message;
>>
>> linker_load_file: /boot/kernel/pf.ko-unsupported file type.
>>
>> Something is wrong here. This is not supposed to happen according to your
>> post above.
>>
>> Remember that in 12.0 vimage is included in the base system kernel.
> Confirmed, if I boot a clean install and issue:
> kldload ipfilter.ko
> kldload pf.ko
> my dmesg has:
> IP Filter: v5.1.2 initialized. Default = pass all, Logging = enabled
> linker_load_file: /boot/kernel/pf.ko - unsupported file type
>

The same when loading pf.ko combined with ipsec.ko, both can't be loaded on the same running kernel:

# kldload ipsec && echo ok || echo fail ; kldload pf && echo ok || echo fail
ok
kldload: an error occurred while loading module pf. Please check dmesg(8) for more details.
fail

Another try in reverse order (both modules unloaded first):

# kldload pf && echo ok || echo fail ; kldload ipsec && echo ok || echo fail
ok
kldload: an error occurred while loading module ipsec. Please check dmesg(8) for more details.
fail

Some time ago I submitted a PR about this, but I was unaware that the case of failure during loading ipsec.ko is caused by the presence of already loaded pf.ko

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228854

-- 
Marek Zarychta