Bug 248109

Summary: ipfilter ipf.rules & ipnat.rules not loading when vnet jail starts
Product: Base System
Reporter: joeb1
Component: kern
Assignee: Cy Schubert <cy>
Status: Closed FIXED
Severity: Affects Some People
CC: cy
Priority: Normal
Version: 12.1-RELEASE
Hardware: Any
OS: Any
Attachments:
Fix (Flags: none)

Description joeb1 2020-07-19 15:50:59 UTC
Running 12.1 on real hardware.
Vnet jails using bridge/epair method.

The rc.conf in the vnet jail is populated with the normal ipfilter lines to start ipfilter at vnet jail start up.

ipfilter_enable="YES"
ipmon_enable="YES"
ipmon_flags="-D"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipf.nat.rules"

The ipf.rules file has this content:
pass in  quick on lo0 all
pass out quick on lo0 all
block out log quick on epair41b proto tcp from any to any port = 43
pass in  log quick on epair41b all
pass out log quick on epair41b all

The ipf.nat.rules file has this content:
map epair41b 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map epair41b 0.0.0.0/0 -> 0/32

I use the native jail command to start and stop the vnet jail:
jail -cv jailname
jail -rv jailname

After logging into the jail's console as root,
ipfstat -hnoi replies with
empty list for ipfilter(out)
empty list for ipfilter(in)

ipnat -l replies with
List of active MAP/Redirects filters:
and then a blank line.

Then I issue this command from the vnet jail's command line to load the rules,
ipf -FS -Fa -f /etc/ipf.rules, followed by
ipfstat -hnoi, and the filter rules are shown and functioning.
You may ask how do I know the rules are functioning?
The whois command is blocked by the rule on port 43 and it will not work when I issue it from the vnet console.

The same thing is true for ipnat rules: when I issue the command to load them,
ipnat -FC -f /etc/ipf.nat.rules, then this command shows results:
ipnat -l

Sure hoping a fix can make it into 12.2 and/or 13.0.

For your feedback, I may be the first person to really test ipfilter inside of a vnet jail since ipfilter became vimage aware.
Comment 1 Cy Schubert freebsd_committer freebsd_triage 2020-07-20 05:19:36 UTC
In the jail's /etc/rc.d/ipfilter, change
Comment 2 Cy Schubert freebsd_committer freebsd_triage 2020-07-20 05:29:01 UTC
In the jail's /etc/rc.d/ipfilter, change KEYWORD: nojail to KEYWORD: jail.
Comment 3 Cy Schubert freebsd_committer freebsd_triage 2020-07-20 05:35:58 UTC
Simply delete the line.
Comment 4 Cy Schubert freebsd_committer freebsd_triage 2020-07-20 05:50:11 UTC
Created attachment 216593 [details]
Fix

If you're into mergemaster or etcupdate, apply this patch to your src tree or directly to /etc/rc.d.
Comment 5 joeb1 2020-07-20 16:10:22 UTC
Comment on attachment 216593 [details]
Fix

I tested this by changing the files by hand inside of a vnet jail and restarted the vnet jail.  The ipf.rules and ipnat.rules were auto loaded at vnet jail start time. Not using ippool so not tested.

Sure hope to see this fix included in 12.2 and 13.0 when they get published.

You did a good job getting this fixed so fast. Thank you Cy.
Comment 6 commit-hook freebsd_committer freebsd_triage 2020-07-23 17:40:02 UTC
A commit references this bug:

Author: cy
Date: Thu Jul 23 17:39:46 UTC 2020
New revision: 363452
URL: https://svnweb.freebsd.org/changeset/base/363452

Log:
  Load ipfilter, ipnat, and ippool rules, and start ipmon in a vnet jail.

  PR:		248109
  Reported by:	joeb1@a1poweruser.com
  MFC after:	2 weeks

Changes:
  head/libexec/rc/rc.d/ipfilter
  head/libexec/rc/rc.d/ipmon
  head/libexec/rc/rc.d/ipnat
  head/libexec/rc/rc.d/ippool
Comment 7 joeb1 2020-07-25 22:33:17 UTC
Good news: I manually hand-changed the ipfilter, ipmon, ipnat, ippool scripts in /etc/rc.d, replacing the nojail with nojailvnet. Restarted the vnet jail and the ipmon log is now logging to the /var/log/security file inside of the vnet jail just like I wanted. Looks like the solution for this PR not only causes the ipf.rules file and ipnat.rules file to be loaded at vnet jail start time but also fixed the ipmon log problem described in
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248112
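An added example, not part of this PR or of FreeBSD's own rc scripts, that emulates the rc(8) skip logic behind the nojail to nojailvnet change: rc(8) passes rcorder(8) `-s nostart`, adds `-s nojail` inside any jail, and adds `-s nojailvnet` only when the jail has no vnet, so a script tagged `KEYWORD: nojail` never starts in a jail while one tagged `nojailvnet` starts in vnet jails only. The two rc.d headers are constructed samples mirroring the before/after state of /etc/rc.d/ipfilter, and the function names are assumptions.

```shell
# Added example, not FreeBSD's own code: emulate how rc(8) decides which
# rc.d scripts to skip in a jail, using the KEYWORD: line rcorder(8) reads.
# rc(8) always skips "nostart"; in a jail (security.jail.jailed=1) it also
# skips "nojail", and adds "nojailvnet" only when security.jail.vnet != 1.

# Print the skip list rc(8) would build. $1: jailed (0/1), $2: vnet (0/1).
rc_skip_keywords() {
    skip="nostart"
    if [ "$1" -eq 1 ]; then
        skip="$skip nojail"
        if [ "$2" -ne 1 ]; then
            skip="$skip nojailvnet"
        fi
    fi
    echo "$skip"
}

# Print the KEYWORD: values from an rc.d script header. $1: script path.
script_keywords() {
    sed -n 's/^# KEYWORD:[[:space:]]*//p' "$1"
}

# Print "run" or "skip" for script $1 in a jail with jailed=$2, vnet=$3.
rc_would_run() {
    for kw in $(script_keywords "$1"); do
        for s in $(rc_skip_keywords "$2" "$3"); do
            if [ "$kw" = "$s" ]; then
                echo skip
                return 0
            fi
        done
    done
    echo run
}

# Constructed sample headers: the shipped 12.1 script (nojail) and the
# state after this PR's fix (nojailvnet), as described in comment 7.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '#!/bin/sh\n# PROVIDE: ipfilter\n# KEYWORD: nojail\n' > "$tmp/ipfilter.before"
printf '#!/bin/sh\n# PROVIDE: ipfilter\n# KEYWORD: nojailvnet\n' > "$tmp/ipfilter.after"

# Audit: which of the given scripts would a vnet jail (jailed=1, vnet=1) start?
audit_vnet_jail() {
    for f in "$@"; do
        printf '%s: %s\n' "${f##*/}" "$(rc_would_run "$f" 1 1)"
    done
}
audit_vnet_jail "$tmp/ipfilter.before" "$tmp/ipfilter.after"
```

Pointing `audit_vnet_jail` at the real /etc/rc.d/ipfilter, ipmon, ipnat and ippool inside a jail shows at a glance whether they still carry the pre-fix keyword.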
Comment 8 commit-hook freebsd_committer freebsd_triage 2020-08-02 04:26:14 UTC
A commit references this bug:

Author: cy
Date: Sun Aug  2 04:25:14 UTC 2020
New revision: 363768
URL: https://svnweb.freebsd.org/changeset/base/363768

Log:
  MFC r363284-r363285, r363452, r363670

  r363284:
  pfil_run_hooks() can be called recursively, so we have to
  define FASTROUTE_RECURSION in fil.c

  Submitted by:	christos@NetBSD.org
  Reported by:	christos@NetBSD.org
  Obtained from:	NetBSD r1.31

  r363285:
  Fix incorrect byte order in ipfstat -f output.
  - make sure frag is initialized to 0
  - initialize ipfr_p field

  NetBSD PR:	55137
  Submitted by:	christos@NetBSD.org
  Reported by:	christos@NetBSD.org
  Obtained from:	NetBSD fil.c r1.32, ip_frag.c r1.8

  r363452:
  Load ipfilter, ipnat, and ippool rules, and start ipmon in a vnet jail.

  PR:		248109
  Reported by:	joeb1@a1poweruser.com

  r363670:
  Continued ipfilter #ifdef cleanup. The r343701 log entry contains a
  complete description.

Changes:
_U  stable/12/
  stable/12/contrib/ipfilter/iplang/iplang_y.y
  stable/12/contrib/ipfilter/ipsend/arp.c
  stable/12/contrib/ipfilter/ipsend/ipresend.c
  stable/12/contrib/ipfilter/ipsend/ipsend.c
  stable/12/contrib/ipfilter/ipsend/iptest.c
  stable/12/contrib/ipfilter/ipsend/iptests.c
  stable/12/contrib/ipfilter/ipsend/sock.c
  stable/12/libexec/rc/rc.d/ipfilter
  stable/12/libexec/rc/rc.d/ipmon
  stable/12/libexec/rc/rc.d/ipnat
  stable/12/libexec/rc/rc.d/ippool
  stable/12/sys/contrib/ipfilter/netinet/fil.c
  stable/12/sys/contrib/ipfilter/netinet/ip_frag.c
Comment 9 Cy Schubert freebsd_committer freebsd_triage 2020-09-27 01:37:53 UTC
fixed