Bug 196699 - pf starts blocking traffic from jails (with VIMAGE), needs to be stopped and reloaded
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 9.2-STABLE
Hardware: amd64 Any
Importance: --- Affects Many People
Assignee: freebsd-pf (Nobody)
Reported: 2015-01-13 23:26 UTC by miguelmclara
Modified: 2018-10-19 23:36 UTC

Description miguelmclara 2015-01-13 23:26:49 UTC
I'm not seeing any panic, and I left my jail with no firewall to test.

So the only firewall running is PF, and only on the host.
It's set to skip "bridge" and "epair", but for some random reason (could be related to network inactivity, but I'm not sure) it starts blocking traffic.

Ex:

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
23:00:53.704965 rule 4..16777216/0(match): block out on xn0: x.x.x10.53 > x.x.x25.20602: 46906 0/1/0 (112)

Note that the jail's resolv.conf points to the host IP, because I'm running dnscrypt-proxy+unbound on the host, but even if I take dnscrypt out of the equation and point it to the router/ISP DNS I get the same issue.

More importantly, I explicitly allow packets to/from any port "domain":

pass out on xn0 proto tcp from any to any port = domain flags S/SA keep state
pass out on xn0 proto udp from any to any port = domain keep state
pass in quick on xn0 inet proto tcp from x.x.x0/24 to any port = domain flags S/SA keep state
pass in quick on xn0 inet proto udp from x.x.x0/24 to any port = domain keep state

When this happens, if I do a DNS query from the host it works fine, so the issue is related to the jail IP only.

Also, I've just updated my kernel and world (on host and jail):
FreeBSD host.local 9.3-STABLE FreeBSD 9.3-STABLE #0 r277102: Tue Jan 13 16:33:46 WET 2015     root@host.local:/usr/obj/usr/src/sys/VIMAGE  amd64

The issue was already happening; I just wanted to make sure I was not missing any patch. I see some work is being done on patching VIMAGE/PF support, but probably it's not yet in 9-stable.

Last lines of dmesg show this:
epair0a: Ethernet address: 02:6a:22:00:06:0a
epair0b: Ethernet address: 02:6a:22:00:07:0b
epair0a: link state changed to UP
epair0b: link state changed to UP
epair0a: promiscuous mode enabled
arp: x.x.x10 moved from 02:6a:22:00:06:0a to 00:16:3e:52:3e:cf on epair0b
arp: x.x.x10 moved from 02:6a:22:00:06:0a to 00:16:3e:52:3e:cf on epair0b
arp: x.x.x10 moved from 02:6a:22:00:06:0a to 00:16:3e:52:3e:cf on epair0b


And not sure if relevant, but:
# arp hostIP
? (x.x.x.10) at 00:16:3e:52:3e:cf on xn0 permanent [ethernet]
# arp jailIP
? (x.x.x.25) at 02:6a:22:00:07:0b on epair0a expires in 70 seconds [ethernet]

Is it normal to see the MAC address expire?
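A small parser for the pflog lines quoted above, as an added example that is not part of this bug report or of pf/tcpdump: it assumes tcpdump's one-line pflog summary shape ("<time> rule <nr>/<reason>(<name>): <action> <dir> on <if>: <src> > <dst>: ...", endpoints written host.port as tcpdump prints them), keeps only the leading rule number from fields like "4..16777216", and runs over the report's own line plus a few constructed ones to tally which rule is blocking which flows.

```python
"""Parse tcpdump's one-line pflog summaries and tally blocked flows per rule.

Added example, not code from the bug report.  Assumptions: lines have the
shape tcpdump printed in the report ("<time> rule <nr>/<reason>(<name>):
<action> <dir> on <if>: <src> > <dst>: ...") and endpoints are written
host.port as tcpdump does; all sample lines except the quoted one are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Match the prefix of a pflog summary line; the protocol decode that follows
# the destination is ignored.  "4..16777216" in the report is rule 4 of the
# main ruleset followed by anchor/sub-rule fields, so only the leading number
# is kept.
PFLOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"rule (?P<rule>[0-9.]+)/(?P<reason_num>\d+)\((?P<reason>\w+)\):\s+"
    r"(?P<action>\w+)\s+(?P<direction>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
)


@dataclass(frozen=True)
class PfLogEntry:
    time: str
    rule: int
    reason: str
    action: str
    direction: str
    iface: str
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split tcpdump's "host.port" into (host, port); port is None if absent."""
    host, sep, port = endpoint.rpartition(".")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_pflog_line(line: str) -> Optional[PfLogEntry]:
    """Return a PfLogEntry for a pflog summary line, or None for any other line."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    return PfLogEntry(
        time=m.group("time"),
        rule=int(m.group("rule").split(".")[0]),
        reason=m.group("reason"),
        action=m.group("action"),
        direction=m.group("direction"),
        iface=m.group("iface"),
        src_host=src_host, src_port=src_port,
        dst_host=dst_host, dst_port=dst_port,
    )


def involves_dns(entry: PfLogEntry) -> bool:
    """True when either endpoint is port 53, the traffic the report's rules cover."""
    return 53 in (entry.src_port, entry.dst_port)


def blocked_by_rule(lines: Iterable[str]) -> Counter:
    """Count blocked packets keyed by (rule number, direction, interface)."""
    tally: Counter = Counter()
    for line in lines:
        entry = parse_pflog_line(line)
        if entry is not None and entry.action == "block":
            tally[(entry.rule, entry.direction, entry.iface)] += 1
    return tally


# The second line is the one quoted in the report; the others are constructed.
SAMPLE_LOG = [
    "tcpdump: WARNING: pflog0: no IPv4 address assigned",
    "23:00:53.704965 rule 4..16777216/0(match): block out on xn0: x.x.x10.53 > x.x.x25.20602: 46906 0/1/0 (112)",
    "23:01:10.000001 rule 4..16777216/0(match): block out on xn0: x.x.x10.53 > x.x.x25.20602: 46907 0/1/0 (112)",
    "23:01:12.000001 rule 7/0(match): pass in on xn0: x.x.x25.20603 > x.x.x10.53: 1234+ A? example.com. (29)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_pflog_line(line)
        if entry is None:
            continue
        dns = " (DNS)" if involves_dns(entry) else ""
        print(f"{entry.action:5} {entry.direction:3} {entry.iface}: rule {entry.rule} "
              f"{entry.src_host}:{entry.src_port} -> {entry.dst_host}:{entry.dst_port}{dns}")
    for (rule, direction, iface), n in blocked_by_rule(SAMPLE_LOG).items():
        print(f"rule {rule} blocked {n} packet(s) {direction} on {iface}")
```

Feeding the real `tcpdump -n -e -ttt -i pflog0` stream through `parse_pflog_line` gives the rule number to look up with `pfctl -vvsr` (which prints each rule with its number), so the tally points straight at the rule that is dropping the jail's DNS replies instead of leaving it to guesswork.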
Comment 1 Kristof Provost 2018-10-19 23:36:46 UTC
vnet is supported in 12, and pf works both on host and in jails there.