Bug 236523 - No FQDN ping from a Jail with NAT and ipfw
Summary: No FQDN ping from a Jail with NAT and ipfw
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: arm
Version: 12.0-RELEASE
Hardware: arm64 Any
Importance: --- Affects Only Me
Assignee: freebsd-arm (Nobody)
Reported: 2019-03-14 10:10 UTC by Jochen Neumeister
Modified: 2019-03-14 14:36 UTC (History)

Description Jochen Neumeister freebsd_committer 2019-03-14 10:10:49 UTC
Is there a Bug / Problem with NAT and ipfw on arm64?

This config works with amd64 on FreeBSD 12.0

It does not work on a Raspberry Pi 3 with FreeBSD 12.0 and CURRENT / arm64

Config:
/etc/rc.conf

hostname="rpi3project.local"
keymap=de
ifconfig_ue0="inet 192.168.2.90 netmask 255.255.255.0"
defaultrouter="192.168.2.1"
sshd_enable="YES"
ntpdate_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

jail_enable="YES"

sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

#IPFW
firewall_enable="YES"
#firewall_type="open"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.conf"

#NAT
cloned_interfaces="lo1"
ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.0"
gateway_enable="YES"

growfs_enable="YES"

######################

/etc/jail.conf:

exec.start="/bin/sh /etc/rc";

exec.stop="/bin/sh /etc/rc.shutdown";

exec.clean;

mount.devfs;

interface="lo1";

jail1icinga {
  host.hostname = "jail1icinga.local";
  path = /usr/jails/jail1icinga;
  ip4.addr = "10.0.0.1";
  allow.raw_sockets=1;
  allow.chflags;
  allow.mount.procfs;
  allow.mount.devfs;
}

#########################

/etc/ipfw.conf:

cmd="/sbin/ipfw -q"

lan_if="ue0"
ipaddr="192.168.2.30/24"

vm_net="10.0.0.0/28"

$cmd flush
$cmd queue flush
$cmd pipe flush

$cmd add 10 check-state

$cmd add 20 allow all from me to $vm_net setup keep-state

# NAT
$cmd nat 1 config if $lan_if

$cmd add 50 nat 1 all from $vm_net to not $vm_net
$cmd add 60 nat 1 all from any to $ipaddr

$cmd add 70 allow all from any to any

#####################

/etc/resolv.conf  (main host + jail)

nameserver 192.168.2.1


#####################

# jls
   JID  IP Address      Hostname                      Path
     1  10.0.0.1        jail1icinga.local             /usr/jails/jail1icinga

# jexec 1 csh

root@jail1icinga:/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=124 time=16.328 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=124 time=16.232 ms

root@jail1icinga:/ # ping www.google.de
ping: cannot resolve www.google.de: Host name lookup failure

#######################

On a FreeBSD 12.0 / amd64 with the same config (copied) into the jail:
root # jexec 1 csh
root@jail1icinga:/ # ping www.google.de
PING www.google.de (172.217.16.131): 56 data bytes
64 bytes from 172.217.16.131: icmp_seq=0 ttl=57 time=17.520 ms
64 bytes from 172.217.16.131: icmp_seq=1 ttl=57 time=17.293 ms
^C
Comment 1 Andrey V. Elsukov freebsd_committer 2019-03-14 14:18:16 UTC
You need to properly configure /etc/resolv.conf in your jail.
Comment 2 Jochen Neumeister freebsd_committer 2019-03-14 14:21:26 UTC
(In reply to Andrey V. Elsukov from comment #1)

see in my first post:

>/etc/resolv.conf  (main host + jail)
>
>nameserver 192.168.2.1
Comment 3 Andrey V. Elsukov freebsd_committer 2019-03-14 14:21:40 UTC
(In reply to Andrey V. Elsukov from comment #1)
> You need to properly configure /etc/resolv.conf in your jail.

Ah, I see, that you did that. But then check that it is reachable.
Comment 4 Jochen Neumeister freebsd_committer 2019-03-14 14:36:08 UTC
(In reply to Andrey V. Elsukov from comment #3)

I think this is okay too:

root@jail1icinga:/ # ls -la /etc/resolv.conf
-rw-r--r--  1 root  wheel  50 Mar 14 09:52 /etc/resolv.conf
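Comment 3 asks whether the resolver is actually reachable from inside the jail, which a resolv.conf listing cannot answer. The following diagnostic helper is an added example, not part of the bug report or of FreeBSD; its sample fragments are constructed from the values posted above (ue0 carries 192.168.2.90 in rc.conf, while ipfw.conf sets ipaddr to 192.168.2.30/24, so the inbound rule "nat 1 all from any to $ipaddr" would not match replies addressed to the interface address that "nat 1 config if ue0" translates to). It checks those two addresses against each other, confirms the jail address lies inside vm_net so the outbound NAT rule covers it, and defines one live probe (drill(1) from FreeBSD base, assumed to be run inside the jail) that separates a resolv.conf problem from a NAT/firewall path problem.

```shell
#!/bin/sh
# Added diagnostic helper (not from the bug report): offline sanity checks for a
# jail-behind-ipfw-NAT setup, plus one live resolver probe to run inside the jail.
# The sample fragments below are constructed from the values posted in the report.
SAMPLE_RC='ifconfig_ue0="inet 192.168.2.90 netmask 255.255.255.0"
cloned_interfaces="lo1"
ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.0"'
SAMPLE_IPFW='lan_if="ue0"
ipaddr="192.168.2.30/24"
vm_net="10.0.0.0/28"'
SAMPLE_JAIL_ADDR="10.0.0.1"
SAMPLE_RESOLV='nameserver 192.168.2.1'

# rc_iface_addr <rc.conf text> <ifname>: IPv4 address assigned to ifname in rc.conf
rc_iface_addr() {
    printf '%s\n' "$1" | sed -n "s/^ifconfig_$2=\"inet \([0-9.]*\).*/\1/p"
}

# conf_var <shell-style config text> <name>: value of name="..." in that text
conf_var() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p"
}

# ip_to_int <dotted quad>: the address as a 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr <address> <network/bits>: succeeds if address lies inside the network
ip_in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( 4294967295 ^ ((1 << (32 - bits)) - 1) ))
    if [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
        return 0
    fi
    return 1
}

# nat_inbound_matches_iface <rc.conf text> <ipfw.conf text>: succeeds when the address
# the inbound rule ("nat 1 all from any to $ipaddr") matches on is the address that
# "nat 1 config if $lan_if" actually translates to, i.e. the one configured on lan_if.
# If they differ, replies to the jail's NATed packets (DNS answers included) are not
# translated back and never reach the jail.
nat_inbound_matches_iface() {
    lan_if=$(conf_var "$2" lan_if)
    nat_addr=$(conf_var "$2" ipaddr | cut -d/ -f1)
    if_addr=$(rc_iface_addr "$1" "$lan_if")
    if [ -n "$if_addr" ] && [ "$nat_addr" = "$if_addr" ]; then
        return 0
    fi
    return 1
}

# jail_addr_in_nat_net <jail ip> <ipfw.conf text>: succeeds when the jail address is
# covered by vm_net, so rule 50 ("nat 1 all from $vm_net to not $vm_net") applies to it.
jail_addr_in_nat_net() {
    ip_in_cidr "$1" "$(conf_var "$2" vm_net)"
}

# resolv_nameservers <resolv.conf text>: the configured nameserver addresses, one per line
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# resolver_answers <name> <nameserver>: live probe meant to be run inside the jail.
# drill(1) ships with FreeBSD base; a failure here with a correct resolv.conf points at
# the path between the jail and the resolver (NAT/firewall), not at resolv.conf itself.
resolver_answers() {
    drill "$1" @"$2" >/dev/null 2>&1
}

# Stand-alone run: report the offline checks over the constructed samples.
lan_if_name=$(conf_var "$SAMPLE_IPFW" lan_if)
if nat_inbound_matches_iface "$SAMPLE_RC" "$SAMPLE_IPFW"; then
    echo "ok: ipaddr in ipfw.conf matches the address on $lan_if_name"
else
    echo "mismatch: ipfw.conf ipaddr=$(conf_var "$SAMPLE_IPFW" ipaddr) but" \
         "$lan_if_name has $(rc_iface_addr "$SAMPLE_RC" "$lan_if_name")"
fi
if jail_addr_in_nat_net "$SAMPLE_JAIL_ADDR" "$SAMPLE_IPFW"; then
    echo "ok: jail address $SAMPLE_JAIL_ADDR is inside vm_net"
else
    echo "jail address $SAMPLE_JAIL_ADDR is outside vm_net; rule 50 would not NAT it"
fi
for ns in $(resolv_nameservers "$SAMPLE_RESOLV"); do
    echo "resolver $ns: run 'drill www.google.de @$ns' inside the jail to test reachability"
done
```

Run as-is it reports the address mismatch in the posted configuration; to use it against a real system, replace the SAMPLE_* fragments with the contents of /etc/rc.conf, /etc/ipfw.conf and the jail's /etc/resolv.conf, then call resolver_answers from inside the jail with one of the listed nameservers.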