Re: vnet & firewalls in 12.0

2018-10-18 Thread Kristof Provost

On 18 Oct 2018, at 11:33, Ernie Luzar wrote:
> Wanting to get a head start on using 12.0 and vnet jails with in-jail
> firewall.
>
> 1. Will Vimage be compiled as a module in the 12.0 kernel and be
> included in the base system release?

vimage is a kernel option, not a module. It affects the entire kernel,
and cannot be loaded as a module. It’s either enabled or not (and
it’s enabled in 12.0).


> 1.a. Has the boot time console log message about vimage being "highly
> experimental" been removed?

Yes. It was removed around the time it was enabled by default.

> 2. Has the pf firewall been fixed so it can now run in a vnet jail or
> multiple vnet jails without concern for which firewall is running on
> the host?

Yes. The automated pf tests rely on vimage.


> 2.a. Is each vnet/pf log only viewable from its vnet jail console?

Yes, assuming you mean pflog output. Log files can of course be read
from the host.



> 2.b. Will pf/kernel module auto load on first call from a vnet jail?

No. The decision to load the pf module is made by the host. If the
module is not loaded, no jail will be able to use it. Jails may not load
kernel modules, for obvious reasons.



> 2.c. Does vnet/pf NAT work?

Yes.

Best regards,
Kristof
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Re: vnet & firewalls in 12.0

2018-10-18 Thread Julian Elischer

I will only discuss ipfw.. I don't use pf.

On 18/10/18 11:33 am, Ernie Luzar wrote:
> Wanting to get a head start on using 12.0 and vnet jails with in-jail
> firewall.
>
> 1. Will Vimage be compiled as a module in the 12.0 kernel and be
> included in the base system release?

it's in base.. not a module


> 1.a. Has the boot time console log message about vimage being
> "highly experimental" been removed?
>
> 2. Has the pf firewall been fixed so it can now run in a vnet jail
> or multiple vnet jails without concern for which firewall is
> running on the host?
>
> 2.a. Is each vnet/pf log only viewable from its vnet jail console?
>
> 2.b. Will pf/kernel module auto load on first call from a vnet jail?
>
> 2.c. Does vnet/pf NAT work?



> 3. Does the ipfw firewall still have the 11.x release mandatory
> requirements that the host must also be running ipfw for the vnet
> jailed ipfw to work?

never heard about that..
effectively each network stack can have its own firewall. The ipfw
module must be loaded so it will be 'hooked into' each stack.

whether you use it or not is up to you.


> 3.a. Are all vnet/ipfw log messages still intermixed with the host's
> ipfw log messages?

that is probably the case. there is no per-jail kernel logging
facility. (Sounds like a good idea! send patches!)


> 3.b. Does vnet/ipfw NAT work?

last I checked it did.



> 4. Has any work been done to ipf (ipfilter) so it will function when
> used in a vnet jail?

I don't know how many people are using that... not a lot.






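As an added example, not from any of the posts above: a host-side preflight script in the shape the replies suggest (VIMAGE is a kernel option, so it is checked via a sysctl rather than loaded; pf/pflog or ipfw must be loaded on the host because a jail cannot kldload them; the jail then runs its own pf with its own pflog and NAT rules). The jail.conf and pf.conf it emits, the epair naming, the devfs ruleset number and the interface and network names are my assumptions, not taken from the thread; the kldstat listing is a constructed sample so the module check can be exercised offline.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): host-side preflight for a
# vnet jail that runs its own pf, following the replies above:
#   - VIMAGE is a kernel option, not a module: check kern.features.vimage
#   - pf.ko / pflog.ko must be loaded on the host; a jail cannot kldload them
#   - pf inside the jail needs /dev/pf exposed by a devfs ruleset (assumption:
#     ruleset 10 below is a local rule that unhides pf; not from the thread)

# Constructed kldstat(8) listing used for the offline self-check below.
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   60 0xffffffff80200000  2448d28 kernel
 2    1 0xffffffff82700000    36ad8 pf.ko
 3    1 0xffffffff82737000     2b08 pflog.ko'

# missing_modules LISTING MOD...: print each MOD not in LISTING (kldstat
# text, passed as a string so a captured sample can be checked) and return
# the number of missing modules. Note: a module compiled into the kernel
# does not appear in the listing; "kldstat -q -m MOD" also covers that case.
missing_modules() {
    listing=$1; shift
    n=0
    for mod in "$@"; do
        if ! printf '%s\n' "$listing" |
            awk -v m="$mod" '($NF == m) || ($NF == (m ".ko")) { f = 1 } END { exit f ? 0 : 1 }'
        then
            echo "$mod"
            n=$((n + 1))
        fi
    done
    return $n
}

# vnet_jail_conf NAME IDX: jail.conf(5) entry giving the jail its own network
# stack on epair${IDX}b; the host keeps epair${IDX}a as its end of the link.
vnet_jail_conf() {
    name=$1; idx=$2
    cat <<EOF
$name {
    path = "/usr/jails/$name";
    host.hostname = "$name";
    vnet;
    vnet.interface = "epair${idx}b";
    exec.prestart = "ifconfig epair${idx} create up";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig epair${idx}a destroy";
    mount.devfs;
    devfs_ruleset = 10;  # assumed local ruleset that unhides /dev/pf
}
EOF
}

# jail_pf_conf EXT_IF INT_IF INT_NET: pf.conf(5) for inside the jail. NAT for
# INT_NET leaves via EXT_IF; blocked traffic is logged to the jail's own
# pflog0, which (as noted above) belongs to the jail's vnet, not the host's.
jail_pf_conf() {
    ext_if=$1; int_if=$2; int_net=$3
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
int_net = "$int_net"
set skip on lo0
nat on \$ext_if from \$int_net to any -> (\$ext_if)
block in log all
pass out quick keep state
pass in on \$int_if from \$int_net keep state
pass in on \$ext_if proto tcp to (\$ext_if) port 22 keep state
EOF
}

# Live checks are only meaningful on FreeBSD and are skipped elsewhere.
if [ "$(uname -s)" = FreeBSD ]; then
    [ "$(sysctl -n kern.features.vimage 2>/dev/null)" = 1 ] ||
        echo "VIMAGE is not in this kernel; it needs 'options VIMAGE'" >&2
    if ! missing_modules "$(kldstat)" pf pflog; then
        echo "load these on the host first (kldload, or *_load=\"YES\" in loader.conf)" >&2
    fi
fi
```

The module check deliberately takes the listing as text: on the host you feed it `"$(kldstat)"`, and in a test you feed it a captured sample. The generated jail.conf entry only wires up the vnet; the pf.conf is then installed inside the jail's root and loaded there with pfctl, so each jail keeps its own rule set and pflog independent of whatever the host runs.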


Re: vnet & firewalls in 12.0

2018-10-18 Thread Michael Zhilin
Hi Ernie,

On Thu, Oct 18, 2018 at 9:36 PM Ernie Luzar wrote:

> Wanting to get a head start on using 12.0 and vnet jails with in-jail
> firewall.
>
> 1. Will Vimage be compiled as a module in the 12.0 kernel and be
> included in the base system release?
>

I suppose it's part of the GENERIC kernel configuration


> 1.a. Has the boot time console log message about vimage being "highly
> experimental" been removed?
>

I don't see such a notification in dmesg. 12-ALPHA3


> 2. Has the pf firewall been fixed so it can now run in a vnet jail or
> multiple vnet jails without concern for which firewall is running on
> the host?
>
> 2.a. Is each vnet/pf log only viewable from its vnet jail console?
>
> 2.b. Will pf/kernel module auto load on first call from a vnet jail?
>
> 2.c. Does vnet/pf NAT work?
>
> 3. Does the ipfw firewall still have the 11.x release mandatory
> requirements that the host must also be running ipfw for the vnet jailed
> ipfw to work?
>
> 3.a. Are all vnet/ipfw log messages still intermixed with the host's
> ipfw log messages?
>
> 3.b. Does vnet/ipfw NAT work?
>

I use NAT via netgraph+ipfw. It works fine (why not?). I'm patching "jng"
to add a "nat" feature.


> 4. Has any work been done to ipf (ipfilter) so it will function when
> used in a vnet jail?


vnet & firewalls in 12.0

2018-10-18 Thread Ernie Luzar
Wanting to get a head start on using 12.0 and vnet jails with in-jail 
firewall.


1. Will Vimage be compiled as a module in the 12.0 kernel and be 
included in the base system release?


1.a. Has the boot time console log message about vimage being "highly 
experimental" been removed?


2. Has the pf firewall been fixed so it can now run in a vnet jail or 
multiple vnet jails without concern for which firewall is running on 
the host?


2.a. Is each vnet/pf log only viewable from its vnet jail console?

2.b. Will pf/kernel module auto load on first call from a vnet jail?

2.c. Does vnet/pf NAT work?

3. Does the ipfw firewall still have the 11.x release mandatory 
requirements that the host must also be running ipfw for the vnet jailed 
ipfw to work?


3.a. Are all vnet/ipfw log messages still intermixed with the host's 
ipfw log messages?


3.b. Does vnet/ipfw NAT work?

4. Has any work been done to ipf (ipfilter) so it will function when 
used in a vnet jail?
