Re: ipfw + bridge + epair + tags for vnet jails after upgrade to 13.1
Date: Wed, 21 Dec 2022 09:03:14 UTC
20.12.2022 13:50, Markus Graf writes:
> I upgraded a host from 13.0 to 13.1
>
> I can't have a physical interface as member of the jailbridge, because
> this leaks virtual mac addresses of epair interfaces to the outside
> world where my hoster looks unkindly on mac-addresses not belonging to
> the nic of my server. So I have vnet jails behind a common ifbridge.
> All jails have their default routes pointing to the bridge-interface of
> the host. The host works as a router.
>
>
> Tags stopped working across vnet and bridge
> -------------------------------------------
>
> On a long running host that is still currently running 13.0 I have
> this line in a vnet jail with an epair interface acme_j:
>
> allow tag 128 tcp from me to any 80,443 via acme_j setup uid root
> keep-state
>
> On the host I see the tags:
>
> # ipfw -a list 570
>
> 00570 112 11276 count tagged 128
>
> On the updated 13.1 machine the host does not see the tags, or I can't
> get the host to count them.
>
>
> with epair0a being a member of the bridge. If I fetch a file in the
> vnet jail containing epair0b the counters of em0 and bridge0
> increment, but the counter of epair0a does not increment. Tcpdump -i
> epair0a does show the traffic though.

Hi,

probably this commit caused your problem
https://reviews.freebsd.org/D32663

--
WBR, Andrey V. Elsukov
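One way to make the "does the counter move" check repeatable, as an added example that is not from the thread: save `ipfw -a list` on the host before and after fetching a file inside the jail, then diff the packet counters per rule. The two snapshots below are constructed in the format quoted above; rule 580 and its `via bridge0` body are assumed for illustration.

```shell
#!/bin/sh
# Added example: compare two `ipfw -a list` snapshots and report rules whose
# packet counter did not change. Columns are: rule number, packets, bytes,
# rule body, as in the output quoted in the thread.
# BEFORE/AFTER are constructed sample snapshots; on a real host capture them
# with `ipfw -a list` before and after fetching a file in the vnet jail.

BEFORE='00570 112 11276 count tagged 128
00580 3400 4500000 allow ip from any to any via bridge0'
AFTER='00570 112 11276 count tagged 128
00580 3412 4512000 allow ip from any to any via bridge0'

# packets <snapshot> <rule>: print the packet counter of one rule
packets() {
    printf '%s\n' "$1" | awk -v r="$2" '$1 == r { print $2; exit }'
}

# delta <rule>: packets gained by <rule> between BEFORE and AFTER
delta() {
    echo $(( $(packets "$AFTER" "$1") - $(packets "$BEFORE" "$1") ))
}

# flat_rules: print the rule numbers whose counters did not move at all;
# a `count tagged` rule showing up here means the host never saw the tag
flat_rules() {
    printf '%s\n' "$BEFORE" | awk '{ print $1 }' | while read -r r; do
        if [ "$(delta "$r")" -eq 0 ]; then
            echo "$r"
        fi
    done
    return 0
}
```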