Here is my new rules file. I have tested it with the commented-out lines and with the comments removed. Tested on a vimage/ipfilter kernel and a vimage-only kernel. In all 4 combinations the "ipf" and "ipstat" commands work. I can see the ipf firewall rules.
The problem is that when issuing the ping command from within the vnet jail, nothing happens. The count of packets shown by the ipstat command stays at zero. The var/log/messages in the vnet jail is not populated. The ipf.log on the host only has IPv6 multicast packets from when the vnet jail is started. No IPv4 ping packets.
ipfilter in a vnet/vimage jail is broken. If anyone has suggestions to try, let me know.

[devfsrules_vjail_ipf=5]
add include $devfsrules_jail
add path ipl unhide
add path ipl0 unhide
add path ipf unhide
add path ipauth unhide
add path ipnat unhide
add path ipstate unhide
# used by ipstate
#add path kmem unhide
#add path kernel unhide
# full list of ioctl used by ipf
#add path SIOCIPFFB unhide
#add path FIONREAD unhide
#add path SIOCADDFR unhide
#add path SIOCDELFR unhide
#add path SIOCIPFFR unhide
#add path SIOCADAFR unhide
#add path SIOCRMAFR unhide
#add path SIOCADIFR unhide
#add path SIOCRMIFR unhide
#add path SIOCINAFR unhide
#add path SIOCINIFR unhide
#add path SIOCSETFF unhide
#add path SIOGGETFF unhide
#add path SIOCGETFS unhide
#add path SIOCIPFFL unhide
#add path SIOCIPFFB unhide
#add path SIOCSWAPA unhide
#add path SIOCFRENB unhide
#add path SIOCFRSYN unhide
#add path SIOCFRZST unhide
#add path SIOCZRLST unhide
#add path SIOCAUTHW unhide
#add path SIOCAUTHR unhide
#add path SIOCATHST unhide

_______________________________________________
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"