PF Is there a way to filter packets moving from jail VNET to the actual interface?

I have a jail that uses a VNET bridge to the NIC. pf on the host doesn't seem to be able to filter packets through it. I've tried blocking everything on the bridge interface to test, yet the jail could pass packets with no issues (ping).

ifconfig on the host
Code:
re0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 9c:6b:00:ae:d1:2e
        inet 192.168.2.15 netmask 0xffffff00 broadcast 192.168.2.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=10<VLAN_HWTAGGING>
        ether 58:9c:fc:10:f7:ef
        inet 192.168.2.40 netmask 0xffffff00 broadcast 192.168.2.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        bridge flags=0<>
        member: epair41a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                port 4 priority 128 path cost 2000 vlan protocol 802.1q
        member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                port 1 priority 128 path cost 55 vlan protocol 802.1q
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>
epair41a: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: jail:sboxr
        options=20000b<RXCSUM,TXCSUM,VLAN_MTU,RXCSUM_IPV6>
        ether 58:9c:fc:10:9c:c2
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

The pf conf

Code:
ext_if="re0"
lan_net="192.168.2.0/24"

jseedr_ip="192.168.2.41"
jseedr_if="epair41a"

set block-policy drop
set skip on lo

## Default deny
#block all
#pass out on $ext_if from any to any keep state
#
## Host access (SSH)
#pass quick on $ext_if proto tcp from $lan_net to any port 22 keep state


block in on epair41a
block out on epair41a
You should change your setup to route the jail traffic. You cannot usefully filter on layer 2 with pf.
ipfw might be able to, but life will just be easier if you route rather than bridge.

(People might recommend a bridge sysctl. Do not do this. The implementation is hilariously broken. Do not use it. Yes, I deliberately did not name the specific sysctl, to discourage its use.)
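As an added example (not from either poster), this is what the routed layout the reply recommends looks like for this jail: epair41a leaves bridge0 and gets its own address on the host, the jail holds the other end, and the host forwards between the two, so pf sees the jail's traffic at layer 3 on both epair41a and re0 and the `block ... on epair41a` rules from the question start taking effect. The 10.41.0.0/30 transit network, the `jseedr_net` macro and the setup commands in the comments are assumptions, not values from the thread.

```pf
# One-time host setup (shell, not pf.conf), assumed for this example:
#   ifconfig bridge0 deletem epair41a
#   ifconfig epair41a inet 10.41.0.1/30 up
#   sysctl net.inet.ip.forwarding=1
# Inside the jail, epair41b gets 10.41.0.2/30 with 10.41.0.1 as its gateway.

ext_if="re0"
lan_net="192.168.2.0/24"

jseedr_if="epair41a"
jseedr_net="10.41.0.0/30"   # transit /30 between host and jail (assumed)
jseedr_ip="10.41.0.2"       # jail side of the epair (assumed)

set block-policy drop
set skip on lo

# Translation: the jail is no longer on the LAN segment, so masquerade
# its outbound traffic behind the host's LAN address.
nat on $ext_if from $jseedr_net to any -> ($ext_if)

# Default deny on every interface; everything below opens specific paths.
block all

# Host services: SSH from the LAN only, and unrestricted outbound from the host.
pass in on $ext_if proto tcp from $lan_net to ($ext_if) port 22 keep state
pass out on $ext_if keep state

# Jail policy. These rules are now enforced because the packets are routed
# through the host instead of switched past it by bridge0.
# 1. The jail may not initiate connections to the LAN.
block return in quick on $jseedr_if from $jseedr_ip to $lan_net
# 2. Anything else the jail starts (Internet via NAT, the host's transit
#    address) is allowed and tracked as state.
pass in on $jseedr_if from $jseedr_ip to any keep state
# 3. The host may reach the jail (for example to manage it).
pass out on $jseedr_if from (self) to $jseedr_ip keep state
```

To check the difference from the bridged setup, ping a LAN host from the jail (dropped by rule 1, visible with `pfctl -vvsr` counters or `tcpdump -ni pflog0`) and then ping a host outside the LAN (passes and shows up in `pfctl -ss` as a NAT state on re0).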