PF pfctl: socket: Protocol not supported

FreeBSD-12.3p3

I am configuring PF to run in a jail. When I run pfctl -nvf ./pf.conf.sshpipe the rule set is clean but the final statement displayed is: pfctl: socket: Protocol not supported. This does not happen when the same rule set is tested on the host system. What does this mean? Is this something to do with logging?
 
Is it a vnet jail?

Code:
     vnet    Create the jail with its own virtual network stack, with its own
             network interfaces, addresses, routing table, etc.  The kernel
             must have been compiled with the VIMAGE option for this to be
             available.  Possible values are “inherit” to use the system
             network stack, possibly with restricted IP addresses, and “new”
             to create a new network stack.
 
No. I use iocage to manage jails and the documentation says that vnet jails are an experimental feature and subject to system crashes. It does not specify if 'system' refers to the jail or the host but I must assume the latter in the absence of certainty.
 
A 'regular' jail doesn't have its own network stack, so you cannot use PF inside such a jail. This is only possible on a vnet enabled jail.
 
I enabled VNET on an iocage Jail, configured rc.conf and sysctl.conf on the host as specified in the iocage networking documentation. At least I followed the instructions as best I understood them. I started the jail. In iocage console ifconfig displays the ip4_addr assigned to it. One can no longer see that ip in ifconfig run on the host.

However, I cannot ping the jail from the host and the jail cannot ping the gateway. So the network is misconfigured in some way.

The rc.conf settings used are:
Code:
### VNET Jails (iocage) - also see sysctl.conf settings
cloned_interfaces="bridge0"
ifconfig_bridge0="addm igb0 up"

The sysctl.conf setting added are:
Code:
# Do not filter VNET for jails
net.link.bridge.pfil_onlyip=0         # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0         # Packet filter on the bridge interface
net.link.bridge.pfil_member=0         # Packet filter on the member interface

ifconfig on the host shows this:
Code:
[root@vhost01 ~ (master)]# ifconfig
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=e523bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 70:85:c2:da:88:4f
    inet 216.185.71.41 netmask 0xffffff80 broadcast 216.185.71.127
    inet 192.168.216.41 netmask 0xffffff00 broadcast 192.168.216.255
    inet 192.168.216.179 netmask 0xffffff00 broadcast 192.168.216.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:1a:39:ed:22:00
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: vnet0.2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 5 priority 128 path cost 2000
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>
vm-public: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 1e:2b:47:32:21:6c
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 20000
    groups: bridge vm-switch viid-4c918@
    nd6 options=1<PERFORMNUD>
vnet0.2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: sshpipe-3 as nic: epair0b
    options=8<VLAN_MTU>
    ether 70:85:c2:14:e6:67
    hwaddr 02:e8:86:36:4e:0a
    inet6 fe80::7285:c2ff:fe14:e667%vnet0.2 prefixlen 64 scopeid 0x5
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Ifconfig on the Jail shows this:
Code:
[root@sshpipe-3 ~]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 70:85:c2:14:e6:68
    hwaddr 02:e8:86:36:4e:0b
    inet 216.185.71.124 netmask 0xffffff00 broadcast 216.185.71.255
    inet 192.168.216.124 netmask 0xffffff00 broadcast 192.168.216.255
    inet 192.168.18.124 netmask 0xffffff00 broadcast 192.168.18.255
    inet6 fe80::7285:c2ff:fe14:e668%epair0b prefixlen 64 tentative scopeid 0x2
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

[root@sshpipe-3 ~]# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            216.185.71.1       UGS     epair0b
127.0.0.1          link#1             UH          lo0
192.168.18.0/24    link#2             U       epair0b
192.168.18.124     link#2             UHS         lo0
192.168.216.0/24   link#2             U       epair0b
192.168.216.124    link#2             UHS         lo0
216.185.71.0/24    link#2             U       epair0b
216.185.71.124     link#2             UHS         lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              ::1                UGRS        lo0
::1                link#1             UH          lo0
::ffff:0.0.0.0/96  ::1                UGRS        lo0
fe80::/10          ::1                UGRS        lo0
fe80::%lo0/64      link#1             U           lo0
fe80::1%lo0        link#1             UHS         lo0
fe80::%epair0b/64  link#2             U       epair0b
fe80::7285:c2ff:fe link#2             UHS         lo0
ff02::/16          ::1                UGRS        lo0

The iocage vnet settings for this jail are:
Code:
[root@vhost01 ~ (master)]# iocage get all sshpipe-3 | grep vnet
interfaces:vnet0:bridge0
ip4_addr:vnet0|216.185.71.124,vnet0|192.168.216.124,vnet0|192.168.18.124
vnet:1
vnet0_mac:7085c214e667 7085c214e668
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_default_interface:auto
vnet_interfaces:none

What am I missing to get this to work?
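Added example, not code from the thread: a small POSIX sh check that parses `ifconfig` output and reports whether a jail's host-side epair (vnet0.2 above) and the physical uplink (igb0) are members of the same bridge, which is the precondition for host-to-jail and jail-to-gateway traffic through a bridge. The embedded sample is a constructed trim of the host output posted above, and the function names are my own; in that output vnet0.2 is a member of bridge0 while igb0 is a member of vm-public, so the check reports a mismatch.

```shell
#!/bin/sh
# Added example: verify that a vnet jail's epair and the uplink NIC share a bridge.

# bridge_members: read ifconfig text on stdin, print "bridge member" pairs.
bridge_members() {
    awk '
        /^[A-Za-z0-9_.-]+: flags=/ { sub(/:.*/, "", $1); iface = $1; next }
        $1 == "member:"            { print iface, $2 }
    '
}

# bridge_of IFACE: print the bridge containing IFACE (empty if none). Stdin = ifconfig text.
bridge_of() {
    bridge_members | awk -v m="$1" '$2 == m { print $1 }'
}

# same_bridge EPAIR UPLINK: exit 0 if both are members of one bridge, 1 otherwise.
same_bridge() {
    text=$(cat)
    b1=$(printf '%s\n' "$text" | bridge_of "$1")
    b2=$(printf '%s\n' "$text" | bridge_of "$2")
    [ -n "$b1" ] && [ "$b1" = "$b2" ]
}

# Constructed sample, trimmed from the host ifconfig output posted in the thread.
SAMPLE='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.216.41 netmask 0xffffff00 broadcast 192.168.216.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    member: vnet0.2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 5 priority 128 path cost 2000
vm-public: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 20000
vnet0.2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: sshpipe-3 as nic: epair0b'

# On a live host, replace the sample with: ifconfig | same_bridge vnet0.2 igb0
if printf '%s\n' "$SAMPLE" | same_bridge vnet0.2 igb0; then
    echo "OK: vnet0.2 and igb0 are members of the same bridge"
else
    echo "MISMATCH: vnet0.2 on '$(printf '%s\n' "$SAMPLE" | bridge_of vnet0.2)'," \
         "igb0 on '$(printf '%s\n' "$SAMPLE" | bridge_of igb0)'"
fi
```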
 