BastilleBSD / bastille

Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD.
https://bastillebsd.org
BSD 3-Clause "New" or "Revised" License

[BUG] bastille_network_pf_ext_if (ext_if) not defined in pf.conf #645

Closed eoli3n closed 9 months ago

eoli3n commented 10 months ago

[MANDATORY] Describe the bug

When I start my jails, bastille complains.

pfctl: Invalid argument.
[nsd]:
nsd: created
bastille_network_pf_ext_if (ext_if) not defined in pf.conf

/etc/pf.conf

ext_if="vtnet0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)

rdr-anchor "rdr/*"
anchor "blacklistd/*" in on $ext_if

table <blockedips> persist file "/etc/pf.blocked.ip.conf"
block drop in log quick from <blockedips>

block in all
pass out quick keep state
antispoof for $ext_if inet

pass in inet proto tcp from any to any port { **************** } flags S/SA keep state
pass in inet proto udp from any to any port { ** } keep state

Then I can't even stop a jail; it hangs indefinitely. My configuration has been working for two years without problems, and I didn't change anything except upgrading.

[MANDATORY] Bastille and FreeBSD version (paste bastille -v && freebsd-version -kru output)

# bastille -v && freebsd-version -kru
0.10.20231013
13.2-RELEASE-p4
13.2-RELEASE-p4
13.2-RELEASE-p6

[MANDATORY] How did you install bastille? (port/pkg/git)

pkg

[optional] Steps to reproduce?

Upgrade to the latest version of FreeBSD 13.2 and pkg, then start a jail.

eoli3n commented 10 months ago

Workaround: downgrade to the quarterly package

#  bastille -v
0.9.20220714
socphoenix commented 9 months ago

This is still causing issues on 13.2-RELEASE, would hang indefinitely on restart/stop commands. Downgrade worked for now.

cedwards commented 9 months ago

Please compare the bastille.conf with the bastille.conf.sample and merge any missing configuration lines. A couple were added this year that lead to this type of behavior if not found.

cd /usr/local/etc/bastille
diff -u bastille.conf bastille.conf.sample
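A small script, added here as an example (it is not Bastille's own code and not part of any comment in this thread), that automates the diff-and-merge step above: it lists the key=value lines the sample has that the live bastille.conf lacks, appends them with their sample defaults, and then checks that pf.conf really defines the interface macro and the persist table those settings name, so a missing line shows up as a clear message instead of a hanging jail. The setting names bastille_network_pf_ext_if and bastille_network_pf_table and their defaults "ext_if" and "jails" are assumed from the error message in this issue and from the sample file; the three files the script creates under a temporary directory are constructed inputs, not the project's files or anyone's real configuration.

```sh
#!/bin/sh
# Added example (not Bastille's own code): merge settings that a newer
# bastille.conf.sample introduced into an older bastille.conf, then verify
# that pf.conf defines the macro and table those settings name.
# Assumed: the setting names bastille_network_pf_ext_if / bastille_network_pf_table
# and their defaults "ext_if" / "jails" (from the error in this issue and the sample).

# list_missing_keys CONF SAMPLE: print each key=value line of SAMPLE whose key
# is not set anywhere in CONF. Comment and blank lines in SAMPLE are skipped.
list_missing_keys() {
    conf="$1"; sample="$2"
    grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$sample" | while IFS= read -r line; do
        key="${line%%=*}"
        if ! grep -qE "^[[:space:]]*${key}=" "$conf"; then
            printf '%s\n' "$line"
        fi
    done
}

# count_missing CONF SAMPLE: how many such lines there are (0 when in sync).
count_missing() {
    list_missing_keys "$1" "$2" | awk 'END { print NR }'
}

# merge_missing_keys CONF SAMPLE: append the missing lines, keeping the sample's
# default values and trailing comments, under a marker. Safe to re-run.
merge_missing_keys() {
    missing=$(list_missing_keys "$1" "$2")
    if [ -n "$missing" ]; then
        {
            printf '\n## merged from bastille.conf.sample on %s\n' "$(date +%Y-%m-%d)"
            printf '%s\n' "$missing"
        } >> "$1"
    fi
}

# conf_value CONF KEY DEFAULT: KEY's value in CONF with quotes and any trailing
# "## comment" stripped; DEFAULT if CONF does not set KEY (last setting wins).
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([A-Za-z0-9_]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# check_pf_conf CONF PFCONF: succeed only if PFCONF defines the interface macro
# (ext_if="...") and the persist table (<jails>) that CONF points Bastille at.
check_pf_conf() {
    ext_if=$(conf_value "$1" bastille_network_pf_ext_if ext_if)
    table=$(conf_value "$1" bastille_network_pf_table jails)
    rc=0
    if ! grep -qE "^[[:space:]]*${ext_if}=" "$2"; then
        echo "bastille_network_pf_ext_if (${ext_if}) not defined in $2" >&2; rc=1
    fi
    if ! grep -qE "^[[:space:]]*table[[:space:]]+<${table}>" "$2"; then
        echo "bastille_network_pf_table (${table}) not defined in $2" >&2; rc=1
    fi
    return $rc
}

# ---- constructed demo inputs (not the real files on any host) ----
demo_dir=$(mktemp -d)
# An older bastille.conf that predates the pf settings:
cat > "$demo_dir/bastille.conf" <<'EOF'
bastille_zfs_enable="NO"
bastille_network_loopback="bastille0"
bastille_network_shared=""
EOF
# A newer sample that adds two pf settings:
cat > "$demo_dir/bastille.conf.sample" <<'EOF'
bastille_zfs_enable="NO"                  ## default: ""
bastille_network_loopback="bastille0"     ## default: "bastille0"
bastille_network_shared=""                ## default: ""
## pf configuration
bastille_network_pf_ext_if="ext_if"       ## default: "ext_if"
bastille_network_pf_table="jails"         ## default: "jails"
EOF
# A pf.conf of the shape Bastille expects (macro, table, nat, rdr anchor):
cat > "$demo_dir/pf.conf" <<'EOF'
ext_if="vtnet0"
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"
EOF

# Usage: show what is missing, merge it, then validate pf.conf against the result.
echo "missing before merge: $(count_missing "$demo_dir/bastille.conf" "$demo_dir/bastille.conf.sample")"
merge_missing_keys "$demo_dir/bastille.conf" "$demo_dir/bastille.conf.sample"
echo "missing after merge:  $(count_missing "$demo_dir/bastille.conf" "$demo_dir/bastille.conf.sample")"
check_pf_conf "$demo_dir/bastille.conf" "$demo_dir/pf.conf" && echo "pf.conf matches bastille.conf"
```

On a real host you would point the functions at /usr/local/etc/bastille/bastille.conf, /usr/local/etc/bastille/bastille.conf.sample and /etc/pf.conf instead of the temporary files, and run list_missing_keys first so you can review the sample defaults before merge_missing_keys appends them; the check only greps for the macro and table definitions, it does not parse pf syntax, so keep `pfctl -nf /etc/pf.conf` as the final validation.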
socphoenix commented 9 months ago

Please compare the bastille.conf with the bastille.conf.sample and merge any missing configuration lines. A couple were added this year that lead to this type of behavior if not found.

cd /usr/local/etc/bastille
diff -u bastille.conf bastille.conf.sample

Thank you, it was missing several lines relating to pf configuration.

eoli3n commented 9 months ago

Fixed for me too. Thanks

ntn888 commented 4 months ago

I get the exact same error:

$ sudo bastille start natJail
[natJail]:
natJail: created
pfctl: DIOCGETRULES: Invalid argument
$ bastille -v
0.10.20231125

The diff command reports no changes between the two files above, and they are identical to the current version in the repo: https://github.com/BastilleBSD/bastille/blob/master/usr/local/etc/bastille/bastille.conf.sample

EDIT: never mind; it has no real effect/issues. The redirection is working.

KiriakosGeorgiou commented 3 months ago

It works fine on FreeBSD 13.2, but I get the "pfctl: DIOCGETRULES: Invalid argument" too on 14.0 and 14.1 no matter what I've tried. I even installed a fresh FreeBSD 14.1 with the minimal /etc/pf.conf required by bastille and created a test jail; same problem. The rdr and the jails do appear to work fine.

KiriakosGeorgiou commented 3 months ago

I backed out of my "upgrade" to FreeBSD 14.1 and went with FreeBSD 13.3 instead, which is supported for another year. I imported my jails and all is good, no pfctl error. Hopefully this will be fixed eventually.