how to (remember to) reload /etc/pf.conf when (re)starting a jail #761

igalic opened this issue May 23, 2020 · 3 comments
Comments

@igalic
Collaborator

igalic commented May 23, 2020

I declare my jails with ip4_addr=vnet0|dhcp, where the dnsmasq on the host provides IP addresses.
My pf.conf uses names rather than IPs, and looks like this:

scrub in all
nat pass on vtnet0 from 192.168.1.1/24 to any -> (vtnet0:0)
rdr on vtnet0 proto tcp from any to vtnet0 port 80 -> webproxy port 80
rdr on vtnet0 proto tcp from any to vtnet0 port 443 -> webproxy port 443
rdr on vtnet0 proto tcp from 192.168.1.1/24 to vtnet0 port 9000 -> webirc port 9000

So every time a jail (re)starts, pf needs to be reloaded.

What's the best way to do this?

@urosgruber
Contributor

I'm using prestart/poststart hooks in combination with anchors to add and remove this on a per-jail basis.

@igalic
Collaborator Author

igalic commented Jul 28, 2020

Would you mind sharing how, exactly?

@urosgruber
Contributor

So first of all, some related pf.conf configuration. I'm using a separate lo1 interface to handle all the traffic.

table <jails> persist counters
nat-anchor "jail-nat/*"
rdr-anchor "jail-rdr/*"
anchor "jail/*"                                  # filter rules loaded per jail by the poststart hook below
pass quick log on lo0 from <jails> to $jail_out  # allow connection from jail to external IP
pass quick on lo1 from <jails> to 172.16.0.1     # DNS for jails

Might be that some lines are missing but I hope you get the idea of how to dynamically handle this.

Poststart hook

  • add current IP to jails table
  • create rule on the anchor (jail interconnection; this example only allows the jail to connect to itself)
  • create nat on the anchor (I allow only http and https)

#!/usr/bin/env sh

# -e  If non interactive then exit immediately if a command fails.
# -u  Treat unset variables as an error when substituting.

set -eu

# jail name and jid, exported by iocage to its hooks
_name=$IOC_ID
_jid=$IOC_JID

# first dotted quad of ip4_addr (e.g. "lo1|172.16.0.5/24" -> 172.16.0.5);
# "head" keeps the pipeline's status 0 so an empty result is handled below
_ip=$(echo "$IOC_IP4_ADDR" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | head -n 1)
# interface part of ip4_addr (the text before the "|")
_if=$(echo "$IOC_IP4_ADDR" | cut -d"|" -f1)
_eif="igb0"

# no static address (e.g. "vnet0|dhcp"): there is nothing to load, so fail loudly
if [ -z "$_ip" ]; then
    echo "no IPv4 address found in IOC_IP4_ADDR=$IOC_IP4_ADDR" >&2
    exit 1
fi

# FW
printf "  + Allow outbound access    "
pfctl -t jails -T add "$_ip" 2>/dev/null
printf 'pass on %s from %s to %s\n' "$_if" "$_ip" "$_ip" | pfctl -a "jail/$_name" -f -
# braces are literal inside double quotes; the original "..."{ http, https }"..." nesting
# only produced the right text by accident of word splitting
echo "nat on $_eif inet proto tcp from $_ip to ! $_ip port { http, https } -> ($_eif:0)" | pfctl -a "jail-nat/$_name" -f -

Prestop hook

  • remove IP from jails table
  • remove rules for the anchor
  • remove nat from the anchor
#!/usr/bin/env sh

# -e  If non interactive then exit immediately if a command fails.
# -u  Treat unset variables as an error when substituting.

set -eu

_name=$IOC_ID
_jid=$IOC_JID

# first dotted quad of ip4_addr; empty when the jail uses dhcp
_ip=$(echo "$IOC_IP4_ADDR" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | head -n 1)
_if=$(echo "$IOC_IP4_ADDR" | cut -d"|" -f1)

# FW: flush the anchors first, so a failing table delete under set -e cannot leave rules behind
pfctl -a "jail/$_name" -F rules 2>/dev/null
pfctl -a "jail-nat/$_name" -F nat 2>/dev/null
if [ -n "$_ip" ]; then
    pfctl -t jails -T delete "$_ip" 2>/dev/null
fi
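The poststart hook above, as an added example that is neither the issue's nor iocage's code, with the rule generation split into testable functions and extended to the dhcp case from the original question (the jail is asked for its lease). It assumes iocage exports IOC_ID, IOC_JID and IOC_IP4_ADDR as in the hooks above, that the vnet interface keeps the name from ip4_addr inside the jail, and that the external interface is igb0.

```shell
#!/bin/sh
# Added example (not the issue's or iocage's code): helpers for a poststart hook
# that derive the per-jail pf rules from iocage's IOC_* variables and fail
# instead of loading empty rules when no IPv4 address can be determined
# (e.g. ip4_addr="vnet0|dhcp").  Assumed: IOC_ID/IOC_JID/IOC_IP4_ADDR are
# exported, and the vnet interface keeps its ip4_addr name inside the jail.
set -eu

# Interface part of a spec such as "vnet0|10.0.0.5/24".
spec_iface() { printf '%s\n' "${1%%|*}"; }

# Static address part without prefix length; empty for dhcp/accept_rtadv/none.
spec_ip() {
    rest=${1#*|}
    rest=${rest%%/*}
    case $rest in
        "" | *[!0-9.]*) printf '\n' ;;
        *) printf '%s\n' "$rest" ;;
    esac
}

# Static address from the spec, otherwise ask the running jail for its
# DHCP lease (assumption: jexec + ifconfig); fails when nothing is found.
jail_ip() {   # jid spec
    ip=$(spec_ip "$2")
    if [ -z "$ip" ]; then
        ip=$(jexec "$1" ifconfig "$(spec_iface "$2")" inet 2>/dev/null \
             | awk '/inet /{print $2; exit}')
    fi
    [ -n "$ip" ] || { echo "no IPv4 address for jail $1 ($2)" >&2; return 1; }
    printf '%s\n' "$ip"
}

# Rule text for the "jail/<name>" and "jail-nat/<name>" anchors.
anchor_rules() { printf 'pass on %s from %s to %s\n' "$1" "$2" "$2"; }   # iface ip
anchor_nat() {   # eif ip
    printf 'nat on %s inet proto tcp from %s to ! %s port { http, https } -> (%s:0)\n' \
        "$1" "$2" "$2" "$1"
}

# Real pfctl calls only when running as an iocage hook (IOC_ID is set).
if [ -n "${IOC_ID:-}" ]; then
    ip=$(jail_ip "$IOC_JID" "$IOC_IP4_ADDR")
    pfctl -t jails -T add "$ip"
    anchor_rules "$(spec_iface "$IOC_IP4_ADDR")" "$ip" | pfctl -a "jail/$IOC_ID" -f -
    anchor_nat igb0 "$ip" | pfctl -a "jail-nat/$IOC_ID" -f -
fi
```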
