[Bug 260973] pf: firewall rules stop matching when vnet jails share interface names with the host
Date: Mon, 14 Feb 2022 15:37:06 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260973 --- Comment #3 from Kristof Provost <kp@freebsd.org> --- With the disclaimer that this is entirely from memory and may be incorrect or outdated: I'm aware of several somewhat related issues around interface naming. One is this, that when an interface is moved between vnets (e.g. when the jail it lives in goes away) there's no check for name collisions. That's non-trivial to solve, because the relevant code paths often have no ability to return errors if there's a name collision and the locking around interface names is also unclear (and likely wrong in several places). There's a loosely related issue with interface groups as well (see #218895, #202178). Now that interfaces can be renamed it's possible to have an interface group and an interface with the same name (and the interface need not even be a member of the group). This has previously triggered panics in pf, as it assumes that interfaces and interface groups share a namespace (and this was historically the case, in that interfaces always ended with a number and groups never did. The former is no longer the case, but the latter is still enforced). This issue too is difficult to solve for the same reasons as the problem described in this bug (lack of error paths, unclear locking). When I looked at it last I estimated this to be a significant (plausibly multi-month) effort to fix. I do not expect to work on these problems any time soon. -- You are receiving this mail because: You are the assignee for the bug.