testing 11.0-RC1 vnet jails with ipfilter

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Tue Aug 16 23:21:40 UTC 2016


On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:

> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
> <snip>
>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
>> message, "open device:no such file or directory. User kernel version
>> check failed."
>
> According to ipf(8), the ipfilter utilities touch /dev/ipauth, /dev/ipl,
> and /dev/ipstate. Have you checked that the devfs ruleset applied to
> your jail has those unhidden?
>
>> Issuing "ipfstat -hnio" command from within the vnet jail gives this
>> message, "open(IPSTATE_NAME):no such file or directory."
>
> ipfstat(8) also lists /dev/kmem; I suspect that including this may be a
> bad idea.

/dev/kmem is a bad idea;  I should go and check what it is using it for 
and if needed we should fix that.


I guess the general thing is that we might want to create another 
default set of devfs rules which include additional nodes we now 
consider safe inside VNET jails;  the jail.conf still needs to know the 
right ruleset to apply, so the jail.conf would need to specify the other 
devfs_ruleset="..." for vnet jails.  Maybe Jamie could then come up 
with an intelligent solution that would automagically flip things if 
option vnet is set?   I guess jail.conf(5) will need more examples for 
these things as well.


/bz
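As an added, concrete illustration of the separate ruleset Bjoern sketches above (this is an example written for this page, not from the thread or from FreeBSD's shipped /etc/defaults/devfs.rules): a devfs ruleset for VNET jails that run ipfilter, which starts from the same includes as the stock devfsrules_jail ruleset, unhides only the three nodes CyberLeo named, keeps /dev/kmem hidden, and a jail.conf stanza that selects it. The ruleset number 5, the ruleset name devfsrules_jail_vnet_ipf, the jail name vnetipf, the interface epair0b and the paths are all assumptions; pick a ruleset number that is not already defined in /etc/defaults/devfs.rules on the system.

```conf
# /etc/devfs.rules  (added example; ruleset number 5 and its name are assumed
# to be unused on this system; check /etc/defaults/devfs.rules first)
[devfsrules_jail_vnet_ipf=5]
# Same base as the stock devfsrules_jail ruleset (4):
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
# The nodes ipf(8) and ipfstat(8) open, as listed in the thread above:
add path ipl unhide
add path ipauth unhide
add path ipstate unhide
# Deliberately NOT unhidden: kmem. ipfstat(8) lists it, but unhiding it hands
# the jail read access to kernel memory, which defeats the point of the jail.
# (ipnat(8) opens /dev/ipnat, which the thread does not mention; if NAT is
# needed inside the jail, unhide it the same way.)

# /etc/jail.conf  (added example; jail name, paths and interface are assumptions)
vnetipf {
	path = "/jails/vnetipf";
	host.hostname = "vnetipf.example.org";
	vnet;
	vnet.interface = "epair0b";
	exec.start = "/bin/sh /etc/rc";
	exec.stop = "/bin/sh /etc/rc.shutdown";
	mount.devfs;
	devfs_ruleset = 5;
}
```

After editing /etc/devfs.rules, `service devfs restart` loads the rulesets and `devfs rule -s 5 show` prints what ruleset 5 actually contains; the ruleset has to exist before the jail is (re)started, since jail(8) applies it when it mounts the jail's devfs. The check a practitioner wants from the host is `jexec vnetipf ls -l /dev/ipl /dev/ipauth /dev/ipstate /dev/kmem`: the first three should be listed and the lookup of /dev/kmem should fail. Only then does it make sense to re-run `ipf -FS -Fa` inside the jail; if ipfstat(8) still complains, that is the /dev/kmem dependency Bjoern says should be looked at, not a ruleset problem.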

