testing 11.0-RC1 vnet jails with ipfilter
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Tue Aug 16 23:21:40 UTC 2016
On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:
> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
> <snip>
>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
>> message, "open device:no such file or directory. User kernel version
>> check failed."
>
> According to ipf(8), the ipfilter utilities touch /dev/ipauth, /dev/ipl,
> and /dev/ipstate. Have you checked that the devfs ruleset applied to
> your jail has those unhidden?
>
>> Issuing "ipfstat -hnio" command from within the vnet jail gives this
>> message, open(IPSTATE_NAME):no such file or directory.
>
> ipfstat(8) also lists /dev/kmem; I suspect that including this may be
> a bad idea.
/dev/kmem is a bad idea; I should go and check what it is using it for
and if needed we should fix that.
I guess the general thing is that we might want to create another
default set of devfs rules which include additional nodes we now
consider safe inside VNET jails; the jail.conf still needs to know the
right ruleset to apply, so the jail.conf would need to specify the other
devfs_ruleset=".." for vnet jails. Maybe Jamie could then come up
with an intelligent solution that would automagically flip things if
option vnet is set? I guess jail.conf(5) will need more examples for
these things as well.
/bz
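The ruleset Bjoern sketches above, worked through as an added example (this is not code from the thread or from the FreeBSD project): a shell script that generates a devfs.rules stanza for VNET jails running ipfilter and the matching jail.conf stanza. The stanza inherits the stock devfsrules_jail ruleset and unhides only the three control nodes named earlier in the thread (/dev/ipauth, /dev/ipl, /dev/ipstate); /dev/kmem stays hidden, and a guard function refuses any ruleset that would expose it. The ruleset number 5, the jail name "fw", its path and the epair interface name are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeBSD base system.
# Generates (does not install) a devfs ruleset for VNET jails that need the
# ipfilter control nodes, plus a jail.conf stanza that selects it.
# Assumptions: ruleset number 5 is free on the host; jail name, path and
# epair interface below are placeholders.

RULESET_NAME=devfsrules_jail_vnet_ipf
RULESET_NUM=5

# devfs.rules stanza: start from the stock jail ruleset (devfsrules_jail) and
# unhide only the nodes ipf(8) and ipfstat(8) open, as listed in the thread.
# /dev/kmem is deliberately left hidden.
vnet_ipf_devfs_rules() {
    cat <<EOF
[${RULESET_NAME}=${RULESET_NUM}]
add include \$devfsrules_jail
add path ipauth unhide
add path ipl unhide
add path ipstate unhide
EOF
}

# jail.conf stanza for a VNET jail using that ruleset.
# Arguments: jail name, jail root directory, epair interface for the jail side.
jail_conf_stanza() {
    name=$1; root=$2; iface=$3
    cat <<EOF
${name} {
    path = "${root}";
    vnet;
    vnet.interface = "${iface}";
    mount.devfs;
    devfs_ruleset = ${RULESET_NUM};
}
EOF
}

# Guard: succeed only if the ruleset text never unhides raw memory devices.
# Argument: ruleset text (as produced by vnet_ipf_devfs_rules).
ruleset_is_safe() {
    ! printf '%s\n' "$1" | grep -Eq '^add path (kmem|mem|io) unhide'
}

# Succeed if the ruleset text unhides the named device node.
# Arguments: ruleset text, device name relative to /dev.
ruleset_unhides() {
    printf '%s\n' "$1" | grep -Eq "^add path $2 unhide"
}

# Usage: ./vnet-ipf-rules.sh show   (prints both stanzas for review)
case "${1:-}" in
show)
    rules=$(vnet_ipf_devfs_rules)
    ruleset_is_safe "$rules" || { echo "refusing: ruleset unhides kmem/mem/io" >&2; exit 1; }
    printf '%s\n\n' "$rules"
    jail_conf_stanza fw /usr/jails/fw epair0b
    ;;
esac
```

To apply it on a host, append the first stanza to /etc/devfs.rules and run `service devfs restart`; a jail that is already running does not pick up the change until the ruleset is reapplied to its devfs mount with `devfs -m /usr/jails/fw/dev rule -s 5 applyset` (path and ruleset number per the assumptions above). Check with `ls -l /usr/jails/fw/dev` that ipl, ipauth and ipstate appear and kmem does not before running `ipf -FS -Fa` inside the jail.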
More information about the freebsd-questions mailing list