testing 11.0-RC1 vnet jails with ipfilter

Ernie Luzar luzar722 at gmail.com
Wed Aug 17 01:04:56 UTC 2016

Bjoern A. Zeeb wrote:
> On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:
>> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
>> <snip>
>>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
>>> message, "open device:no such file or directory. User kernel version
>>> check failed.
>> According to ipf(8), the ipfilter utilities touch /dev/ipauth , /dev/ipl
>> , and /dev/ipstate . Have you checked that the devfs ruleset applied to
>> your jail has those unhidden?
>>> Issuing "ipfstat -hnio command from within the vnet jail gives this
>>> message, open(IPSTATE_NAME):no such file or directory.
>> ipfstat(8) also lists /dev/kmem ; I suspect that including this may be a
>> bad idea.
> /dev/kmem is a bad idea;  I should go and check what it is using it for 
> and if needed we should fix that.
> I guess the general thing is that we might want to create another 
> default set of devfs rules which include additional nodes we now 
> consider safe inside VNET jails;  the jail.conf still needs to know the 
> right ruleset to apply, so the jail.conf would need to specify the other 
> devfs_ruleset=“..” for vnet jails.  Maybe Jamie could then come up with 
> an intelligent solution that would automatically flip things if option 
> vnet is set?   I guess jail.conf(5) will need more examples for these 
> things as well.
> /bz

If thats the road you are thinking of going down, then we have to look 
at the big picture. Is another rule set say number 5 that includes rule 
set number 4 plus the nodes for ipfilter, pf, and ipfw. Or maybe a 
separate rule set for each firewall which is more secure.

There is no way jail(8) could know which firewall if any was going to be 
run in the vnet jail to select the correct rule if there were separate 
rules for each firewall. A combined rule set containing everything 
needed for all 3 firewalls would be something jail(8) could auto default 
to if vnet option was coded.

In light of 11.0 release being published soon there should be something 
posted to the release notes talking about this with sample code for a 
combined rule #5. This would give vnet users a copy & paste solution to 
use until jail(8) gets updated in 11.1.

I tried this rule set in /etc/devfs.rules

add include $devfsrules_jail
add path /dev/ipl unhide
add path /dev/ipauth unhide
add path /dev/ipstate unhide

Boot time get error message that this was invalid.

If I could get a correct syntax combined rule #5 file, I could continue 
  testing all 3 firewalls using 11.0-RC1.

Your help would be greatly appreciated.

More information about the freebsd-questions mailing list