ipfw jail keyword broken in 11.3 by jail_getid changes

Ari Suutari ari at stonepile.fi
Thu Aug 1 06:03:00 UTC 2019


Hi,

We have a lot of servers using jails and ipfw rules with
numeric jail ids to limit access between them (something
like 'allow tcp from me to me 8086 jail 1 keep-state').

This has been working very well for ages. Yesterday, we upgraded
the first of these servers to 11.3. During boot there are now messages
like 'ipfw: jail 1 not found' and the rules are not loaded.

I tracked this down to:
https://reviews.freebsd.org/rS348304

ipfw calls jail_getid, which used to just return the id without checking
if the string was numeric. In 11.3, the function has been changed to actually
check if the jail with the given id exists.

This doesn't really work in ipfw's context as the rules are loaded before
the jails are actually created.

    Ari S.
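A small C model, added here and not code from libjail, ipfw or the post, of the two jail_getid behaviours the report contrasts: `resolve_jail_arg_lenient` returns a purely numeric argument as the id without checking that such a jail exists (the pre-11.3 behaviour), while `resolve_jail_arg_strict` additionally requires the jail to be running (the 11.3 behaviour). The running-jail table, `add_running_jail` and both resolver names are constructed for this example; the table is empty at the point boot-time scripts load the ipfw rules, which is exactly the "jail 1 not found" case.

```c
#include <assert.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the kernel's list of running jails. It is
 * empty while rc scripts load ipfw rules, before any jail is created. */
#define MAXJAILS 8
static const char *jail_names[MAXJAILS];
static int jail_ids[MAXJAILS];
static int njails;
void add_running_jail(const char *name, int jid) {
    if (njails < MAXJAILS) { jail_names[njails] = name; jail_ids[njails] = jid; njails++; }
}
static int jail_exists(int jid) {
    for (int i = 0; i < njails; i++) if (jail_ids[i] == jid) return 1;
    return 0;
}
static int jail_lookup_name(const char *name) {
    for (int i = 0; i < njails; i++)
        if (strcmp(jail_names[i], name) == 0) return jail_ids[i];
    return -1;
}
/* Pre-11.3 behaviour: a purely numeric argument is returned as the jail id
 * as-is, so "jail 1" parses even though jail 1 does not exist yet. */
int resolve_jail_arg_lenient(const char *s) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (*s != '\0' && *end == '\0' && errno == 0 && v >= 0 && v <= INT_MAX)
        return (int)v;
    return jail_lookup_name(s);   /* not numeric: treat it as a jail name */
}
/* 11.3 behaviour: a numeric id must also belong to a running jail, which
 * is what makes ipfw report "jail 1 not found" at boot. */
int resolve_jail_arg_strict(const char *s) {
    int jid = resolve_jail_arg_lenient(s);
    return (jid >= 0 && jail_exists(jid)) ? jid : -1;
}
int main(void) {
    assert(resolve_jail_arg_lenient("1") == 1);   /* rule loads before the jail */
    assert(resolve_jail_arg_strict("1") == -1);   /* "jail 1 not found" */
    add_running_jail("www", 1);                   /* jail started later */
    assert(resolve_jail_arg_strict("1") == 1);    /* same rule now resolves */
    return 0;
}
```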


