ipfw jail keyword broken in 11.3 by jail_getid changes
Ari Suutari
ari at stonepile.fi
Fri Aug 2 05:50:44 UTC 2019
Hi,
I tested your change and can confirm that it fixes the issue.
Ari S.
On 1.8.2019 21.19, Kyle Evans wrote:
> On Thu, Aug 1, 2019 at 8:43 AM Kyle Evans <kevans at freebsd.org> wrote:
>> On Thu, Aug 1, 2019 at 1:38 AM Ari Suutari via freebsd-stable
>> <freebsd-stable at freebsd.org> wrote:
>>> Hi,
>>>
>>> We have a lot of servers using jails and ipfw rules with
>>> numeric jail ids to limit access between them (something
>>> like 'allow tcp from me to me 8086 jail 1 keep-state').
>>>
>>> This has been working very well for ages. Yesterday, we upgraded
>>> first of these servers to 11.3. During boot there are now messages
>>> like 'ipfw: jail 1 not found' and the rules are not loaded.
>>>
>>> I tracked this down to:
>>> https://reviews.freebsd.org/rS348304
>>>
>>> ipfw calls jail_getid, which used to just return the id without checking
>>> if string was numeric. In 11.3, the function has been changed to actually
>>> check if the jail with given id exists.
>>>
>>> This doesn't really work in ipfw's context as the rules are loaded before
>>> the jails are actually created.
>>>
>>> Ari S.
>> Hi,
>>
>> I've CC'd Andrey, who tends to work in this area. Apologies for not
>> catching the breakage. I'll whip up a patch unless Andrey objects, but
>> this area feels a bit finicky. I think a couple of things need to
>> happen:
>>
>> 1.) To fix things -right now-, ipfw should fall back to strtoul if
>> jail_getid fails and only error out if strtoul fails. This restores
>> the functional status quo and still uses jail_getid properly, which is
>> documented to return -1 if the jail does not exist.
>>
> I've created a review for this at [0] -- I can't test it, though, so
> some testing would be appreciated.
>
> Thanks,
>
> Kyle Evans
>
> [0] https://reviews.freebsd.org/D21128
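The fallback Kyle describes (try jail_getid first, then accept a purely numeric id, and only then fail) as an added, self-contained example. This is not ipfw's or libjail's code: the jail table and fake_jail_getid() are constructed stand-ins for the real jail_getid(3), which returns -1 when no jail with that name or id is running, and parse_jail_arg() is a hypothetical name for the rule-parsing step.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the set of jails currently running.
 * Note that jail 1 is deliberately absent: rules referencing it are
 * loaded at boot before the jail is created, which is the case that
 * broke in 11.3. */
struct fake_jail { const char *name; int jid; };
static const struct fake_jail running_jails[] = {
    { "www", 2 },
    { "db",  3 },
};
#define N_JAILS (sizeof(running_jails) / sizeof(running_jails[0]))

/* Constructed stand-in for jail_getid(3) after rS348304: resolve a name
 * or numeric id to a jail that exists right now, else return -1. */
static int fake_jail_getid(const char *spec)
{
    size_t i;
    char *end;
    long v;

    for (i = 0; i < N_JAILS; i++)
        if (strcmp(spec, running_jails[i].name) == 0)
            return running_jails[i].jid;

    errno = 0;
    v = strtol(spec, &end, 10);
    if (errno == 0 && *spec != '\0' && *end == '\0')
        for (i = 0; i < N_JAILS; i++)
            if (running_jails[i].jid == v)
                return (int)v;
    return -1;
}

/* Hypothetical ipfw-side parser implementing the proposed fix:
 * 1. accept whatever jail_getid() resolves (name or id of a live jail);
 * 2. otherwise accept a strictly numeric id so the rule can be loaded
 *    before the jail exists;
 * 3. otherwise return -1 so the caller can report "jail X not found". */
int parse_jail_arg(const char *spec)
{
    char *end;
    unsigned long v;
    int jid;

    jid = fake_jail_getid(spec);
    if (jid >= 0)
        return jid;

    /* strtoul silently accepts leading whitespace and a sign; reject
     * those so "-1" or " 1" cannot sneak through as a jail id. */
    if (*spec == '\0' || *spec == '-' || *spec == '+' ||
        isspace((unsigned char)*spec))
        return -1;

    errno = 0;
    v = strtoul(spec, &end, 10);
    if (errno != 0 || *end != '\0' || v > INT_MAX)
        return -1;
    return (int)v;
}
```

With this ordering a rule such as 'jail 1' still loads at boot (numeric fallback), 'jail www' resolves through the lookup, and a non-numeric name that is not running is the only case that errors out, which matches the behaviour the thread says existed before 11.3.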