ipfw jail keyword broken in 11.3 by jail_getid changes

Kyle Evans kevans at freebsd.org
Tue Aug 20 17:58:03 UTC 2019


On Fri, Aug 2, 2019 at 12:50 AM Ari Suutari via freebsd-stable
<freebsd-stable at freebsd.org> wrote:
> On 1.8.2019 21.19, Kyle Evans wrote:
> > On Thu, Aug 1, 2019 at 8:43 AM Kyle Evans <kevans at freebsd.org> wrote:
> >> On Thu, Aug 1, 2019 at 1:38 AM Ari Suutari via freebsd-stable
> >> <freebsd-stable at freebsd.org> wrote:
> >>> Hi,
> >>>
> >>> We have a lot of servers using jails and ipfw rules with
> >>> numeric jail ids to limit access between them (something
> >>> like 'allow tcp from me to me 8086 jail 1 keep-state').
> >>>
> >>> This has been working very well for ages. Yesterday, we upgraded
> >>> first of these servers to 11.3. During boot there are now messages
> >>> like 'ipfw: jail 1 not found' and the rules are not loaded.
> >>>
> >>> I tracked this down to:
> >>> https://reviews.freebsd.org/rS348304
> >>>
> >>> ipfw calls jail_getid, which used to just return the id without checking
> >>> if string was numeric. In 11.3, the function has been changed to actually
> >>> check if the jail with given id exists.
> >>>
> >>> This doesn't really work in ipfw's context as the rules are loaded before
> >>> the jails are actually created.
> >>>
> >>>      Ari S.
> >> Hi,
> >>
> >> I've CC'd Andrey, who tends to work in this area. Apologies for not
> >> catching the breakage; I'll whip up a patch unless Andrey objects, but
> >> this area feels a bit finicky. I think a couple of things need to
> >> happen:
> >>
> >> 1.) To fix things -right now-, ipfw should fall back to strtoul if
> >> jail_getid fails and only error out if strtoul fails. This restores
> >> the functional status quo and still uses jail_getid properly, which is
> >> documented to return -1 if the jail does not exist.
> >>
> > I've created a review for this at [0] -- I can't test it, though, so
> > some testing would be appreciated.
> >
> > Thanks,
> >
> > Kyle Evans
> >
> > [0] https://reviews.freebsd.org/D21128
>
> Hi,
>
> I tested your change and can confirm that it fixes the issue.
>

secteam@ has given this EN-19:17.ipfw, to be included in 11.3-RELEASE-p3.

Thanks!

Kyle Evans
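The fallback described in point 1 of the thread (try jail_getid first, accept a plain numeric id only if that fails, and reject anything that is not a valid number), written out as an added example. This is not the patch in D21128 or FreeBSD's own ipfw code: jail_getid(3) is replaced by a constructed lookup table so the example runs outside FreeBSD, and the function name resolve_jail_arg is an assumption.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libjail's jail_getid(3), which returns the jid of an
 * existing jail or -1 if no such jail exists. Backed by a constructed
 * table here (assumption, not the real library) so it runs anywhere. */
typedef int (*jid_lookup_fn)(const char *name);

static int fake_jail_getid(const char *name)
{
    /* constructed: only jail "www" (jid 7) exists at rule-load time */
    if (strcmp(name, "www") == 0)
        return 7;
    return -1;
}

/* Resolve the argument of ipfw's "jail" keyword.
 * 1. Ask the jail subsystem; a running jail (by name or id) wins.
 * 2. Otherwise accept a bare numeric id, so rules referencing jails
 *    that are created later in boot still load.
 * Returns the jid, or -1 if neither path yields a valid id. */
static int resolve_jail_arg(const char *arg, jid_lookup_fn lookup)
{
    char *end;
    unsigned long v;
    int jid;

    if (arg == NULL || *arg == '\0')
        return -1;
    jid = lookup(arg);
    if (jid >= 0)
        return jid;                     /* jail exists: use its jid */

    /* strtoul silently accepts leading whitespace and a sign; a jid
     * must start with a digit, so reject those up front. */
    if (!isdigit((unsigned char)arg[0]))
        return -1;
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (*end != '\0')                   /* trailing junk, e.g. "12abc" */
        return -1;
    if (errno == ERANGE || v > INT_MAX) /* out of range for a jid */
        return -1;
    return (int)v;
}
```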
