[patch] allow testing VIMAGE with pf in base system only
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Thu Sep 9 20:05:09 UTC 2010
On Thu, 9 Sep 2010, Luiz Gustavo S. Costa wrote:

Hey,

> But I found something that may be unsafe within the jail environment,
> I'm allowed to change /dev/pf, so that if I run a "pfctl -f
> /etc/pf.conf" inside the jail to do with that the rules are read
> again, killing pf.conf on the main environment

yes, see the comment at the top of the patch:

! You should not leak /dev/pf into jails for now or they might
! change your rules;-)

See devfs, devfs.rules, etc. The jail startup script would usually
apply the devfsrules_jail defines in /etc/defaults/devfs.rules.

/bz
--
Bjoern A. Zeeb Welcome a new stage of life.