Date: Tue, 16 Aug 2016 23:21:31 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: "CyberLeo Kitsana" <cyberleo@cyberleo.net>
Cc: "Ernie Luzar" <luzar722@gmail.com>, "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>, "Freebsd Questions" <FreeBSD-questions@freebsd.org>, krad <kraduk@gmail.com>, "James Gritton" <jamie@freebsd.org>
Subject: Re: testing 11.0-RC1 vnet jails with ipfilter
Message-ID: <89E52542-8E6B-4BA6-921E-E939A3F3A038@lists.zabbadoz.net>
In-Reply-To: <b640b4fa-ba88-9fde-41a0-339d9d4a897b@cyberleo.net>
References: <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net> <CALfReyeR_4pM6FsrFZxTbHNoC1_yd3SZW72Ze9Bo354itzEgWQ@mail.gmail.com> <F610E6D1-6622-4E15-98B4-F7AD58EEA9CF@lists.zabbadoz.net> <57B375C6.9030500@gmail.com> <b640b4fa-ba88-9fde-41a0-339d9d4a897b@cyberleo.net>
On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:

> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
> <snip>
>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
>> message, "open device:no such file or directory. User kernel version
>> check failed."
>
> According to ipf(8), the ipfilter utilities touch /dev/ipauth, /dev/ipl,
> and /dev/ipstate. Have you checked that the devfs ruleset applied to
> your jail has those unhidden?
>
>> Issuing "ipfstat -hnio" command from within the vnet jail gives this
>> message, open(IPSTATE_NAME):no such file or directory.
>
> ipfstat(8) also lists /dev/kmem; I suspect that including this may be a
> bad idea.

/dev/kmem is a bad idea; I should go and check what it is using it for and
if needed we should fix that.

I guess the general thing is that we might want to create another default
set of devfs rules which include additional nodes we now consider safe
inside VNET jails; the jail.conf still needs to know the right ruleset to
apply, so the jail.conf would need to specify the other devfs_ruleset=".."
for vnet jails.

Maybe Jamie could then come up with an intelligent solution that would
automagically flip things if option vnet is set?

I guess jail.conf(5) will need more examples for these things as well.

/bz
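An added example, not part of the thread and not FreeBSD's own configuration, showing what the two suggestions above amount to in practice: a devfs.rules(5) ruleset that builds on the stock devfsrules_jail set and unhides only the three nodes ipf(8) and ipfstat(8) open (ipl, ipstate, ipauth), leaving /dev/kmem hidden, plus a check to run inside the jail before invoking ipf so that "open device: no such file or directory" is recognised as a devfs problem rather than a kernel/userland mismatch. The ruleset name devfsrules_jail_ipf and the number 100 are my assumptions; use any number not already taken in /etc/defaults/devfs.rules or /etc/devfs.rules.

```shell
#!/bin/sh
# Added example (not from the thread): a devfs ruleset that unhides the
# ipfilter control nodes inside a VNET jail, plus a pre-flight check.
# Ruleset name and number below are assumptions, not FreeBSD defaults.

IPF_RULESET_NAME="devfsrules_jail_ipf"
IPF_RULESET_NUM=100

# Print the ruleset in devfs.rules(5) syntax. It includes the stock
# devfsrules_jail set and adds only the nodes ipf(8)/ipfstat(8) open;
# the kernel memory device is deliberately left hidden.
ipf_devfs_ruleset() {
    cat <<EOF
[${IPF_RULESET_NAME}=${IPF_RULESET_NUM}]
add include \$devfsrules_jail
add path ipl unhide
add path ipstate unhide
add path ipauth unhide
EOF
}

# Append the ruleset to a devfs.rules file (default /etc/devfs.rules)
# unless a section with that name is already present.
install_ipf_ruleset() {
    file="${1:-/etc/devfs.rules}"
    if [ -f "$file" ] && grep -q "^\[${IPF_RULESET_NAME}=" "$file"; then
        return 0
    fi
    ipf_devfs_ruleset >> "$file"
}

# Run inside the jail: verify the nodes ipf needs are visible under DEVDIR
# (default /dev). Returns 1 and names the missing nodes otherwise. A visible
# kmem is reported as a warning, since a jail should not normally have it.
check_ipf_devs() {
    devdir="${1:-/dev}"
    missing=""
    for node in ipl ipstate ipauth; do
        [ -e "$devdir/$node" ] || missing="$missing $node"
    done
    if [ -e "$devdir/kmem" ]; then
        echo "warning: $devdir/kmem is visible in this jail" >&2
    fi
    if [ -n "$missing" ]; then
        echo "missing device nodes:$missing (check devfs_ruleset in jail.conf)" >&2
        return 1
    fi
    return 0
}

# Usage on the host:  install_ipf_ruleset && service devfs restart
# Usage in the jail:  check_ipf_devs && ipf -FS -Fa
```

On the host, after appending the ruleset, `service devfs restart` loads it into the kernel; the jail's entry in jail.conf(5) then needs `mount.devfs;` and `devfs_ruleset = 100;` next to its `vnet;` line so the ruleset is applied when the jail's /dev is mounted. The check is meant to be run from within the jail; it makes no attempt to unhide anything itself.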