Date: Thu, 9 Sep 2010 20:03:07 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: "Luiz Gustavo S. Costa" <luizgustavo@luizgustavo.pro.br>
Cc: FreeBSD virtualization mailing list <freebsd-virtualization@freebsd.org>
Subject: Re: [patch] allow testing VIMAGE with pf in base system only
Message-ID: <20100909195951.S31898@maildrop.int.zabbadoz.net>
In-Reply-To: <AANLkTikheuZs=qNw24Hr8vJ3A1Qo%2Bk-0eHW=cb2c17qi@mail.gmail.com>
References: <20100907164529.O31898@maildrop.int.zabbadoz.net> <AANLkTikheuZs=qNw24Hr8vJ3A1Qo%2Bk-0eHW=cb2c17qi@mail.gmail.com>
On Thu, 9 Sep 2010, Luiz Gustavo S. Costa wrote:

Hey,

> But I found something that may be unsafe within the jail environment,
> I'm allowed to change /dev/pf, so that if I run a "pfctl -f
> /etc/pf.conf" inside the jail to do with that the rules are read
> again, killing pf.conf on the main environment

yes, see the comment at the top of the patch:

! You should not leak /dev/pf into jails for now or they might
! change your rules;-)

See devfs, devfs.rules, etc. The jail startup script would usually
apply the devfsrules_jail defines in /etc/defaults/devfs.rules.

/bz

-- 
Bjoern A. Zeeb
Welcome a new stage of life.