Date:      Tue, 16 Aug 2016 23:21:31 +0000
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        "CyberLeo Kitsana" <cyberleo@cyberleo.net>
Cc:        "Ernie Luzar" <luzar722@gmail.com>, "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>, "Freebsd Questions" <FreeBSD-questions@freebsd.org>, krad <kraduk@gmail.com>,  "James Gritton" <jamie@freebsd.org>
Subject:   Re: testing 11.0-RC1 vnet jails with ipfilter
Message-ID:  <89E52542-8E6B-4BA6-921E-E939A3F3A038@lists.zabbadoz.net>
In-Reply-To: <b640b4fa-ba88-9fde-41a0-339d9d4a897b@cyberleo.net>
References:  <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net> <CALfReyeR_4pM6FsrFZxTbHNoC1_yd3SZW72Ze9Bo354itzEgWQ@mail.gmail.com> <F610E6D1-6622-4E15-98B4-F7AD58EEA9CF@lists.zabbadoz.net> <57B375C6.9030500@gmail.com> <b640b4fa-ba88-9fde-41a0-339d9d4a897b@cyberleo.net>

On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:

> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
> <snip>
>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
>> message, "open device:no such file or directory. User kernel version
>> check failed."
>
> According to ipf(8), the ipfilter utilities touch /dev/ipauth,
> /dev/ipl, and /dev/ipstate. Have you checked that the devfs ruleset
> applied to your jail has those unhidden?
>
>> Issuing "ipfstat -hnio" command from within the vnet jail gives this
>> message, open(IPSTATE_NAME):no such file or directory.
>
> ipfstat(8) also lists /dev/kmem; I suspect that including this may be
> a bad idea.

/dev/kmem is a bad idea;  I should go and check what it is using it for 
and if needed we should fix that.


I guess the general thing is that we might want to create another 
default set of devfs rules which include additional nodes we now 
consider safe inside VNET jails;  the jail.conf still needs to know the 
right ruleset to apply, so the jail.conf would need to specify the other 
devfs_ruleset="..." for vnet jails.  Maybe Jamie could then come up 
with an intelligent solution that would automagically flip things if 
option vnet is set?   I guess jail.conf(5) will need more examples for 
these things as well.


/bz
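An added configuration example, not part of this thread, showing one way to do today what the message above asks for: a separate devfs ruleset for VNET jails that unhides only the three ipfilter nodes named in the thread and leaves /dev/kmem hidden, selected from jail.conf via devfs_ruleset. The ruleset number (5, assumed unused on the host), the jail name, path and epair interface are assumed values.

```conf
# /etc/devfs.rules
# Start from the stock jail ruleset (hide everything, then unhide the
# basic nodes) and add only the nodes the ipfilter tools open.
# /dev/kmem is deliberately left hidden, as discussed in the thread.
[devfsrules_jail_vnet_ipf=5]
add include $devfsrules_jail
add path ipauth unhide
add path ipl unhide
add path ipstate unhide

# /etc/jail.conf  (jail name, path and interface are constructed values)
ipfjail {
	path = "/usr/jails/ipfjail";
	host.hostname = "ipfjail.example.net";
	vnet;
	vnet.interface = "epair0b";
	mount.devfs;
	devfs_ruleset = 5;
	exec.start = "/bin/sh /etc/rc";
	exec.stop = "/bin/sh /etc/rc.shutdown";
}
```

After reloading the rulesets (service devfs restart) and restarting the jail, `jexec ipfjail ls -l /dev/ipl /dev/ipauth /dev/ipstate` should list the three nodes while /dev/kmem stays absent from the jail's /dev.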


