From: "Bjoern A. Zeeb"
To: "CyberLeo Kitsana"
Cc: "Ernie Luzar", "freebsd-jail@freebsd.org", "Freebsd Questions", krad, "James Gritton"
Subject: Re: testing 11.0-RC1 vnet jails with ipfilter
Date: Tue, 16 Aug 2016 23:21:31 +0000
Message-ID: <89E52542-8E6B-4BA6-921E-E939A3F3A038@lists.zabbadoz.net>
References: <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net> <57B375C6.9030500@gmail.com>
List-Id: "Discussion about FreeBSD jail(8)"

On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:

> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
>
>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
>> message, "open device:no such file or directory. User kernel version
>> check failed."
>
> According to ipf(8), the ipfilter utilities touch /dev/ipauth, /dev/ipl,
> and /dev/ipstate. Have you checked that the devfs ruleset applied to
> your jail has those unhidden?
>
>> Issuing "ipfstat -hnio" command from within the vnet jail gives this
>> message, "open(IPSTATE_NAME):no such file or directory."
>
> ipfstat(8) also lists /dev/kmem; I suspect that including this may be a
> bad idea.

/dev/kmem is a bad idea; I should go and check what it is using it for and
if needed we should fix that.

I guess the general thing is that we might want to create another default
set of devfs rules which include additional nodes we now consider safe
inside VNET jails; the jail.conf still needs to know the right ruleset to
apply, so the jail.conf would need to specify the other devfs_ruleset="..."
for vnet jails.

Maybe Jamie could then come up with an intelligent solution that would
automagically flip things if option vnet is set?

I guess jail.conf(5) will need more examples for these things as well.

/bz
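A concrete version of the arrangement Bjoern describes, added here as an example and not taken from the thread or from the FreeBSD base system: a separate devfs ruleset for vnet jails that unhides only the three ipfilter nodes CyberLeo names, plus a jail.conf entry that selects it by number. The ruleset name and number (5), the jail name, path, hostname and epair interface are assumptions; the includes reference the stock rulesets 1 through 3 from /etc/defaults/devfs.rules. /dev/kmem is deliberately left hidden, following the concern raised above.

```conf
# /etc/devfs.rules (added example). Ruleset name and number 5 are assumed;
# pick a number that is not already used in /etc/defaults/devfs.rules.
[devfsrules_jail_vnet_ipf=5]
# Same starting point as the stock devfsrules_jail ruleset: hide everything,
# then unhide only the basic and login nodes.
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
# ipfilter control nodes listed in ipf(8) / ipfstat(8).
add path ipl unhide
add path ipauth unhide
add path ipstate unhide
# /dev/kmem is intentionally NOT unhidden: handing a jail raw kernel memory
# defeats the isolation, vnet or not.

# /etc/jail.conf (added example; jail name, path, hostname and epair are assumed).
ipfjail {
	path = "/usr/jails/ipfjail";
	host.hostname = "ipfjail.example.org";
	vnet;
	exec.prestart = "ifconfig epair0 create up";
	vnet.interface = "epair0b";
	exec.poststop = "ifconfig epair0a destroy";
	mount.devfs;
	# Chosen explicitly: jail(8) does not switch rulesets just because
	# vnet is set, which is the gap Bjoern points at.
	devfs_ruleset = 5;
	exec.start = "/bin/sh /etc/rc";
	exec.stop = "/bin/sh /etc/rc.shutdown";
}
```

After editing /etc/devfs.rules, `service devfs restart` on the host loads the new ruleset and `devfs rule -s 5 show` lists what was loaded. Once the jail is started, `jexec ipfjail ls -l /dev/ipl /dev/ipauth /dev/ipstate` should show all three nodes and `/dev/kmem` should be absent; if the nodes are missing, the ruleset number in jail.conf does not match the one in devfs.rules.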