Date: Mon, 14 Feb 2022 15:37:06 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 260973] pf: firewall rules stop matching when vnet jails share interface names with the host
Message-ID: <bug-260973-227-dDM1XjoKvU@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-260973-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-260973-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260973

--- Comment #3 from Kristof Provost <kp@freebsd.org> ---
With the disclaimer that this is entirely from memory and may be incorrect or outdated:

I'm aware of several somewhat related issues around interface naming.

One is this, that when an interface is moved between vnets (e.g. when the jail it lives in goes away) there's no check for name collisions. That's non-trivial to solve, because the relevant code paths often have no ability to return errors if there's a name collision and the locking around interface names is also unclear (and likely wrong in several places).

There's a loosely related issue with interface groups as well (see #218895, #202178). Now that interfaces can be renamed it's possible to have an interface group and an interface with the same name (and the interface need not even be a member of the group). This has previously triggered panics in pf, as it assumes that interfaces and interface groups share a namespace (and this was historically the case, in that interfaces always ended with a number and groups never did. The former is no longer the case, but the latter is still enforced).

This issue too is difficult to solve for the same reasons as the problem described in this bug (lack of error paths, unclear locking).

When I looked at it last I estimated this to be a significant (plausibly multi-month) effort to fix. I do not expect to work on these problems any time soon.

-- 
You are receiving this mail because:
You are the assignee for the bug.