Date: Fri, 2 Aug 2019 08:51:01 +0300
From: Ari Suutari <ari@stonepile.fi>
To: freebsd-stable@freebsd.org
Subject: Re: ipfw jail keyword broken in 11.3 by jail_getid changes
Message-ID: <47adcb23-b2d5-c70d-beb8-c8bbde6a2973@stonepile.fi>
In-Reply-To: <CACNAnaFUZ8uHumBYXtF3_p-f2S=S15y7X1BROyj0nMcD6m9gxw@mail.gmail.com>
References: <8ef12e33-583e-5b5c-a602-155e396a6a45@stonepile.fi> <CACNAnaHv_fpQ_cVbRCaJEb4Vmm-AGK21aRE3XsoEDjSeKEAGnA@mail.gmail.com> <CACNAnaFUZ8uHumBYXtF3_p-f2S=S15y7X1BROyj0nMcD6m9gxw@mail.gmail.com>
Hi,

I tested your change and can confirm that it fixes the issue.

Ari S.

On 1.8.2019 21.19, Kyle Evans wrote:
> On Thu, Aug 1, 2019 at 8:43 AM Kyle Evans <kevans@freebsd.org> wrote:
>> On Thu, Aug 1, 2019 at 1:38 AM Ari Suutari via freebsd-stable
>> <freebsd-stable@freebsd.org> wrote:
>>> Hi,
>>>
>>> We have a lot of servers using jails and ipfw rules with
>>> numeric jail ids to limit access between them (something
>>> like 'allow tcp from from me to me 8086 jail 1 keep-state').
>>>
>>> This has been working very well for ages. Yesterday, we upgraded
>>> the first of these servers to 11.3. During boot there are now messages
>>> like 'ipfw: jail 1 not found' and the rules are not loaded.
>>>
>>> I tracked this down to:
>>> https://reviews.freebsd.org/rS348304
>>>
>>> ipfw calls jail_getid, which used to just return the id without checking
>>> if the string was numeric. In 11.3, the function has been changed to actually
>>> check if the jail with the given id exists.
>>>
>>> This doesn't really work in ipfw's context as the rules are loaded before
>>> the jails are actually created.
>>>
>>> Ari S.
>> Hi,
>>
>> I've CC'd Andrey, who tends to work in this area. Apologies for not
>> catching the breakage- I'll whip up a patch unless Andrey objects, but
>> this area feels a bit finicky. I think a couple of things need to
>> happen:
>>
>> 1.) To fix things -right now-, ipfw should fall back to strtoul if
>> jail_getid fails and only error out if strtoul fails. This restores
>> the functional status quo and still uses jail_getid properly, which is
>> documented to return -1 if the jail does not exist.
>>
> I've created a review for this at [0] -- I can't test it, though, so
> some testing would be appreciated.
>
> Thanks,
>
> Kyle Evans
>
> [0] https://reviews.freebsd.org/D21128
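The fallback Kyle describes above (try jail_getid, then strtoul, error only if both fail), written out as an added example; this is illustration code, not the actual ipfw change from D21128, and it assumes a caller-supplied lookup callback backed by a constructed jail table so it runs outside FreeBSD.

```c
/* Added example: the jail_getid-then-strtoul fallback described in the
 * thread, written as illustration, not ipfw's actual code. Real ipfw calls
 * jail_getid(3) from libjail; here the lookup is a callback (assumption). */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* jail_getid(3) semantics: jail id on success, -1 if no such jail exists. */
typedef int (*jail_lookup_fn)(const char *);

/* Constructed table standing in for the jails running on the system. */
static const struct { const char *name; int jid; } fake_jails[] = {
    { "web", 2 }, { "db", 3 },
};

/* Stand-in for jail_getid(): resolves a name, or the number of an existing jail. */
int fake_jail_getid(const char *s)
{
    char *end;
    long v = strtol(s, &end, 10);
    for (size_t i = 0; i < sizeof fake_jails / sizeof fake_jails[0]; i++) {
        if (strcmp(s, fake_jails[i].name) == 0)
            return fake_jails[i].jid;
        if (*s != '\0' && *end == '\0' && v == fake_jails[i].jid)
            return fake_jails[i].jid;
    }
    return -1;
}

/* Parse the argument of ipfw's "jail" keyword: the id of an existing jail,
 * else a plain decimal id, else -1. The numeric fallback keeps rules
 * loadable at boot before the jails they name exist; the price is that a
 * number gets no existence check, so a mistyped id silently matches nothing. */
int parse_jail_arg(const char *arg, jail_lookup_fn lookup)
{
    int jid = lookup(arg);
    if (jid >= 0)
        return jid;

    char *end;
    errno = 0;
    unsigned long v = strtoul(arg, &end, 10);
    /* strtoul tolerates leading blanks, a sign and trailing junk; reject
     * all of them so "", " 1", "-1" and "1abc" are errors, not jail ids. */
    if (arg[0] < '0' || arg[0] > '9' || *end != '\0' || errno != 0 || v > INT_MAX)
        return -1;
    return (int)v;
}
```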