From: Ari Suutari
Date: Fri, 2 Aug 2019 08:51:01 +0300
To: freebsd-stable@freebsd.org
Subject: Re: ipfw jail keyword broken in 11.3 by jail_getid changes

Hi,

I tested your change and can confirm that it fixes the issue.

    Ari S.

On 1.8.2019 21.19, Kyle Evans wrote:
> On Thu, Aug 1, 2019 at 8:43 AM Kyle Evans wrote:
>> On Thu, Aug 1, 2019 at 1:38 AM Ari Suutari via freebsd-stable
>> wrote:
>>> Hi,
>>>
>>> We have a lot of servers using jails and ipfw rules with
>>> numeric jail ids to limit access between them (something
>>> like 'allow tcp from from me to me 8086 jail 1 keep-state').
>>>
>>> This has been working very well for ages. Yesterday, we upgraded
>>> first of these servers to 11.3. During boot there are now messages
>>> like 'ipfw: jail 1 not found' and the rules are not loaded.
>>>
>>> I tracked this down to:
>>> https://reviews.freebsd.org/rS348304
>>>
>>> ipfw calls jail_getid, which used to just return the id without checking
>>> if string was numeric. In 11.3, the function has been changed to actually
>>> check if the jail with given id exists.
>>>
>>> This doesn't really work in ipfw's context as the rules are loaded before
>>> the jails are actually created.
>>>
>>> Ari S.
>> Hi,
>>
>> I've CC'd Andrey, who tends to work in this area. Apologies for not
>> catching the breakage- I'll whip up a patch unless Andrey objects, but
>> this area feels a bit finicky. I think a couple of things need to
>> happen:
>>
>> 1.) To fix things -right now-, ipfw should fall back to strtoul if
>> jail_getid fails and only error out if strtoul fails. This restores
>> the functional status quo and still uses jail_getid properly, which is
>> documented to return -1 if the jail does not exist.
>>
> I've created a review for this at [0] -- I can't test it, though, so
> some testing would be appreciated.
>
> Thanks,
>
> Kyle Evans
>
> [0] https://reviews.freebsd.org/D21128
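
The fallback proposed in the quoted message (try jail_getid first, then strtoul, and fail only if both fail), sketched as an added example; this is not the patch in D21128 and not ipfw's own code. The function resolve_jail_arg, the jail_lookup_fn type and the two stub lookups are hypothetical names, and the stubs stand in for jail_getid(3) so the sketch builds without libjail.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for jail_getid(3): returns the JID, or -1 if the jail is unknown. */
typedef int (*jail_lookup_fn)(const char *name);

/* Constructed lookups: boot time (no jails exist yet) and one jail "www" = 7. */
static int no_jails_yet(const char *name) { (void)name; return -1; }
static int one_jail_www(const char *name) { return strcmp(name, "www") == 0 ? 7 : -1; }

/*
 * Resolve the argument of the ipfw "jail" keyword.
 * Returns the JID, or -1 when the argument is neither an existing jail
 * nor a plain decimal number that fits in an int.
 */
long resolve_jail_arg(const char *arg, jail_lookup_fn lookup)
{
    char *end;
    unsigned long val;
    int id = lookup(arg);

    if (id != -1)
        return id;              /* jail exists right now */

    /* strtoul() skips whitespace and accepts a sign ("-1" wraps around),
     * so require the first character to be a digit before calling it. */
    if (arg[0] < '0' || arg[0] > '9')
        return -1;
    errno = 0;
    val = strtoul(arg, &end, 10);
    if (errno != 0 || *end != '\0' || val > INT_MAX)
        return -1;              /* overflow, trailing junk, or out of range */
    return (long)val;           /* numeric JID of a jail not created yet */
}

int main(void)
{
    const char *args[] = { "1", "www", "-1", "12abc", "" };

    for (size_t i = 0; i < sizeof(args) / sizeof(args[0]); i++)
        printf("boot:    \"%s\" -> %ld\n", args[i],
            resolve_jail_arg(args[i], no_jails_yet));
    printf("running: \"www\" -> %ld\n", resolve_jail_arg("www", one_jail_www));
    return 0;
}
```

With the boot-time stub, a numeric id such as "1" still resolves, so a rule set loaded before the jails start is accepted, while a jail name can only resolve once that jail exists.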