Date: Thu, 1 Aug 2019 09:03:12 +0300
From: Ari Suutari <ari@stonepile.fi>
To: freebsd-stable@freebsd.org
Subject: ipfw jail keyword broken in 11.3 by jail_getid changes
Message-ID: <8ef12e33-583e-5b5c-a602-155e396a6a45@stonepile.fi>
Hi,

We have a lot of servers using jails and ipfw rules with numeric jail ids to limit access between them (something like 'allow tcp from me to me 8086 jail 1 keep-state'). This has been working very well for ages.

Yesterday, we upgraded the first of these servers to 11.3. During boot there are now messages like 'ipfw: jail 1 not found' and the rules are not loaded.

I tracked this down to: https://reviews.freebsd.org/rS348304

ipfw calls jail_getid, which used to just return the id without checking if the string was numeric. In 11.3, the function has been changed to actually check if the jail with the given id exists. This doesn't really work in ipfw's context as the rules are loaded before the jails are actually created.

Ari S.
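
The boot-order problem reported above, as an added C model that is not part of the original message and is not FreeBSD's libjail code. `getid_old`, `getid_new`, the jail table and `AFTER_BOOT` are hypothetical stand-ins, and only numeric ids are modelled, not jail names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>

/* Constructed stand-in for the kernel's list of running jails. */
static const int AFTER_BOOT[] = { 1, 2 };
static const int *running = NULL;
static size_t nrunning = 0;

void set_running(const int *jids, size_t n) { running = jids; nrunning = n; }

static int jail_exists(int jid) {
    for (size_t i = 0; i < nrunning; i++)
        if (running[i] == jid)
            return 1;
    return 0;
}

/* Accept only a non-empty, fully numeric, non-negative id; else -1. */
static int parse_jid(const char *s) {
    char *end;
    long v;
    if (*s == '\0')
        return -1;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 0 || v > INT_MAX)
        return -1;
    return (int)v;
}

/* Model of the earlier behaviour: a numeric id is returned as given. */
int getid_old(const char *s) { return parse_jid(s); }

/* Model of the 11.3 behaviour: the id must belong to an existing jail. */
int getid_new(const char *s) {
    int jid = parse_jid(s);
    return (jid >= 0 && jail_exists(jid)) ? jid : -1;
}

int main(void) {
    set_running(NULL, 0);            /* rules are loaded before jails start */
    printf("boot:  old=%d new=%d\n", getid_old("1"), getid_new("1"));
    set_running(AFTER_BOOT, 2);      /* jails 1 and 2 are now running */
    printf("later: old=%d new=%d\n", getid_old("1"), getid_new("1"));
    return 0;
}
```

In this model the same rule text resolves at boot only under the earlier lookup; under the validating lookup it resolves only once the jail exists, which matches the 'jail 1 not found' message and the unloaded rules described in the report.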