On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:

> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
>> <snip>
>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
>> message, "open device:no such file or directory. User kernel version
>> check failed."
>
> According to ipf(8), the ipfilter utilities touch /dev/ipauth, /dev/ipl,
> and /dev/ipstate. Have you checked that the devfs ruleset applied to
> your jail has those unhidden?
>
>> Issuing "ipfstat -hnio" command from within the vnet jail gives this
>> message, open(IPSTATE_NAME):no such file or directory.
>
> ipfstat(8) also lists /dev/kmem; I suspect that including this may be a
> bad idea.
/dev/kmem is a bad idea; I should go and check what it is using it for
and if needed we should fix that.
I guess the general thing is that we might want to create another
default set of devfs rules which include additional nodes we now
consider safe inside VNET jails; the jail.conf still needs to know the
right ruleset to apply, so the jail.conf would need to specify the other
devfs_ruleset=“..” for vnet jails. Maybe Jamie could then come up
with an intelligent solution that would automagically flip things if
option vnet is set? I guess jail.conf(5) will need more examples for
these things as well.
/bz
_______________________________________________
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
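As an added illustration of the fix discussed in this thread (this is not code from any of the posters or from the FreeBSD tree): a devfs ruleset that unhides only the three ipfilter nodes named above, the matching jail.conf stanza that selects it with devfs_ruleset, and a host-side check of a jail's /dev mount. The ruleset number 6, the jail name "fw", its path, hostname and epair interface are all assumptions chosen for the example; /dev/kmem is deliberately left hidden, so any ipfstat(8) mode that needs kernel memory will still fail inside the jail.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD sources.
# Ruleset number 6 and the jail name/path below are assumptions.

# devfs.rules fragment to append to /etc/devfs.rules.  Ruleset 4
# (devfsrules_jail) is the stock jail ruleset from
# /etc/defaults/devfs.rules; this one includes it and unhides only the
# nodes ipf(8) and ipfstat(8) open.  /dev/kmem stays hidden on purpose.
ipf_devfs_rules() {
    cat <<'EOF'
[devfsrules_jail_vnet_ipf=6]
add include $devfsrules_jail
add path ipauth unhide
add path ipl unhide
add path ipstate unhide
EOF
}

# jail.conf stanza: "vnet" on its own does not change which devfs rules
# are applied, so devfs_ruleset must point at the ruleset above.
ipf_jail_conf() {
    cat <<'EOF'
fw {
    path = "/usr/jails/fw";              # assumed jail root
    host.hostname = "fw.example.invalid";
    vnet;
    vnet.interface = "epair0b";          # assumed epair leg
    mount.devfs;
    devfs_ruleset = 6;                   # must match the devfs.rules entry
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
EOF
}

# Host-side check of a running jail's devfs mount (e.g. /usr/jails/fw/dev).
# Prints one line per required node; returns 1 if any node is missing or
# if kmem is exposed to the jail.
check_jail_ipf_devs() {
    devdir=$1
    rc=0
    for node in ipauth ipl ipstate; do
        if [ -e "$devdir/$node" ]; then
            echo "ok: $devdir/$node present"
        else
            echo "MISSING: $devdir/$node (ipf tools will report 'no such file or directory')"
            rc=1
        fi
    done
    if [ -e "$devdir/kmem" ]; then
        echo "WARNING: $devdir/kmem is exposed to the jail"
        rc=1
    fi
    return $rc
}
```

Typical use on the host: `ipf_devfs_rules >> /etc/devfs.rules`, `service devfs restart`, add the stanza from `ipf_jail_conf` to /etc/jail.conf, start the jail, then run `check_jail_ipf_devs /usr/jails/fw/dev` before trying `ipf -FS -Fa` from inside it.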