On Tue, Aug 16, 2016 at 09:05:28PM -0400, Ernie Luzar wrote:
> Bjoern A. Zeeb wrote:
> > On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote:
> >
> >> On 08/16/2016 03:21 PM, Ernie Luzar wrote:
> >> <snip>
> >>> Issuing "ipf -FS -Fa" command from within the vnet jail gives this
> >>> message, "open device:no such file or directory. User kernel version
> >>> check failed."
> >>
> >> According to ipf(8), the ipfilter utilities touch /dev/ipauth, /dev/ipl,
> >> and /dev/ipstate. Have you checked that the devfs ruleset applied to
> >> your jail has those unhidden?
> >>
> >>> Issuing "ipfstat -hnio" command from within the vnet jail gives this
> >>> message, "open(IPSTATE_NAME):no such file or directory."
> >>
> >> ipfstat(8) also lists /dev/kmem; I suspect that including this may be a
> >> bad idea.
> >
> > /dev/kmem is a bad idea; I should go and check what it is using it for
> > and if needed we should fix that.
> >
> > I guess the general thing is that we might want to create another
> > default set of devfs rules which include additional nodes we now
> > consider safe inside VNET jails; the jail.conf still needs to know the
> > right ruleset to apply, so the jail.conf would need to specify the other
> > devfs_ruleset="..." for vnet jails. Maybe Jamie could then come up with
> > an intelligent solution that would automatically flip things if option
> > vnet is set? I guess jail.conf(5) will need more examples for these
> > things as well.
> >
> > /bz
>
> If that's the road you are thinking of going down, then we have to look
> at the big picture. Is another rule set, say number 5, that includes rule
> set number 4 plus the nodes for ipfilter, pf, and ipfw? Or maybe a
> separate rule set for each firewall, which is more secure.
>
> There is no way jail(8) could know which firewall, if any, was going to be
> run in the vnet jail to select the correct rule if there were separate
> rules for each firewall. A combined rule set containing everything
> needed for all 3 firewalls would be something jail(8) could auto default
> to if the vnet option was coded.
>
> In light of the 11.0 release being published soon, there should be something
> posted to the release notes talking about this, with sample code for a
> combined rule #5. This would give vnet users a copy & paste solution to
> use until jail(8) gets updated in 11.1.
>
> I tried this rule set in /etc/devfs.rules
>
> [devfsrules_jail=5]
> add include $devfsrules_jail
> add path /dev/ipl unhide
> add path /dev/ipauth unhide
> add path /dev/ipstate unhide

I think you have to remove '/dev/'

> At boot time I get an error message that this was invalid.
>
> If I could get a correct-syntax combined rule #5 file, I could continue
> testing all 3 firewalls using 11.0-RC1.
>
> Your help would be greatly appreciated.
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
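As an added example (not code from this thread or from FreeBSD itself): a ruleset #5 written the way devfs(8) expects, a jail.conf(5) fragment that selects it for the VNET jail, and a small pre-boot check for the leading '/dev/' mistake. The ruleset name devfsrules_jail_vnet, the jail name fwjail and its path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a candidate combined ruleset #5 for a
# VNET jail running ipfilter, a matching jail.conf fragment, and a pre-boot
# check for the mistake discussed above. devfs(8) rule patterns are matched
# relative to the devfs mount point, so "add path /dev/ipl" never matches
# and "add path ipl" is the correct form. The ruleset name
# devfsrules_jail_vnet and the jail name fwjail are assumptions.

# Ruleset as it would be written in /etc/devfs.rules: inherit the default
# jail ruleset (number 4 in /etc/defaults/devfs.rules) and unhide only the
# three nodes ipf(8) needs. /dev/kmem is deliberately left hidden.
corrected_ruleset() {
	cat <<'EOF'
[devfsrules_jail_vnet=5]
add include $devfsrules_jail
add path ipl unhide
add path ipauth unhide
add path ipstate unhide
EOF
}

# jail.conf(5) fragment that applies ruleset 5 to the VNET jail.
jail_conf_fragment() {
	cat <<'EOF'
fwjail {
	path = "/jails/fwjail";
	host.hostname = "fwjail.example.com";
	vnet;
	mount.devfs;
	devfs_ruleset = 5;
	exec.start = "/bin/sh /etc/rc";
	exec.stop = "/bin/sh /etc/rc.shutdown";
}
EOF
}

# Report every "add path" rule written with a leading /dev/ in the given
# devfs.rules file. Returns 1 if any were found, 0 if the file is clean.
check_devfs_paths() {
	bad=$(grep -nE '^[[:space:]]*add[[:space:]]+path[[:space:]]+/dev/' "$1" || true)
	if [ -n "$bad" ]; then
		printf 'absolute /dev/ paths in %s (devfs paths are relative to /dev):\n%s\n' "$1" "$bad"
		return 1
	fi
	return 0
}
```

Run `check_devfs_paths /etc/devfs.rules` on the host before rebooting; the ruleset is only loaded by rc.d/devfs once the file parses.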