From owner-freebsd-bugs@FreeBSD.ORG Thu Jan 1 21:20:02 2009
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Thu, 1 Jan 2009 21:20:01 GMT
Resent-Message-Id: <200901012120.n01LK1Kr099652@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Stefan Hegnauer
Message-Id: <200901012117.n01LH3RO045314@www.freebsd.org>
Date: Thu, 1 Jan 2009 21:17:03 GMT
From: Stefan Hegnauer
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: kern/130102: 'pfctl -d' from inside a jail disables pf on the jail host
List-Id: Bug reports
X-List-Received-Date: Thu, 01 Jan 2009 21:20:02 -0000

>Number:         130102
>Category:       kern
>Synopsis:       'pfctl -d' from inside a jail disables pf on the jail host
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 01 21:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Stefan Hegnauer
>Release:        7.1-PRERELEASE #9
>Organization:
>Environment:
FreeBSD jailhost.x.y.z 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #9: Wed Dec 31 09:05:43 CET 2008 root@jailhost.x.y.z:/usr/obj/usr/src/sys/IBMT20 i386
>Description:
I have a jail host (192.168.1.10) with two jails running, webjail (192.168.1.80) and mailjail (192.168.1.25). The host uses pf for some additional protection on the single network interface facing my DMZ router, with rules for the two jailed hosts. So far everything seems to work as intended. The setup of the jails is according to the descriptions in the jail(8) manual page, with no deviations.

If I use pfctl(8) as root in one of the jails, it is possible to control the pf(4) that runs on the host. For example, I can disable pf on the host altogether using 'pfctl -d', re-enable it again with 'pfctl -e', or load a different ruleset with 'pfctl -f ' etc.

It seems that pfctl easily gets out of the jail, which I did not expect, and I also did not find any reference to this behaviour in the handbook, the FAQ, the PR database or anywhere else on the net.
>How-To-Repeat:
- have enabled in the kernel (device pf, device pflog)
- set up a jail system with at least one jail according to the jail(8) man page
- run pf on the host, load some rules and enable pf (pfctl -ef )
- run 'pfctl -d' as root within a jail -> pf is disabled on the host (pfctl -si)
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
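As an added host-side check (not part of this PR and not FreeBSD code), a script for the jail host that detects the condition the steps above produce: it parses the "Status:" line of 'pfctl -si' to see whether pf has been switched off, and reports any jail root whose devfs still exposes /dev/pf, the device node pfctl(8) talks to. The sample pfctl output is constructed; jail roots are passed as arguments.

```sh
#!/bin/sh
# pf_status TEXT: given the output of 'pfctl -si', print "enabled" or
# "disabled"; print "unknown" and return 2 when no Status line is present.
pf_status() {
    case "$1" in
        *"Status: Enabled"*)  echo enabled ;;
        *"Status: Disabled"*) echo disabled ;;
        *)                    echo unknown; return 2 ;;
    esac
}

# jail_exposes_pf JAILROOT: succeed when /dev/pf is visible below the jail's
# root, i.e. a root user inside that jail can reach the host's pf.
jail_exposes_pf() {
    [ -e "$1/dev/pf" ]
}

# Constructed sample, shaped like 'pfctl -si' on a host whose pf was disabled.
SAMPLE_DISABLED='Status: Disabled for 0 days 00:01:12           Debug: Urgent

State Table                          Total             Rate
  current entries                        0'

# Live checks, only run where pfctl exists (the jail host itself).
if command -v pfctl >/dev/null 2>&1; then
    rc=0
    if [ "$(pf_status "$(pfctl -si 2>/dev/null)")" = disabled ]; then
        logger -p security.warning "pf is disabled on the jail host"
        echo "WARNING: pf is disabled on this host" >&2
        rc=1
    fi
    for root in "$@"; do
        if jail_exposes_pf "$root"; then
            logger -p security.warning "jail root $root exposes /dev/pf"
            echo "WARNING: $root exposes /dev/pf to the jail" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || exit "$rc"
fi
```

Run it from cron or periodic(8) with the jail roots as arguments; a non-zero exit means either pf is off on the host or a jail can still reach /dev/pf.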