Date: Thu, 1 Aug 2019 13:19:49 -0500 From: Kyle Evans <kevans@freebsd.org> To: Ari Suutari <ari@stonepile.fi> Cc: FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, "Andrey V. Elsukov" <ae@freebsd.org> Subject: Re: ipfw jail keyword broken in 11.3 by jail_getid changes Message-ID: <CACNAnaFUZ8uHumBYXtF3_p-f2S=S15y7X1BROyj0nMcD6m9gxw@mail.gmail.com> In-Reply-To: <CACNAnaHv_fpQ_cVbRCaJEb4Vmm-AGK21aRE3XsoEDjSeKEAGnA@mail.gmail.com> References: <8ef12e33-583e-5b5c-a602-155e396a6a45@stonepile.fi> <CACNAnaHv_fpQ_cVbRCaJEb4Vmm-AGK21aRE3XsoEDjSeKEAGnA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Aug 1, 2019 at 8:43 AM Kyle Evans <kevans@freebsd.org> wrote: > > On Thu, Aug 1, 2019 at 1:38 AM Ari Suutari via freebsd-stable > <freebsd-stable@freebsd.org> wrote: > > > > Hi, > > > > We have a lot of servers using jails and ipfw rules with > > numeric jail ids to limit acess between them (something > > like 'allow tcp from from me to me 8086 jail 1 keep-state'). > > > > This has been working very well for ages. Yesterday, we upgraded > > first of these servers to 11.3. During boot there are now messages > > like 'ipfw: jail 1 not found' and the rules are not loaded. > > > > I tracked this down to: > > https://reviews.freebsd.org/rS348304 > > > > ipfw calls jail_getid, which used to just return the id without checking > > if string was numeric. In 11.3, the function has been changed to actually > > check if the jail with given id exists. > > > > This doesn't really work in ipfw's context as the rules are loaded before > > the jails are actually created. > > > > Ari S. > > Hi, > > I've CC'd Andrey, who tends to work in this area. Apologies for not > catching the breakage- I'll whip up a patch unless Andrey objects, but > this area feels a bit finnicky. I think a couple of things need to > happen: > > 1.) To fix things -right now-, ipfw should fall back to strtoul if > jail_getid fails and only error out if strtoul fails. This restores > the functional status quo and still uses jail_getid properly, which is > documented to return -1 if the jail does not exist. > I've created a review for this at [0] -- I can't test it, though, so some testing would be appreciated. Thanks, Kyle Evans [0] https://reviews.freebsd.org/D21128
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACNAnaFUZ8uHumBYXtF3_p-f2S=S15y7X1BROyj0nMcD6m9gxw>