Date:      Thu, 1 Aug 2019 13:19:49 -0500
From:      Kyle Evans <kevans@freebsd.org>
To:        Ari Suutari <ari@stonepile.fi>
Cc:        FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, "Andrey V. Elsukov" <ae@freebsd.org>
Subject:   Re: ipfw jail keyword broken in 11.3 by jail_getid changes
Message-ID:  <CACNAnaFUZ8uHumBYXtF3_p-f2S=S15y7X1BROyj0nMcD6m9gxw@mail.gmail.com>
In-Reply-To: <CACNAnaHv_fpQ_cVbRCaJEb4Vmm-AGK21aRE3XsoEDjSeKEAGnA@mail.gmail.com>
References:  <8ef12e33-583e-5b5c-a602-155e396a6a45@stonepile.fi> <CACNAnaHv_fpQ_cVbRCaJEb4Vmm-AGK21aRE3XsoEDjSeKEAGnA@mail.gmail.com>

On Thu, Aug 1, 2019 at 8:43 AM Kyle Evans <kevans@freebsd.org> wrote:
>
> On Thu, Aug 1, 2019 at 1:38 AM Ari Suutari via freebsd-stable
> <freebsd-stable@freebsd.org> wrote:
> >
> > Hi,
> >
> > We have a lot of servers using jails and ipfw rules with
> > numeric jail ids to limit access between them (something
> > like 'allow tcp from me to me 8086 jail 1 keep-state').
> >
> > This has been working very well for ages. Yesterday, we upgraded
> > first of these servers to 11.3. During boot there are now messages
> > like 'ipfw: jail 1 not found' and the rules are not loaded.
> >
> > I tracked this down to:
> > https://reviews.freebsd.org/rS348304
> >
> > ipfw calls jail_getid, which used to just return the id without checking
> > if string was numeric. In 11.3, the function has been changed to actually
> > check if the jail with given id exists.
> >
> > This doesn't really work in ipfw's context as the rules are loaded before
> > the jails are actually created.
> >
> >     Ari S.
>
> Hi,
>
> I've CC'd Andrey, who tends to work in this area. Apologies for not
> catching the breakage; I'll whip up a patch unless Andrey objects, but
> this area feels a bit finicky. I think a couple of things need to
> happen:
>
> 1.) To fix things -right now-, ipfw should fall back to strtoul if
> jail_getid fails and only error out if strtoul fails. This restores
> the functional status quo and still uses jail_getid properly, which is
> documented to return -1 if the jail does not exist.
>

I've created a review for this at [0] -- I can't test it, though, so
some testing would be appreciated.

Thanks,

Kyle Evans

[0] https://reviews.freebsd.org/D21128
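The fallback described in point 1 above, as an added illustration that is not the D21128 patch itself: `stub_jail_getid` is a constructed stand-in for libjail's jail_getid(3) (it returns -1 for any jail not in a hard-coded "running" table, so the code runs off a FreeBSD box), and `parse_jail_arg` only accepts a strictly numeric id via strtoul(3) after that lookup fails, rejecting blanks, signs, trailing garbage and overflow rather than the looser behaviour strtoul allows on its own.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libjail's jail_getid(3): maps a jail name or
 * numeric id to a jid, -1 if no such jail is running.  The table is
 * hard-coded so the example runs without FreeBSD jails present. */
static const struct { int jid; const char *name; } running[] = {
	{ 3, "www" }, { 7, "db" },
};
#define NRUNNING (sizeof(running) / sizeof(running[0]))

static int
stub_jail_getid(const char *name)
{
	char *end; long v; size_t i;

	errno = 0;
	v = strtol(name, &end, 10);
	for (i = 0; i < NRUNNING; i++) {
		if (strcmp(running[i].name, name) == 0)
			return (running[i].jid);
		if (*name != '\0' && *end == '\0' && errno == 0 && running[i].jid == v)
			return (running[i].jid);
	}
	return (-1);
}

/* Resolve ipfw's "jail" argument: try the jail lookup first; if it fails
 * (rules load at boot before jails exist) accept a strictly numeric id via
 * strtoul(3) and only then error out.  Returns the jid, or -1 on error. */
int
parse_jail_arg(const char *arg)
{
	char *end;
	unsigned long v;
	int jid;

	if ((jid = stub_jail_getid(arg)) >= 0)
		return (jid);
	/* strtoul(3) silently skips leading blanks and accepts a sign: refuse. */
	if (!isdigit((unsigned char)*arg))
		return (-1);
	errno = 0;
	v = strtoul(arg, &end, 10);
	if (errno != 0 || *end != '\0' || v > INT_MAX)
		return (-1);
	return ((int)v);
}
```

With this ordering, 'jail 1' in a rule file still parses at boot when jail 1 does not exist yet, while 'jail www' keeps resolving by name once that jail is running.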