On Thu, Aug 1, 2019 at 8:43 AM Kyle Evans <[email protected]> wrote:
>
> On Thu, Aug 1, 2019 at 1:38 AM Ari Suutari via freebsd-stable
> <[email protected]> wrote:
> >
> > Hi,
> >
> > We have a lot of servers using jails and ipfw rules with
> > numeric jail ids to limit access between them (something
> > like 'allow tcp from me to me 8086 jail 1 keep-state').
> >
> > This has been working very well for ages. Yesterday, we upgraded
> > the first of these servers to 11.3. During boot there are now messages
> > like 'ipfw: jail 1 not found' and the rules are not loaded.
> >
> > I tracked this down to:
> > https://reviews.freebsd.org/rS348304
> >
> > ipfw calls jail_getid, which used to just return the id without checking
> > if the string was numeric. In 11.3, the function has been changed to actually
> > check if the jail with the given id exists.
> >
> > This doesn't really work in ipfw's context as the rules are loaded before
> > the jails are actually created.
> >
> > Ari S.
>
> Hi,
>
> I've CC'd Andrey, who tends to work in this area. Apologies for not
> catching the breakage- I'll whip up a patch unless Andrey objects, but
> this area feels a bit finicky. I think a couple of things need to
> happen:
>
> 1.) To fix things -right now-, ipfw should fall back to strtoul if
> jail_getid fails and only error out if strtoul fails. This restores
> the functional status quo and still uses jail_getid properly, which is
> documented to return -1 if the jail does not exist.
>

I've created a review for this at [0] -- I can't test it, though, so some testing would be appreciated.

Thanks,

Kyle Evans

[0] https://reviews.freebsd.org/D21128
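The fallback described in point 1.) above, written out as an added example. This is not the ipfw source and not the patch in review D21128; it only illustrates the approach. `jail_getid(3)` is FreeBSD's libjail call and is replaced here by a constructed stand-in (`sim_jail_getid`, with an assumed table of jails that exist at rule-load time) so the code runs on any platform. The function names `parse_numeric_jid` and `resolve_jail_token` are assumptions for the example. The point the example adds is the strict numeric check: `strtoul` on its own accepts leading whitespace, a sign and trailing garbage, so the fallback must verify that the whole token is digits and in range before treating it as a jail id.

```c
/* Added example (not ipfw's code or the D21128 patch): resolve a "jail X"
 * rule token by trying the jail lookup first and, if the jail does not
 * exist yet (rules load before jails are created), accepting a strictly
 * numeric id via strtoul. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for jail_getid(3): returns the jid for a known
 * jail name or id string, or -1 with errno=ENOENT if no such jail exists.
 * Assumption for the example: only jail "web" (jid 7) exists at this
 * point in boot. */
static int sim_jail_getid(const char *name)
{
    static const struct { const char *name; int jid; } jails[] = {
        { "web", 7 }, { "7", 7 },
    };
    for (size_t i = 0; i < sizeof(jails) / sizeof(jails[0]); i++)
        if (strcmp(jails[i].name, name) == 0)
            return jails[i].jid;
    errno = ENOENT;
    return -1;
}

/* Parse a strictly numeric jail id. Returns 1 and stores the id on
 * success; 0 if the token is empty, not purely decimal digits, or out of
 * int range. The leading isdigit() check rejects what strtoul would
 * silently accept: leading whitespace, "+5", and "-1" (which strtoul
 * wraps to ULONG_MAX without an error). */
static int parse_numeric_jid(const char *s, int *jid)
{
    char *end;
    unsigned long v;

    if (*s == '\0' || !isdigit((unsigned char)*s))
        return 0;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > INT_MAX)
        return 0;
    *jid = (int)v;
    return 1;
}

/* Resolve a "jail X" token: existing jail (by name or id) first, then a
 * numeric id for a jail that has not been created yet. Returns the jid,
 * or -1 with errno=ENOENT if neither applies, which is the only case
 * where the rule loader should report "jail X not found". */
int resolve_jail_token(const char *tok)
{
    int jid = sim_jail_getid(tok);
    if (jid >= 0)
        return jid;
    if (parse_numeric_jid(tok, &jid))
        return jid;
    errno = ENOENT;
    return -1;
}

int main(void)
{
    /* Constructed tokens: a named jail, an existing numeric id, a numeric
     * id whose jail does not exist yet, and three invalid tokens. */
    const char *toks[] = { "web", "7", "1", "1x", "-1", "" };

    for (size_t i = 0; i < sizeof(toks) / sizeof(toks[0]); i++) {
        int jid = resolve_jail_token(toks[i]);
        if (jid < 0)
            printf("ipfw: jail '%s' not found\n", toks[i]);
        else
            printf("jail '%s' -> jid %d\n", toks[i], jid);
    }
    return 0;
}
```

With this ordering, a rule such as `jail 1` loads at boot even though jail 1 does not exist yet, while a mistyped token like `1x` or `-1` still fails loudly instead of being half-parsed into some other id.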
