On Fri, Aug 2, 2019 at 12:50 AM Ari Suutari via freebsd-stable
<freebsd-stable@freebsd.org> wrote:
> On 1.8.2019 21.19, Kyle Evans wrote:
> > On Thu, Aug 1, 2019 at 8:43 AM Kyle Evans <kev...@freebsd.org> wrote:
> >> On Thu, Aug 1, 2019 at 1:38 AM Ari Suutari via freebsd-stable
> >> <freebsd-stable@freebsd.org> wrote:
> >>> Hi,
> >>>
> >>> We have a lot of servers using jails and ipfw rules with
> >>> numeric jail ids to limit access between them (something
> >>> like 'allow tcp from me to me 8086 jail 1 keep-state').
> >>>
> >>> This has been working very well for ages. Yesterday, we upgraded
> >>> the first of these servers to 11.3. During boot there are now messages
> >>> like 'ipfw: jail 1 not found' and the rules are not loaded.
> >>>
> >>> I tracked this down to:
> >>> https://reviews.freebsd.org/rS348304
> >>>
> >>> ipfw calls jail_getid, which used to just return the id without checking
> >>> if string was numeric. In 11.3, the function has been changed to actually
> >>> check if the jail with given id exists.
> >>>
> >>> This doesn't really work in ipfw's context as the rules are loaded before
> >>> the jails are actually created.
> >>>
> >>> Ari S.
> >> Hi,
> >>
> >> I've CC'd Andrey, who tends to work in this area. Apologies for not
> >> catching the breakage - I'll whip up a patch unless Andrey objects, but
> >> this area feels a bit finicky. I think a couple of things need to
> >> happen:
> >>
> >> 1.) To fix things -right now-, ipfw should fall back to strtoul if
> >> jail_getid fails and only error out if strtoul fails. This restores
> >> the functional status quo and still uses jail_getid properly, which is
> >> documented to return -1 if the jail does not exist.
> >>
> > I've created a review for this at [0] -- I can't test it, though, so
> > some testing would be appreciated.
> >
> > Thanks,
> >
> > Kyle Evans
> >
> > [0] https://reviews.freebsd.org/D21128
>
> Hi,
>
> I tested your change and can confirm that it fixes the issue.
>
secteam@ has given this EN-19:17.ipfw to be included in 11.3-RELEASE-p3.

Thanks!

Kyle Evans
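
The fallback described in point 1 of the quoted message (try the jail lookup first, fall back to strtoul, fail only if both fail), as an added example that is not part of the thread and is not the D21128 patch. The jail_lookup_fn hook and the two lookup_* stand-ins are hypothetical, constructed so the logic runs without libjail; the leading-digit and range checks are an assumption of this example, added so that a mistyped jail name cannot silently parse as jail 0.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hook shaped like libjail's jail_getid(): returns the jail
 * id, or -1 when no such jail exists at the moment of the call. */
typedef int (*jail_lookup_fn)(const char *name);

/* Constructed stand-in for boot time: rules load before any jail exists. */
static int lookup_no_jails(const char *name) { (void)name; return -1; }

/* Constructed stand-in for a running host where jail "web" has id 7. */
static int lookup_web_running(const char *name)
{
    return strcmp(name, "web") == 0 ? 7 : -1;
}

/* Resolve a rule's jail argument; returns 0 and stores the id, else -1. */
static int resolve_jail_arg(const char *arg, jail_lookup_fn lookup,
    unsigned long *jid)
{
    char *end;
    unsigned long v;
    int id = lookup(arg);
    if (id >= 0) {              /* jail exists: use the id it reports */
        *jid = (unsigned long)id;
        return 0;
    }
    /* Fallback for a jail that is not up yet: digits only. strtoul() alone
     * would skip whitespace, accept a sign, and return 0 for a name. */
    if (arg[0] < '0' || arg[0] > '9')
        return -1;
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (errno != 0 || *end != '\0' || v > INT_MAX)
        return -1;
    *jid = v;
    return 0;
}

int main(void)
{
    unsigned long jid = 0;
    int rc = resolve_jail_arg("1", lookup_no_jails, &jid);
    printf("no jails yet, \"jail 1\": rc=%d jid=%lu\n", rc, jid);
    rc = resolve_jail_arg("web", lookup_web_running, &jid);
    printf("jail running, \"jail web\": rc=%d jid=%lu\n", rc, jid);
    return 0;
}
```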