
ipfilter: Restrict ipfilter within a jail
ClosedPublic

Authored by cy on Nov 6 2025, 7:24 PM.

Details

Summary

Add a sysctl/tunable (net.inet.ipf.jail_allowed) to control whether a
jail can manage its own ipfilter rules, pools, and settings. A jail's
control over its own ipfilter rules and settings may not be desirable.
The default is that jail access to ipfilter is denied.

The host system can still manage a jail's rules by attaching the rules,
using the on keyword, limiting the rule to the jail's interface. Or
the sysctl/tunable can be enabled to allow a jail control over its own
ipfilter rules and settings.

Implementation note: Rather than store the jail_allowed variable,
referenced by sysctl(9), in a global area, storing the variable in the
ipfilter softc is consistent with ipfilter's use of its softc.

Discussed with: emaste, jrm
MFC after: 1 week
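The host-managed model the summary describes (jail_allowed left at its default of 0, rules pinned to the jail's interface with the on keyword), as an added example that is not part of this review or of ipfilter itself; the interface name epair0a, the allowed services, and the check function are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the review: host-side ipfilter rules for one
# vnet jail. The host keeps net.inet.ipf.jail_allowed at its default (0),
# so the jail cannot alter these rules; each rule is scoped with "on" to
# the jail's interface as seen from the host (assumed here to be epair0a).
jail_rules() {
    iface=$1
    cat <<EOF
# Rules for the jail reached via $iface (host side of the epair, assumed)
pass in quick on $iface proto udp from any to any port = 53 keep state
pass in quick on $iface proto tcp from any to any port = 443 flags S keep state
pass out quick on $iface proto tcp from any to any port = 22 flags S keep state
block in quick on $iface all
block out quick on $iface all
EOF
}

# Check (assumed helper): fail if any non-comment rule is not pinned to the
# jail's interface, because an unscoped rule would also govern host traffic.
check_scoped() {
    iface=$1
    rules=$2
    unscoped=$(printf '%s\n' "$rules" \
        | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
        | grep -v -E "(^| )on $iface( |$)" | wc -l | tr -d ' ')
    [ "$unscoped" -eq 0 ]
}

# On a FreeBSD host with ipfilter loaded (commented: not run here):
#   jail_rules epair0a > /etc/ipf.jail0.conf
#   check_scoped epair0a "$(cat /etc/ipf.jail0.conf)" && ipf -f /etc/ipf.jail0.conf
#   sysctl net.inet.ipf.jail_allowed        # 0: the jail cannot manage rules
#   sysctl net.inet.ipf.jail_allowed=1      # alternative: jail manages its own
```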

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

cy requested review of this revision. Nov 6 2025, 7:24 PM
This revision was not accepted when it landed; it landed in state Needs Review. Mon, Dec 8, 4:15 PM
This revision was automatically updated to reflect the committed changes.