Page MenuHomeFreeBSD

ipfilter: Restrict ipfilter within a jail
ClosedPublic

Authored by cy on Nov 6 2025, 7:24 PM.
Tags
None
Referenced Files
F162632664: D53623.diff
Wed, Jul 15, 6:54 AM
F162632663: D53623.diff
Wed, Jul 15, 6:54 AM
Unknown Object (File)
Mon, Jul 13, 4:08 AM
Unknown Object (File)
Sat, Jul 4, 9:17 PM
Unknown Object (File)
Wed, Jul 1, 2:16 AM
Unknown Object (File)
Mon, Jun 29, 1:34 PM
Unknown Object (File)
Thu, Jun 25, 8:22 PM
Unknown Object (File)
Tue, Jun 23, 12:19 AM

Details

Summary

Add a sysctl/tunable (net.inet.ipf.jail_allowed) to control whether a
jail can manage its own ipfilter rules, pools, and settings. A jail's
control over its own ipfilter rules and settings may not be desireable.
The default is jail access to ipfilter is denied.

The host system can stil manage a jail's rules by attaching the rules,
using the on keyword, limiting the rule to the jail's interface. Or
the sysctl/tunable can be enabled to allow a jail control over its own
ipfilter rules and settings.

Implementation note: Rather than store the jail_allowed variable,
referenced by sysctl(9), in a global area, storing the variable in the
ipfilter softc is consistent with ipfilter's use of its softc.

Discussed with: emaste, jrm
MFC after: 1 week

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable