Diffusion FreeBSD src repository ed86cf0121f9

ipfilter: Support only jails in VNET
ed86cf0121f9
Actions

Description

ipfilter: Support only jails in VNET

Jails without VNET have complete access to the ipfilter rules, NAT,
pools and logs. This is insecure. Only allow jails to manipulate
ipfilter rules, NAT tables and ippools if the jail has its own VNET.
Otherwise a jail can affect the global system.

This patch brings ipfilter in line with ipfw's support of VNET jails and
non-support of non-VNET jails.

(cherry picked from commit c47db49ba4aa7e74afe22591a62fbda95317932d)

Details

Provenance

cy	Authored on Mar 17 2022, 6:05 PM

Parents

rGbb4cbd0fcf3e: Simplify dynamic ipfilter sysctls.

Branches

Unknown

Tags

Unknown

Event Timeline

cy committed rGed86cf0121f9: ipfilter: Support only jails in VNET (authored by cy).Jul 14 2022, 1:26 PM

Changes (4)

Path

Size

sbin/

ipf/

libipf/

interror.c

sys/

netpfil/

ipfilter/

netinet/

ip_fil_freebsd.c

ip_nat.c

mlfk_ipl.c

rGed86cf0121f9

View Options

sbin/ipf/libipf/interror.c

View Options

sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c

View Options

sys/netpfil/ipfilter/netinet/ip_nat.c

View Options

sys/netpfil/ipfilter/netinet/mlfk_ipl.c

ipfilter: Support only jails in VNETed86cf0121f9Actions

Description

Details

Event Timeline

Changes (4)

rGed86cf0121f9

sbin/ipf/libipf/interror.c

sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c

sys/netpfil/ipfilter/netinet/ip_nat.c

sys/netpfil/ipfilter/netinet/mlfk_ipl.c

ipfilter: Support only jails in VNET
ed86cf0121f9
Actions