Diffusion FreeBSD src repository c47db49ba4aa

ipfilter: Support only jails in VNET
c47db49ba4aa
Actions

Description

ipfilter: Support only jails in VNET

Jails without VNET have complete access to the ipfilter rules, NAT,
pools and logs. This is insecure. Only allow jails to manipulate
ipfilter rules, NAT tables and ippools if the jail has its own VNET.
Otherwise a jail can affect the global system.

This patch brings ipfilter in line with ipfw's support of VNET jails and
non-support of non-VNET jails.

MFC after: 1 week

Details

Provenance

cy	Authored on Mar 17 2022, 6:05 PM

Parents

rG70b56f4b9287: sqlite3: Vendor import of sqlite3 3.39.0

Branches

Unknown

Tags

Unknown

Event Timeline

cy committed rGc47db49ba4aa: ipfilter: Support only jails in VNET (authored by cy).Jul 7 2022, 2:53 PM

cy mentioned this in rG831c6b8edda6: ipfilter: Support only jails in VNET.Jul 14 2022, 1:54 PM

cy mentioned this in rGed86cf0121f9: ipfilter: Support only jails in VNET.Jul 14 2022, 9:33 PM

Changes (4)

Path

Size

sbin/

ipf/

libipf/

interror.c

sys/

netpfil/

ipfilter/

netinet/

ip_fil_freebsd.c

ip_nat.c

mlfk_ipl.c

rGc47db49ba4aa

View Options

sbin/ipf/libipf/interror.c

View Options

sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c

View Options

sys/netpfil/ipfilter/netinet/ip_nat.c

View Options

sys/netpfil/ipfilter/netinet/mlfk_ipl.c

ipfilter: Support only jails in VNETc47db49ba4aaActions

Description

Details

Event Timeline

Changes (4)

rGc47db49ba4aa

sbin/ipf/libipf/interror.c

sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c

sys/netpfil/ipfilter/netinet/ip_nat.c

sys/netpfil/ipfilter/netinet/mlfk_ipl.c

ipfilter: Support only jails in VNET
c47db49ba4aa
Actions