Re: [patch] allow testing VIMAGE with pf in base system only
jul...@elischer.org (Julian Elischer) writes:

>there is a version of pf in the wings that actually knows about jails.
>This change is not to be confused with that.

I was worried that the pf/vimage project was stalled. I eagerly await!

--
G. Paul Ziemba
FreeBSD unix:
9:46PM up 98 days, 13:27, 23 users, load averages: 0.07, 0.05, 0.01
___
freebsd-virtualization@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-virtualization
To unsubscribe, send any mail to "freebsd-virtualization-unsubscr...@freebsd.org"
Re: [patch] allow testing VIMAGE with pf in base system only
On 9/9/10 12:22 PM, Luiz Gustavo S. Costa wrote:

> Hi Bjoern,
>
> I just perform tests with your patch and it worked very well! thanks for the patch ...
>
> But I found something that may be unsafe within the jail environment,
> I'm allowed to change /dev/pf, so that if I run a "pfctl -f
> /etc/pf.conf" inside the jail to do with that the rules are read
> again, killing pf.conf on the main environment

there is a version of pf in the wings that actually knows about jails.
This change is not to be confused with that.

> FreeBSD gugabsd..com.br 8.1-STABLE FreeBSD 8.1-STABLE #1: Thu Sep 9 14:31:43 BRT 2010 r...@gugabsd..com.br:/usr/obj/usr/src/sys/GENERIC i386
>
> Thanks
>
> 2010/9/7 Bjoern A. Zeeb:
>> Hey,
>>
>> in a way to work on something I needed to be able to at least load pf
>> on my VIMAGE development machine. So I quickly hacked together a
>> patch that does exactly that. I hope it'll apply to HEAD or stable/8
>> but I didn't test on either.
>>
>> This will NOT allow you to use pf with jails+vnet but should allow
>> using pf in the base system even if VIMAGE is enabled. In case it
>> still panics for you, let me know and include a backtrace in your
>> report.
>>
>> http://people.freebsd.org/~bz/20100907-01-pf-vnet0.diff
>>
>> /bz
>>
>> --
>> Bjoern A. Zeeb Welcome a new stage of life.
Re: [patch] allow testing VIMAGE with pf in base system only
lol in the rush to see the patch working not read the head of it :p has every reason only disable dev ;)

2010/9/9 Bjoern A. Zeeb:
> On Thu, 9 Sep 2010, Luiz Gustavo S. Costa wrote:
>
> Hey,
>
>> But I found something that may be unsafe within the jail environment,
>> I'm allowed to change /dev/pf, so that if I run a "pfctl -f
>> /etc/pf.conf" inside the jail to do with that the rules are read
>> again, killing pf.conf on the main environment
>
> yes, see the comment at the top of the patch:
>
> ! You should not leak /dev/pf into jails for now or they might
> ! change your rules;-)
>
> See devfs, devfs.rules, etc. The jail startup script would usually
> apply the devfsrules_jail defines in /etc/defaults/devfs.rules.
>
> /bz
>
> --
> Bjoern A. Zeeb Welcome a new stage of life.

--
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: cont...@mundounix.com.br
Tel: 55
Blog: http://www.luizgustavo.pro.br
Re: [patch] allow testing VIMAGE with pf in base system only
On Thu, 9 Sep 2010, Luiz Gustavo S. Costa wrote:

Hey,

> But I found something that may be unsafe within the jail environment,
> I'm allowed to change /dev/pf, so that if I run a "pfctl -f
> /etc/pf.conf" inside the jail to do with that the rules are read
> again, killing pf.conf on the main environment

yes, see the comment at the top of the patch:

! You should not leak /dev/pf into jails for now or they might
! change your rules;-)

See devfs, devfs.rules, etc. The jail startup script would usually
apply the devfsrules_jail defines in /etc/defaults/devfs.rules.

/bz

--
Bjoern A. Zeeb Welcome a new stage of life.
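Added example, not part of the thread or of the patch: a simplified model of how devfs rulesets resolve, usable to check whether the ruleset applied to a jail would leave /dev/pf visible. The sample rules file is constructed, the devfsrules_jail_leaky ruleset and both function names are hypothetical, and the host's devfs(8) remains the authority on what a jail actually sees.

```shell
# Added example: would a devfs ruleset expose a device node (here pf) in a jail?
# Simplified model: nodes start visible, rules apply in order, last match wins.
expand_ruleset() {   # print rules of ruleset $2 in file $1, includes expanded
    [ "${3:-0}" -lt 8 ] || return 0          # stop on include loops
    awk -v want="$2" '
        /^\[/ { split(substr($0, 2), a, "="); cur = a[1]; next }
        cur == want && $1 == "add" { print }
    ' "$1" | while read -r _add verb arg rest; do
        case $verb in
            include) expand_ruleset "$1" "${arg#\$}" $(( ${3:-0} + 1 )) ;;
            *) printf '%s\n' "$verb $arg $rest" ;;
        esac
    done
}

device_state() {     # print visible|hidden for node $3 under ruleset $2 of file $1
    expand_ruleset "$1" "$2" | {
        state=visible
        while read -r verb arg rest; do
            case $verb in
                hide|unhide) pat='*' action=$verb ;;
                path) pat=$(printf '%s' "$arg" | tr -d "'\"") action=$rest ;;
                *) continue ;;
            esac
            case $3 in
                $pat) case $action in hide) state=hidden ;; unhide) state=visible ;; esac ;;
            esac
        done
        echo "$state"
    }
}

# Constructed sample in devfs.rules syntax; devfsrules_jail_leaky is hypothetical.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
[devfsrules_jail_leaky=10]
add include $devfsrules_jail
add path 'p*' unhide
EOF
for rs in devfsrules_jail devfsrules_jail_leaky; do
    echo "$rs: /dev/pf is $(device_state "$RULES" "$rs" pf)"
done
```

A ruleset name that does not exist in the file yields no rules and therefore reports "visible", which matches a devfs mount with no ruleset applied.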
Re: [patch] allow testing VIMAGE with pf in base system only
Hi Bjoern,

I just perform tests with your patch and it worked very well! thanks for the patch ...

But I found something that may be unsafe within the jail environment, I'm allowed to change /dev/pf, so that if I run a "pfctl -f /etc/pf.conf" inside the jail to do with that the rules are read again, killing pf.conf on the main environment

FreeBSD gugabsd..com.br 8.1-STABLE FreeBSD 8.1-STABLE #1: Thu Sep 9 14:31:43 BRT 2010 r...@gugabsd..com.br:/usr/obj/usr/src/sys/GENERIC i386

Thanks

2010/9/7 Bjoern A. Zeeb:
> Hey,
>
> in a way to work on something I needed to be able to at least load pf
> on my VIMAGE development machine. So I quickly hacked together a
> patch that does exactly that. I hope it'll apply to HEAD or stable/8
> but I didn't test on either.
>
> This will NOT allow you to use pf with jails+vnet but should allow
> using pf in the base system even if VIMAGE is enabled. In case it
> still panics for you, let me know and include a backtrace in your
> report.
>
> http://people.freebsd.org/~bz/20100907-01-pf-vnet0.diff
>
> /bz
>
> --
> Bjoern A. Zeeb Welcome a new stage of life.

--
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: cont...@mundounix.com.br
Tel: 55
Blog: http://www.luizgustavo.pro.br
Re: [patch] allow testing VIMAGE with pf in base system only
On Tue, 7 Sep 2010, Bjoern A. Zeeb wrote:

Hey,

> in a way to work on something I needed to be able to at least load pf
> on my VIMAGE development machine. So I quickly hacked together a
> patch that does exactly that. I hope it'll apply to HEAD or stable/8
> but I didn't test on either.
>
> This will NOT allow you to use pf with jails+vnet but should allow
> using pf in the base system even if VIMAGE is enabled. In case it
> still panics for you, let me know and include a backtrace in your
> report.
>
> http://people.freebsd.org/~bz/20100907-01-pf-vnet0.diff

even though the patch seems to apply cleanly to a stable/8 tree,
here's the one from SVN on that rather than perforce/HEAD:

http://people.freebsd.org/~bz/20100907-02-pf-vnet0-8.diff

It survives a GENERIC, LINT and LINT-VIMAGE build on RELENG_8 at least.

/bz

--
Bjoern A. Zeeb Welcome a new stage of life.
[patch] allow testing VIMAGE with pf in base system only
Hey,

in a way to work on something I needed to be able to at least load pf
on my VIMAGE development machine. So I quickly hacked together a
patch that does exactly that. I hope it'll apply to HEAD or stable/8
but I didn't test on either.

This will NOT allow you to use pf with jails+vnet but should allow
using pf in the base system even if VIMAGE is enabled. In case it
still panics for you, let me know and include a backtrace in your
report.

http://people.freebsd.org/~bz/20100907-01-pf-vnet0.diff

/bz

--
Bjoern A. Zeeb Welcome a new stage of life.