[Bug 260973] pf: firewall rules stop matching when vnet jails share interface names with the host
Date: Mon, 14 Feb 2022 19:05:25 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260973

--- Comment #4 from Thomas Steen Rasmussen / Tykling <thomas@gibfest.dk> ---
(In reply to Kristof Provost from comment #3)

Thank you for the input.

The issue I was hitting is the first one you mention - also described in #185619 - and I've been able to work around it in my own setup by inventing some interface names inside the jails which are never used on the host (in my case the jail interfaces are called jail0, jail1 etc).

Also, this is not strictly needed, but one could add an exec.stop entry before rc.shutdown to rename the interfaces back to their original epairNb name which shouldn't be in use in the parent vnet.

Both of these are workarounds of course, and don't begin to consider nested jails with overlapping interface names.

Kristof, do you know the code well enough to say if it would be possible to deny the initial interface rename action if a parent vnet is using the same name?

--
You are receiving this mail because:
You are the assignee for the bug.