| Summary: | sysutils/qjail [Maintainer update] reworked vnet function | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | qjail |
| Component: | Individual Port(s) | Assignee: | Mathieu Arnold <mat> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | CC: | qjail1 |
| Priority: | --- | Flags: | bugzilla: maintainer-feedback? (qjail1) |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |

A commit references this bug:

Author: mat
Date: Fri Feb 17 16:49:30 UTC 2017
New revision: 434303
URL: https://svnweb.freebsd.org/changeset/ports/434303

Log:
Update to 5.1.

PR: 217177
Submitted by: maintainer
Sponsored by: Absolight

Changes:
head/sysutils/qjail/Makefile
head/sysutils/qjail/distinfo
head/sysutils/qjail/pkg-message
head/sysutils/qjail/pkg-plist

Created attachment 180083
updated port make files diff

qjail-5.1 change log.

1. Release 11.0 activated fortune tips at user login time. I disabled it. When creating the sharedefs filesystem during "qjail install" time renamed the fortune file named /usr/bin/fortune so when logging into an account in a jail will no longer get the tip message generated. Done 01/5/2017

2. Edit qjail.8 man page adding info about NAT forwarding by ip address and port number to target traffic to the desired jail. Done 01/5/2017

3. Re-wrote qjail-howto.8, now shows example of how to drive public traffic to jail based on port number and NAT forwarding. Done 1/5/2017

4. 2/1/2017 I received an email from Shuto Imai, who is a security engineer living in Japan. He suggested a different method of configuring vnet jails. He customized the qjail script and the qjail.vnet.be script so the ipv4 ip address entered on the create command gets used as the vnet jail access ip address and also changed the list command to show the ipv4 ip address on the list display for vnet jails. He provided a diff that I patched qjail-5.0 with to really understand what his different method was all about. Using that as a starting point I rewrote just about everything dealing with vnet configuration, and how it is shown by the list command. The following items are the details.

   A. The create command ipv4 & ipv6 ip addresses are now used as the connection ip address on the epairb that bridges the vnet jail to the host system.

   B. Discarded the bridge/epair method that used the qjail.vnet.be script.

   C. Changed the vnet jail config method so the -w and -v command options can now be coded together on the same command request.

   D. Changed the build_config_def routine in what exec.start variable content is populated for vnet jails.

   E. Moved the bridge/epair logic from the qjail.vnet.be script to the qjail script start/stop routine.

   F. Changed the way firewalls are checked at vnet jail start time to verify the host is running the same firewall as the vnet jail.

   G. Changed the way the list command shows vnet jails. The status field now contains some new content. A "V" is displayed for a vnet jail. Numbers are shown to indicate which firewall is being used by that vnet jail. 0=none, 1=ipfw, 2=pf, 3=ipf

5. Changed qjail.8 manual to address the new way vnet jails are handled.

6. Wrote the new qjail-vnet-howto.8 manual.

7. Wrote the new qjail-ipv6-testing.8 manual.

8. Fixed the way "config -V" function removed vnet jail status.

9. For vnet jails corrected the method of assigning multiple ipv4 ip addresses.

10. For vnet jails corrected the method of assigning multiple ipv6 ip addresses.

11. Added code to "config -b" rule logic to add qjail-bpf.ruleset rule number 50 to the host system on first use.

12. Changed qjail.8 "GENERAL QJAIL USAGE TIPS" section adding information about rule 50 usage.

13. Changed qjail.8 "config -b" section adding information about rule 50 usage.