Re: [ezjail] ezjail-admin vs. make.conf

On 2/14/10 12:31 AM, Charles Sprickman wrote:

Hey Charles,

thanks for your feedback.

> I have one lingering request (or request for discussion), and that is
> to look at another way to handle configuring a jail with a large
> number of IPs (for example, I have two that have had from 200 to 400
> IPs in each).  Specifying all those IPs in a single line in
> ezjail.conf is rough.  It would be nice if there were another option,
> either include another file that lists one IP/line, or even cooler,
> being able to specify a range of IPs as in the interface config in
> rc.conf.

Well, you're totally correct. With the dawn of multi-IP jails it should
have become a no-brainer to hand CIDR-notated blocks to the jail
script/command and list them accordingly; the routines are right there
in rc.subr (at least for v4), and displaying those net blocks will look
much tidier.

I think in the long run this belongs in rc.d/jail (maybe I should
apply as a maintainer), but until then, doing it when rc.d/jail is unable
to might become a handy feature for 3.2.

> Another thing that you'll run into if you use a ton of IPs is that
> there's a sysctl (security.jail.jail_max_af_ips) that arbitrarily
> limits the max IPs per jail.  ezjail will silently fail when this
> limit is hit.  It would be nice to check if that limit will be
> exceeded.

Hmmm, that would be a nice "ezjail-admin create"-time warning, too? OTOH
this is also a job for the rc.d/jail script; ezjail can't handle every
single possible error condition for the jail to start.

IOW: I put the blame on the rc-script but am willing to help out there.
(Although the last time I reported a security issue they held 7.0 and I
replied to their fix not exactly politely.)
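The two ideas discussed above, expanding a CIDR block into one address per line and warning before the per-jail address limit is hit, as an added POSIX sh sketch that is not part of ezjail or of this thread. It assumes IPv4 only, that the limit is passed in explicitly (on FreeBSD it can be read with `sysctl -n security.jail.jail_max_af_ips`; the fallback value of 16 below is a constructed placeholder, not the system default), and a shell with 64-bit arithmetic.

```sh
#!/bin/sh
# Expand an IPv4 CIDR block into usable host addresses (network and
# broadcast dropped for prefixes shorter than /31) and compare the count
# against a per-jail address limit before the jail is created.

ip_to_int() {
    # "a.b.c.d" -> 32-bit integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

expand_cidr() {
    # usage: expand_cidr 192.0.2.0/29  -> one usable host address per line
    addr=${1%/*}; plen=${1#*/}
    base=$(ip_to_int "$addr")
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    net=$(( base & mask ))
    first=$net; last=$(( net + (1 << (32 - plen)) - 1 ))
    if [ "$plen" -lt 31 ]; then first=$(( net + 1 )); last=$(( last - 1 )); fi
    i=$first
    while [ "$i" -le "$last" ]; do int_to_ip "$i"; i=$(( i + 1 )); done
}

count_ips() { expand_cidr "$1" | wc -l | tr -d ' '; }

check_jail_ip_limit() {
    # usage: check_jail_ip_limit <cidr> <limit>; 0 if the block fits, 1 otherwise
    n=$(count_ips "$1")
    if [ "$n" -gt "$2" ]; then
        echo "warning: $1 expands to $n addresses, above the per-jail limit of $2" >&2
        return 1
    fi
    return 0
}

jail_ip_limit() {
    # On FreeBSD read the live sysctl; elsewhere fall back to a constructed default
    sysctl -n security.jail.jail_max_af_ips 2>/dev/null || echo 16
}

# Example (constructed): check_jail_ip_limit 192.0.2.0/26 "$(jail_ip_limit)"
```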