Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ioc_start.py: allow 'none' bridge in interfaces #47

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ioc_start.py: allow 'none' bridge in interfaces #47

wants to merge 1 commit into from

Conversation

Defenso-QTH
Copy link
Contributor

Iocage currently expects interfaces to be specified in the nic:bridge format, where bridge cannot be none. This results in iocage always creating a bridge to which VNET jail epair interfaces are added as members.

In a scenario where the user wants jails to be isolated on the data-link layer (OSI layer 2 / Ethernet) and use the host as a router, this bridge is unnecessery. It can also result in illegitimate cross-jail traffic being allowed, since pf filtering on bridge interfaces is disabled by default on FreeBSD systems (net.link.bridge.pfil_bridge=0).

Closes #44

Passing CI job: https://cirrus-ci.com/task/6547222509125632

For some reason the CI run using python packages instead of pre-built pkg ones is broken (incl. on the master branch) and indefinitely hangs on tests/functional_tests/0013_import_test.py::test_01_import_jail, but it is unrelated to this PR.

@Defenso-QTH
ioc_start.py: allow 'none' bridge in interfaces
d48f123 
Iocage currently expects interfaces to be specified in the nic:bridge
format, where bridge cannot be none. This results in iocage always
creating a bridge to which VNET jail epair interfaces are added as
members.

In a scenario where the user wants jails to be isolated on the data-link
layer (OSI layer 2 / Ethernet) and use the host as a router, this bridge
is unnecessery. It can also result in illegitimate cross-jail traffic
being allowed, since pf filtering on bridge interfaces is disabled by
default on FreeBSD systems (net.link.bridge.pfil_bridge=0).

Closes freebsd#44
@coveralls
Copy link

coveralls commented Nov 19, 2024
edited
Loading

Pull Request Test Coverage Report for Build 11910889948

Details

  • 0 of 3 (0.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.002%) to 7.738%
Changes Missing Coverage Covered Lines Changed/Added Lines %
iocage_lib/ioc_start.py 0 3 0.0%
Totals Coverage Status
Change from base Build 11334365279: -0.002%
Covered Lines: 798
Relevant Lines: 7803
💛 - Coveralls

@Defenso-QTH Defenso-QTH mentioned this pull request Nov 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

iocage creates unnecessary bridges for VNET jails
2 participants
@Defenso-QTH @coveralls