ipfilter: Restrict ipfilter within a jail

Add a sysctl/tunable (net.inet.ipf.jail_allowed) to control whether a
jail can manage its own ipfilter rules, pools, and settings. A jail's
control over its own ipfilter rules and settings may not be desireable.
The default is jail access to ipfilter is denied.

The host system can stil manage a jail's rules by attaching the rules,
using the on keyword, limiting the rule to the jail's interface. Or
the sysctl/tunable can be enabled to allow a jail control over its own
ipfilter rules and settings.

Implementation note: Rather than store the jail_allowed variable,
referenced by sysctl(9), in a global area, storing the variable in the
ipfilter softc is consistent with ipfilter's use of its softc.

Discussed with:		emaste, jrm
MFC after:		1 week
Differential revision:	https://reviews.freebsd.org/D53623

Author: cschuber

sbin/ipf/libipf/interror.c

@@ -531,6 +531,7 @@ log" },
 	{	130016,	"finding pfil head failed" },
 	{	130017,	"ipfilter is already initialised and running" },
 	{	130018,	"ioctl denied in jail without VNET" },
+	{	130019,	"ioctl denied in jail" },
 };
 
 

sys/netpfil/ipfilter/netinet/fil.c

@@ -9096,6 +9096,7 @@ ipf_main_soft_create(void *arg)
 	softc->ipf_icmpminfragmtu = 68;
 	softc->ipf_max_namelen = 128;
 	softc->ipf_flags = IPF_LOGGING;
+	softc->ipf_jail_allowed = 0;
 
 #ifdef LARGE_NAT
 	softc->ipf_large_nat = 1;

sys/netpfil/ipfilter/netinet/ip_fil.h

@@ -1550,6 +1550,7 @@ typedef struct ipf_main_softc_s {
 	u_int		ipf_icmpacktimeout;
 	u_int		ipf_iptimeout;
 	u_int		ipf_large_nat;
+	u_int		ipf_jail_allowed;
 	u_long		ipf_ticks;
 	u_long		ipf_userifqs;
 	u_long		ipf_rb_no_mem;

sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c

@@ -88,6 +88,7 @@ VNET_DEFINE(ipf_main_softc_t, ipfmain) = {
 	.ipf_running		= -2,
 };
 #define	V_ipfmain		VNET(ipfmain)
+#define V0_ipfmain		VNET_VNET(vnet0,ipfmain)
 
 #include <sys/conf.h>
 #include <net/pfil.h>
@@ -254,6 +255,20 @@ ipfioctl(struct cdev *dev, ioctlcmd_t cmd, caddr_t data,
 		return (EPERM);
 	}
 
+	/*
+	 * Remember, the host system (with its vnet0) controls
+	 * whether a jail is allowed to use ipfilter or not.
+	 * The default is ipfilter cannot be used by a jail
+	 * unless the sysctl allows it.
+	 */
+	if (V0_ipfmain.ipf_jail_allowed == 0) {
+		if (jailed(p->p_cred)) {
+			V_ipfmain.ipf_interror = 130019;
+			CURVNET_RESTORE();
+			return (EOPNOTSUPP);
+		}
+	}
+
 	if (jailed_without_vnet(p->p_cred)) {
 		V_ipfmain.ipf_interror = 130018;
 		CURVNET_RESTORE();

sys/netpfil/ipfilter/netinet/mlfk_ipl.c

@@ -136,6 +136,7 @@ SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &VNET_NAME(ipfmain.ip
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &VNET_NAME(ipfmain.ipf_minttl), 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, large_nat, CTLFLAG_RDTUN | CTLFLAG_NOFETCH, &VNET_NAME(ipfmain.ipf_large_nat), 0, "large_nat");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_max_namelen, CTLFLAG_RWTUN, &VNET_NAME(ipfmain.ipf_max_namelen), 0, "max_namelen");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, jail_allowed, CTLFLAG_RWTUN, &VNET_NAME(ipfmain.ipf_jail_allowed), 0, "jail_allowed");
 
 #define CDEV_MAJOR 79
 #include <sys/poll.h>