K 10
svn:author
V 2
cy
K 8
svn:date
V 27
2022-07-29T17:06:57.981797Z
K 7
svn:log
V 542
ipfilter: Support only jails in VNET

Jails without VNET have complete access to the ipfilter rules, NAT,
pools and logs. This is insecure. Only allow jails to manipulate
ipfilter rules, NAT tables and ippools if the jail has its own VNET.
Otherwise a jail can affect the global system.

This patch brings ipfilter in line with ipfw's support of VNET jails and
non-support of non-VNET jails.

(cherry picked from commit c47db49ba4aa7e74afe22591a62fbda95317932d)

Git Hash:   ed86cf0121f9a28e754f605c5be6c6576cde6c64
Git Author: cy@FreeBSD.org
END