Any patch for ICMP in a jail?

Robert Watson rwatson at freebsd.org
Mon Aug 4 05:36:44 PDT 2003


On Mon, 4 Aug 2003, Rus Foster wrote:

> Is there a patch that will allow ping from inside a jail on 5.x? Google
> didn't show anything?

The problem is that, to generate pings, you have to have access to a raw
socket.  And unfortunately, raw sockets imply access to a lot more than
just the ability to send/receive ICMP: a number of management components
in the IP stack assume that if you have a raw socket, you're also allowed
to configure those components.  Take a look at rip_ctloutput() in raw_ip.c
for some examples.  We have some local in-progress changes to modify this
as part of our capabilities work, but there's no timeline for integrating
it.  The best short-term suggestion would be to write a
privilege-separated ping tool -- a pingd running outside the jail,
providing UNIX domain sockets in each jail that needs the ability to ping;
ping then becomes a client that RPC's to pingd.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories
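
A sketch of the privilege-separated pingd design suggested above, added here as an example and not code from Robert Watson or the FreeBSD tree. It assumes a one-line request format "PING <ipv4-address> <count>" on the per-jail UNIX domain socket, uses socketpair() in place of the socket path pingd would bind inside each jail, and takes the raw-socket sendto() as a send_echo callable so the packet building and request validation (the part that keeps the jail from reaching anything beyond ICMP echo) can be exercised without root.

```python
import ipaddress
import os
import socket
import struct

MAX_COUNT = 10  # pingd caps how many echo requests one jail request may send


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 (echo request), code 0, checksum filled in."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_request(line: bytes):
    """Validate 'PING <ipv4-address> <count>' from a jail; reject anything else.
    The daemon, not the jail, decides what goes out on the raw socket."""
    parts = line.strip().split()
    if len(parts) != 3 or parts[0] != b"PING":
        raise ValueError("malformed request")
    addr = ipaddress.IPv4Address(parts[1].decode("ascii"))  # ValueError if bad
    count = int(parts[2])
    if not 1 <= count <= MAX_COUNT:
        raise ValueError("count out of range")
    return str(addr), count


def handle_client(conn: socket.socket, send_echo) -> int:
    """pingd side: read one request, build the echo requests in the privileged
    process, hand each to send_echo (sendto() on pingd's raw ICMP socket in a
    real deployment; assumed callable here). Returns packets dispatched."""
    try:
        addr, count = parse_request(conn.recv(256))
    except ValueError as exc:
        conn.sendall(b"ERR " + str(exc).encode() + b"\n")
        return 0
    ident = os.getpid() & 0xFFFF
    for seq in range(count):
        send_echo(addr, build_echo_request(ident, seq, b"pingd"))
    conn.sendall(b"OK %d\n" % count)
    return count


def ping_from_jail(request: bytes, send_echo):
    """Client side as seen from the jail: one request over the UNIX socket,
    one reply back. socketpair() stands in for the per-jail socket path."""
    client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.sendall(request)
        dispatched = handle_client(daemon, send_echo)
        return client.recv(64), dispatched
    finally:
        client.close()
        daemon.close()
```

The jail-side client never touches a raw socket; everything rip_ctloutput() would expose stays behind pingd, which only ever emits type 8 packets to an address it parsed itself.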