Jail source address selection in 8.1-RELEASE
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Thu Nov 25 22:45:08 UTC 2010
On Wed, 24 Nov 2010, Steve Polyack wrote:
> There appears to be a loosely documented sysctl
> 'security.jail.param.ip4.saddrsel' which should limit source IP selection of
> jails to their primary jail interface/IP. The sysctl does not appear to do
> anything, however:
> # sysctl security.jail.param.ip4.saddrsel=0
> # echo $?
> # sysctl security.jail.param.ip4.saddrsel
> # sysctl -d security.jail.param.ip4.saddrsel
> security.jail.param.ip4.saddrsel: Do (not) use IPv4 source address selection
> rather than the primary jail IPv4 address.
> Is this tunable only available when VIMAGE jails are built? The 8.1-RELEASE
> Release Notes suggest it is for VIMAGE jail(8) containers, while 7.3-RELEASE
> Release Notes suggest that it is available for the entire jail(8) subsystem
> as 'security.jail.ip4_saddrsel', a different OID.
Don't use the sysctl; the param tree only tells you which options are
available; ip4.saddrsel is an option to the jail -c|-m command.
Bjoern A. Zeeb Welcome a new stage of life.
<ks> Going to jail sucks -- <bz> All my daemons like it!
More information about the freebsd-questions