Exposing default route(s) to "inherit" jails

From: Andrea Cocito <andrea_at_cocito.eu>
Date: Sat, 01 Nov 2025 06:59:32 UTC
Hallo,

In a project I am working on we need to use, inside jails, tools like map which need to see the default route. Jails with “inherit” network mode cannot see the default route.

I experimented with dedicated FIBs into which I inject the routes, and with various other paths; nothing worked. I finally decided to patch the kernel and add a sysctl knob.

Setting net.route.inherit_jail_default_routes=1 makes the default routes visible to “inherit” jails, leaving it at the default (0) keeps the known and current behaviour.

I wonder:
1. Did I miss some other, simpler, solution?
2. What are the security risks of exposing (read only) default routes to a jail?
3. Could this be useful to others?
4. What would be the path to propose this as a PR for integration in the codebase?

So far the patch is tested on 14.3-p5. Patch attached.

Cheers,

A.