Re: Exposing default route(s) to "inherit" jails

From: James Gritton <jamie_at_freebsd.org>
Date: Sat, 01 Nov 2025 17:18:45 UTC
On 2025-10-31 23:59, Andrea Cocito wrote:
> Hello,
> 
> In a project I am working on we need to use, in jails, tools like map 
> which need to see the default route. Jails with “inherit” network mode 
> cannot see the default route.
> 
> I experimented with dedicated FIBs in which I inject the routes and 
> various other paths, nothing worked. I finally decided to patch the 
> kernel and add a sysctl knob.
> 
> Setting net.route.inherit_jail_default_routes=1 makes the default 
> routes visible to “inherit” jails, leaving it at the default (0) keeps 
> the known and current behaviour.
> 
> I wonder:
> 1. Did I miss some other, simpler, solution?
> 2. What are the security risks of exposing (read-only) default routes 
> to a jail?
> 3. Could this be useful to others?
> 4. What would be the path to propose this as a PR for integration in 
> the codebase?
> 
> So far the patch is tested on 14.3-p5. Patch attached.

I don't see a problem with this.  For that matter, I don't see a problem 
with seeing all the routes if the admin decides it's fine for a jail to 
see them.  But don't take it from me - I hope someone else with more of 
a networking background will chime in with any reasons why this is or 
isn't a good idea.

I would make this not a sysctl knob, but another flag under jail.allow.

- Jamie