[Bug 278232] Jail IPv4 source address selection inside a jail not working

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 09 Apr 2024 17:49:37 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

--- Comment #4 from Dirk Meyer <dinoex@FreeBSD.org> ---
Same failure on FreeBSD-13.3

# freebsd-version -kru
13.3-RELEASE-p1
13.3-RELEASE-p1
13.3-RELEASE-p1

I would like to know what the expected behavior of ip4.saddrsel in this case
is.

1)
The selection behaves differently from the host;
changing the netmask to /24 had no effect either.

# man jail
     ip4.addr
             A list of IPv4 addresses assigned to the jail.  If this is set,
             the jail is restricted to using only these addresses.  Any
             attempts to use other addresses fail, and attempts to use
             wildcard addresses silently use the jailed address instead.  For
             IPv4 the first address given will be used as the source address
             when source address selection on unbound sockets cannot find a
             better match.  It is only possible to start multiple jails with
             the same IP address if none of the jails has more than this
             single overlapping IP address assigned to itself.

     ip4.saddrsel
             A boolean option to change the formerly mentioned behaviour and
             disable IPv4 source address selection for the jail in favour of
             the primary IPv4 address of the jail.  Source address selection
             is enabled by default for all jails and the ip4.nosaddrsel
             setting of a parent jail is not inherited for any child jails.


2)
There is also a sysctl, but I am unable to change it outside,
nor does it reflect the status inside the jail:

host# sysctl -d security.jail.param.ip4.saddrsel
security.jail.param.ip4.saddrsel: Do (not) use IPv4 source address selection
rather than the primary jail IPv4 address.

host# sysctl security.jail.param.ip4.saddrsel=1
security.jail.param.ip4.saddrsel: 0 -> 0

jail# sysctl security.jail.param.ip4.saddrsel
security.jail.param.ip4.saddrsel: 0

Is this the expected behavior?
