[patch] Raw sockets in jails
Poul-Henning Kamp
phk at phk.freebsd.dk
Tue Apr 20 02:20:49 PDT 2004
In message <20040420015638.A84821 at staff.seccuris.com>, "Christian S.J. Peron" writes:
>
> Although RAW sockets can be used when specifying the source
> address of packets (defeating one of the aspects of the jail)
> some people may find it useful to use utilities like ping(8)
> or traceroute(8) from inside jails.
>
> Enclosed is a patch I have written which gives you the option
> of allowing prison-root to create raw sockets inside the prison,
> so that various network debugging programs like ping
> and traceroute etc can be used.
>
> This patch will create the security.jail.allow_raw_sockets sysctl
> MIB. I would appreciate any feedback from testers.
>
> See PR #:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=65800
Could you take a peek and see how hard it would be to enforce source-IP
compliance with the jail restriction?
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.