Anyone interested in jail patches?

Frank Behrens frank at harz.behrens.de
Sun Nov 30 08:32:24 PST 2008


Bjoern A. Zeeb wrote:
> On Thu, 27 Nov 2008, Frank Behrens wrote:
>> On the other side I still read in the patched jail(2) man page:
>> "Similarly, it might be a good idea to add an address alias flag such
>> that daemons listening on all IPs (INADDR_ANY) will not bind on that
>> address...". Can you explain the current behaviour?
>
> I think this question is related to your PR kern/84215.
Yes.

> The current situation is: jails take precedence. So if sshd is
> listening on inaddr_any on the host and on inaddr_any inside a jail
> the connection to an IP belonging to a jail will end up inside the
> jail; any connections to IPs not belonging to jails will end up on the
> base.
So we have now the desired behaviour. Your explanation should replace
the (now incorrect) sentence in the man page. Please excuse my error, it
is in jail(8), not jail(2).

> Obviously if you stop the jail and ssh to a former jail IP you'll end
> up on the base system and ssh would complain about different keys
> possibly while telnet or similar things won't notice.
This is expected and not easy to circumvent.


Regards,
Frank



More information about the freebsd-jail mailing list