Jails - Ethernet data vs IP data

Jamie Gritton jamie at FreeBSD.org
Tue Jan 12 20:12:40 UTC 2010

On 01/09/10 21:21, Tim Judd wrote:

> I bought a new SiliconDust HDHomeRun device which brings two Digital
> coaxial tuners to an ethernet network.  From what I read and
> understand about the HDHomeRun ("HDHR"), is that it does have an IP
> address assigned to the system, but all packets of video are actually
> just raw Ethernet packets/data that has its own payload and protocol.
> The port MythTV (which I'm starting to love) maintainer has marked
> the two pieces of MythTV as conflicting ports (I'll address to the
> maintainer directly), so I build the frontend (the user interface if
> you will) on the host, because it needs lots of X11/xorg.  The backend
> runs as a daemon talking with MySQL to manage everything.  Since they
> conflict, the backend goes onto a jail.
> I have to port-compile the backend every time, the packages have
> missing dependencies.  It takes quite a while.  I know the HDHR is
> online, I can watch the video without MythTV interaction, but the
> jailed backend isn't seeing it.  So I was hoping to see if I can query
> the group and see if "raw ethernet data" can be delivered to a jail,
> or if I'm just fishing in the empty fish bowl trying to get this to
> work in a jail.
> Thanks for ANY input in regards to limits the jail system might
> have.  This is on a golden 8.0-RELEASE i386, haven't updated it yet.

Take a look at the security.jail.allow_raw_sockets sysctl, or the
allow.raw_sockets jail parameter (probably the former since the jail
parameters don't have good rc support yet). By default, jails aren't
allowed to create the raw sockets necessary for direct ethernet
communication. Setting security.jail.allow_raw_sockets=1 should allow
that. You might also need to clear security.jail.socket_unixiproute_only
(or set allow.socket_af) - not sure about that.

- Jamie
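As an added example, not part of the original thread: a small POSIX sh audit that reads the `sysctl security.jail` output of an 8.x host and reports whether jailed processes could open the raw sockets Jamie mentions. It assumes the two knobs are named exactly as in the reply and that sysctl(8) prints them in its default "name: value" form; the sample lines are constructed. The verdict is worth knowing before flipping the sysctl, because `security.jail.allow_raw_sockets` is a host-wide default that widens every jail on the box, whereas the per-jail `allow.raw_sockets` parameter confines the change to the one jail that needs it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Audits the FreeBSD 8.x
# jail sysctls from the output of `sysctl security.jail`, e.g.:
#     sysctl security.jail | audit_jail_sysctls
# Assumption: the knobs print as "name: value" (sysctl(8) default format).

# jail_knob NAME: print the value of one knob from "name: value" lines on
# stdin, or "unset" if no such line is present.
jail_knob() {
    awk -v k="$1" -F': ' '$1 == k { print $2; found = 1 }
                          END { if (!found) print "unset" }'
}

# raw_ethernet_verdict RAW ROUTEONLY: interpret the two values together.
# allow_raw_sockets=1 lets a jail create raw sockets at all;
# socket_unixiproute_only=1 still restricts sockets to the unix, inet,
# inet6 and route address families.
raw_ethernet_verdict() {
    raw="$1"
    routeonly="$2"
    if [ "$raw" = "1" ] && [ "$routeonly" = "0" ]; then
        echo "raw sockets allowed, any address family"
    elif [ "$raw" = "1" ]; then
        echo "raw sockets allowed, but only unix/inet/inet6/route address families"
    else
        echo "raw sockets denied (default)"
    fi
}

# audit_jail_sysctls: read sysctl lines on stdin and print one verdict line.
audit_jail_sysctls() {
    input=$(cat)
    raw=$(printf '%s\n' "$input" | jail_knob security.jail.allow_raw_sockets)
    routeonly=$(printf '%s\n' "$input" | jail_knob security.jail.socket_unixiproute_only)
    raw_ethernet_verdict "$raw" "$routeonly"
}

# Constructed sample of what a stock 8.0 host prints (both knobs at default).
SAMPLE_DEFAULT='security.jail.allow_raw_sockets: 0
security.jail.socket_unixiproute_only: 1'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DEFAULT" | audit_jail_sysctls
```

On a real host replace the sample with `sysctl security.jail | audit_jail_sysctls`; if the verdict is "denied", only the jail that must talk to the tuner should be given `allow.raw_sockets`, rather than changing the host-wide sysctl for every jail.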
