Jail source address selection in 8.1-RELEASE

Steve Polyack korvus at comcast.net
Wed Nov 24 18:07:39 UTC 2010

There appears to be a loosely documented sysctl 
'security.jail.param.ip4.saddrsel' which should limit source IP 
selection of jails to their primary jail interface/IP.  The sysctl does 
not appear to do anything, however:

# sysctl security.jail.param.ip4.saddrsel=0
# echo $?
# sysctl security.jail.param.ip4.saddrsel
# sysctl -d security.jail.param.ip4.saddrsel
security.jail.param.ip4.saddrsel: Do (not) use IPv4 source address 
selection rather than the primary jail IPv4 address.

Is this tunable only available when VIMAGE jails are built? The 
8.1-RELEASE Release Notes suggest it is for VIMAGE jail(8) containers, 
while 7.3-RELEASE Release Notes suggest that it is available for the 
entire jail(8) subsystem as 'security.jail.ip4_saddrsel', a different OID.

FreeBSD xxxx 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Tue Aug  3 16:24:09 EDT 
2010     root at xxxx:/usr/obj/usr/src/sys/GENERIC  amd64

More information about the freebsd-questions mailing list