Jail source address selection in 8.1-RELEASE
korvus at comcast.net
Wed Nov 24 18:07:39 UTC 2010
There appears to be a loosely documented sysctl
'security.jail.param.ip4.saddrsel' which should limit source IP
selection of jails to their primary jail interface/IP. The sysctl does
not appear to do anything, however:
# sysctl security.jail.param.ip4.saddrsel=0
# echo $?
# sysctl security.jail.param.ip4.saddrsel
# sysctl -d security.jail.param.ip4.saddrsel
security.jail.param.ip4.saddrsel: Do (not) use IPv4 source address
selection rather than the primary jail IPv4 address.
Is this tunable only available when VIMAGE jails are built? The
8.1-RELEASE Release Notes suggest it is for VIMAGE jail(8) containers,
while 7.3-RELEASE Release Notes suggest that it is available for the
entire jail(8) subsystem as 'security.jail.ip4_saddrsel', a different OID.
FreeBSD xxxx 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Tue Aug 3 16:24:09 EDT
2010 root at xxxx:/usr/obj/usr/src/sys/GENERIC amd64
More information about the freebsd-questions