svn commit: r195944 - head/sys/kern
Jamie Gritton
jamie at FreeBSD.org
Wed Jul 29 17:18:05 UTC 2009

Sam Leffler wrote:
> Jamie Gritton wrote:
>> Author: jamie
>> Date: Wed Jul 29 16:41:02 2009
>> New Revision: 195944
>> URL: http://svn.freebsd.org/changeset/base/195944
>>
>> Log:
>> Change the default value of the "ip4" and "ip6" jail parameters to
>> "disable", which only allows access to the parent/physical system's
>> IP addresses when specifically directed. Change the default value of
>> "host" to "new", and don't copy the parent host values, to insulate
>> jails from the parent hostname et al.
>
> This does not say why you're making these changes; please explain.

My apologies. The ip4/6 change fixed an error with the old-style
command line of jail(8), where specifying IPv4 address(es) but not IPv6
addresses would allow access to the full IPv6 stack, a regression from
7.2 which allows only specifically noted IPv6 addresses. This could
have been fixed in jail(8), but the default to act like the current jail
implementation even for new-style command lines made more sense, and the
kernel is the place for such policy points.

The host change arose from a discrepancy between it and the "linux"
parameters that control the Linux MIB entries. These had different
defaults for no reason other than I coded them at different times
without a lot of thought as to what the most reasonable default would
be. I also made a cleaner break with the parent system when one value
(typically host.hostname) is set and the others aren't - it didn't make
sense to copy some and set others.
- Jamie