svn commit: r202924 - in stable/7: sys/kern sys/netinet sys/netinet6 sys/sys usr.sbin/jail
Jase Thew
freebsd at beardz.net
Sun Jan 24 16:23:08 UTC 2010
On 24/01/2010 14:05, Bjoern A. Zeeb wrote:
> Author: bz
> Date: Sun Jan 24 14:05:56 2010
> New Revision: 202924
> URL: http://svn.freebsd.org/changeset/base/202924
>
> Log:
> MFC r202468:
>
> Add security.jail.ip4_saddrsel/ip6_nosaddrsel sysctls to control
> whether to use source address selection (default) or the primary
> jail address for unbound outgoing connections.
>
> This is intended to be used by people upgrading from single-IP
> jails to multi-IP jails but not having to change firewall rules,
> application ACLs, ... but to force their connections (unless
> otherwise changed) to the primary jail IP they had been used for
> years, as well as for people preferring to implement similar policies.
>
> Note that for IPv6, if configured incorrectly, this might lead to
> scope violations, which single-IPv6 jails could as well, as by the
> design of jails. [1]
>
> Note that in contrast to FreeBSD 8.x and newer, where we have
> per-jail options, the sysctls are global for all jails.
>
> Reviewed by: jamie, hrs (ipv6 part) [for HEAD]
> Pointed out by: hrs [1]
> Tested by: Jase Thew (bazerka beardz.net) (IPv4)
>
> Approved by: re (kib)
>
> Modified:
> stable/7/sys/kern/kern_jail.c
> stable/7/sys/netinet/in_pcb.c
> stable/7/sys/netinet6/in6_src.c
> stable/7/sys/sys/jail.h
> stable/7/usr.sbin/jail/jail.8
> Directory Properties:
> stable/7/sys/ (props changed)
> stable/7/sys/cddl/contrib/opensolaris/ (props changed)
> stable/7/sys/contrib/dev/acpica/ (props changed)
> stable/7/sys/contrib/pf/ (props changed)
> stable/7/usr.sbin/jail/ (props changed)
>
>
Many thanks!
Regards,
Jase.