Date: Thu, 25 Nov 2010 22:41:36 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Steve Polyack <korvus@comcast.net>
Cc: freebsd-net@freebsd.org, "Brian A. Seklecki" <bseklecki@collaborativefusion.com>, User Questions <freebsd-questions@freebsd.org>
Subject: Re: Jail source address selection in 8.1-RELEASE
Message-ID: <20101125224035.K24596@maildrop.int.zabbadoz.net>
In-Reply-To: <4CED50E0.7020205@comcast.net>
References: <4CED50E0.7020205@comcast.net>

On Wed, 24 Nov 2010, Steve Polyack wrote:

Hi,

> There appears to be a loosely documented sysctl
> 'security.jail.param.ip4.saddrsel' which should limit source IP selection of
> jails to their primary jail interface/IP. The sysctl does not appear to do
> anything, however:
>
> # sysctl security.jail.param.ip4.saddrsel=0
> ->
> # echo $?
> 0
> # sysctl security.jail.param.ip4.saddrsel
> #
> # sysctl -d security.jail.param.ip4.saddrsel
> security.jail.param.ip4.saddrsel: Do (not) use IPv4 source address selection
> rather than the primary jail IPv4 address.
>
> Is this tunable only available when VIMAGE jails are built? The 8.1-RELEASE
> Release Notes suggest it is for VIMAGE jail(8) containers, while 7.3-RELEASE
> Release Notes suggest that it is available for the entire jail(8) subsystem
> as 'security.jail.ip4_saddrsel', a different OID.

Don't use the sysctl; the param tree only tells you which options are
available; ip4.saddrsel is an option to the jail -c|-m command.

/bz

-- 
Bjoern A. Zeeb
Welcome a new stage of life.
<ks> Going to jail sucks -- <bz> All my daemons like it!
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html