From owner-freebsd-net@FreeBSD.ORG Thu Nov 25 22:45:08 2010
Date: Thu, 25 Nov 2010 22:41:36 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Steve Polyack
Cc: freebsd-net@freebsd.org, "Brian A. Seklecki", User Questions
Subject: Re: Jail source address selection in 8.1-RELEASE
In-Reply-To: <4CED50E0.7020205@comcast.net>
Message-ID: <20101125224035.K24596@maildrop.int.zabbadoz.net>
References: <4CED50E0.7020205@comcast.net>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, 24 Nov 2010, Steve Polyack wrote:

Hi,

> There appears to be a loosely documented sysctl
> 'security.jail.param.ip4.saddrsel' which should limit source IP selection of
> jails to their primary jail interface/IP. The sysctl does not appear to do
> anything, however:
>
> # sysctl security.jail.param.ip4.saddrsel=0
> ->
> # echo $?
> 0
> # sysctl security.jail.param.ip4.saddrsel
> #
> # sysctl -d security.jail.param.ip4.saddrsel
> security.jail.param.ip4.saddrsel: Do (not) use IPv4 source address selection
> rather than the primary jail IPv4 address.
>
> Is this tunable only available when VIMAGE jails are built? The 8.1-RELEASE
> Release Notes suggest it is for VIMAGE jail(8) containers, while 7.3-RELEASE
> Release Notes suggest that it is available for the entire jail(8) subsystem
> as 'security.jail.ip4_saddrsel', a different OID.

Don't use the sysctl; the param tree only tells you which options are
available; ip4.saddrsel is an option to the jail -c|-m command.

/bz

-- 
Bjoern A. Zeeb                                 Welcome a new stage of life.
         Going to jail sucks                  -- All my daemons like it!
         http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
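The point of the reply is that security.jail.param.* only advertises which jail parameters exist; writing to it succeeds silently (exit status 0 above) and changes nothing. The setting is applied per jail, as a jail(8) parameter. The script below is an added example, not part of the thread or of FreeBSD's own code: it builds the parameter list for a new jail with ip4.saddrsel=0 (so sockets inside the jail bind to the primary jail IPv4 address), applies the same parameter to an already running jail with jail -m, and reads the value the kernel actually recorded back with jls(8) so the change can be confirmed rather than assumed. The jail name, path, hostname and 192.0.2.10 address are constructed placeholders; the jail(8)/jls(8) invocations only run where those tools exist, and the parameter-list helpers are plain text processing so they work anywhere.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): set ip4.saddrsel as a
# jail(8) parameter instead of through the security.jail.param sysctl tree,
# then verify the effective value with jls(8).
# Jail name, path, hostname and address are constructed placeholders.

JAIL_NAME="saddrsel-demo"
JAIL_PATH="/usr/jails/saddrsel-demo"
JAIL_HOST="saddrsel-demo.example.invalid"
JAIL_IP="192.0.2.10"          # RFC 5737 documentation address, placeholder

# Emit the parameter list (one name=value per line) for a new jail whose
# sockets always use the primary jail IPv4 address. ip4.saddrsel=0 disables
# source address selection for this jail; "persist" keeps a jail alive when
# jail -c is run without a command.
build_jail_params() {
    name=$1; path=$2; host=$3; ip=$4
    printf '%s\n' \
        "name=$name" \
        "path=$path" \
        "host.hostname=$host" \
        "ip4.addr=$ip" \
        "ip4.saddrsel=0" \
        "persist"
}

# Read a parameter list on stdin and print the value assigned to $1, or
# "unset" if the parameter is absent. Pure text processing, testable without
# a FreeBSD kernel.
param_value() {
    key=$1
    awk -F= -v k="$key" '$1 == k { print $2; found = 1 }
                         END { if (!found) print "unset" }'
}

# Create the jail. jail -c accepts name=value parameters on the command line.
create_jail() {
    command -v jail >/dev/null 2>&1 || { echo "jail(8) not available" >&2; return 1; }
    # shellcheck disable=SC2046  # intentional word splitting of the list
    jail -c $(build_jail_params "$JAIL_NAME" "$JAIL_PATH" "$JAIL_HOST" "$JAIL_IP" | tr '\n' ' ')
}

# Turn source address selection off for a jail that is already running:
# jail -m modifies an existing jail identified by its name parameter.
disable_saddrsel_running() {
    command -v jail >/dev/null 2>&1 || { echo "jail(8) not available" >&2; return 1; }
    jail -m name="$1" ip4.saddrsel=0
}

# Ask the kernel what it recorded for this jail; jls prints the requested
# parameter for the jail selected with -j (jid or name).
verify_saddrsel() {
    command -v jls >/dev/null 2>&1 || { echo "jls(8) not available" >&2; return 1; }
    jls -j "$1" ip4.saddrsel
}

# Usage on a FreeBSD host (kept as comments so the file is safe to source):
#   create_jail && verify_saddrsel "$JAIL_NAME"
#   disable_saddrsel_running some-existing-jail && verify_saddrsel some-existing-jail
```

After either call, the jls line is the check worth keeping in a hardening script: it reports the parameter as the jail carries it, while `sysctl security.jail.param.ip4.saddrsel` will keep printing nothing useful whatever you assign to it.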