Date:      Sat, 28 Apr 2001 19:54:17 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.ORG>
To:        scanner@jurai.net
Cc:        Poul-Henning Kamp <phk@critter.freebsd.dk>, freebsd-arch@FreeBSD.ORG
Subject:   Re: jailNG 
Message-ID:  <Pine.NEB.3.96L.1010428195253.89482E-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.21.0104281944550.84976-100000@sasami.jurai.net>

On Sat, 28 Apr 2001 scanner@jurai.net wrote:

> It is my understanding from the OpenRoot project that jail currently
> does not allow ICMP to work inside a jail? If this is so, this seriously
> damages services that need Path MTU-D such as SMTP and HTTP. Surely this
> is not the case? Can someone enlighten me on this. 

The jail() code doesn't allow user applications to open raw sockets
permitting direct use of ICMP by user processes, but all of the normal use
of ICMP by the network stack directly is uninhibited.  This means that
things like PMTU discovery work just fine, but applications such as ping
do not work in jail().  It's possible to imagine modifications to the raw
socket behavior that might permit use of it from within jail(), but
there's a whole can of worms there that we're not willing to spend too
much time on at this point.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
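
The distinction described in the reply above, as an added example that is not part of the original message or of the FreeBSD source: a small C probe, run as root inside and outside a jail, shows which socket types the process may create. The function names (classify_errno, probe_socket), the verdict labels and the errno-to-verdict mapping are this example's own assumptions.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum probe_result { PROBE_ALLOWED, PROBE_DENIED, PROBE_UNSUPPORTED, PROBE_ERROR };

/* Map the errno from socket(2) to a verdict (0 means the call succeeded).
 * Assumption of this example: EPERM/EACCES are read as a privilege refusal. */
enum probe_result classify_errno(int err)
{
    switch (err) {
    case 0:               return PROBE_ALLOWED;
    case EPERM:
    case EACCES:          return PROBE_DENIED;
    case EPROTONOSUPPORT:
    case EAFNOSUPPORT:    return PROBE_UNSUPPORTED;
    default:              return PROBE_ERROR;
    }
}

/* Try to create one AF_INET socket; return 0 on success or errno on failure. */
int probe_socket(int type, int proto)
{
    int fd = socket(AF_INET, type, proto);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    static const char *verdict[] = { "allowed", "denied", "unsupported", "error" };
    struct { const char *what; int type, proto; } probes[] = {
        { "raw ICMP (what ping needs)", SOCK_RAW,    IPPROTO_ICMP },
        { "TCP stream (SMTP, HTTP)",    SOCK_STREAM, IPPROTO_TCP  },
        { "UDP datagram",               SOCK_DGRAM,  IPPROTO_UDP  },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int err = probe_socket(probes[i].type, probes[i].proto);
        printf("%-28s %s%s%s\n", probes[i].what, verdict[classify_errno(err)],
               err ? ": " : "", err ? strerror(err) : "");
    }
    return 0;
}
```

A "denied" verdict on the raw ICMP line alongside "allowed" on the TCP line matches the behaviour the reply describes: ping cannot run, while TCP services still get Path MTU discovery from the kernel's own ICMP handling.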






