From: Jamie Gritton <jamie@FreeBSD.org>
To: Glen Barber
Cc: jail@FreeBSD.org
Date: Wed, 26 May 2010 13:03:55 -0600
Subject: Re: jail(8) allow.socket_af, unknown oid
Message-ID: <4BFD709B.5090409@FreeBSD.org>
In-Reply-To: <4BFD5EDC.6060208@gmail.com>
References: <20100525175412.GA75052@orion.glenbarber.us> <4BFD52F1.9030704@FreeBSD.org> <4BFD5EDC.6060208@gmail.com>
List-Id: "Discussion about FreeBSD jail(8)" <freebsd-jail@freebsd.org>

I think the current situation should be sufficient, where the only mention of
the parameter sysctls is the note that you can see them via
"sysctl -d security.jail.param". The move toward jail parameters is also a
move away from using sysctl variables for the same purpose. In this new jail
order, the only useful jail-related sysctls are security.jail.jailed and
security.jail.max_af_ips, which are both mentioned in the "Sysctl MIB Entries"
section of the man page.
I don't want to worry about the sysctls that have been obsoleted by jail
parameters.

- Jamie

On 05/26/10 11:48, Glen Barber wrote:
> Thanks for the explanation. Would there be opposition about a patch for
> jail(8) noting which sysctls are tunable by sysctl(8) and which are not?
>
> On 5/26/10 12:57 PM, Jamie Gritton wrote:
>> On 05/25/10 11:54, Glen Barber wrote:
>>> The jail(8) man page has an entry under 'allow.*', allow.socket_af,
>>> which states to allow access to protocol stacks that have not had jail
>>> functionality added to them.
>>>
>>> [snip]
>>>
>>> Is this sysctl missing, or is it not a tunable?
>>
>> The sysctls that describe available jail parameters don't always have a
>> type that sysctl(8) understands. In particular, the boolean parameters
>> are given a sysctl type of "B", and sysctl(8) will ignore them.
>>
>> These aren't useful sysctls in any normal way - they never have a
>> meaningful value. They exist only so their types and sizes can be
>> determined by jail(8) and jail(3).
>>
>> As per the jail(8) man page, you can use "sysctl -d" to show sysctl
>> descriptions without the value. Since it's only the values that
>> sysctl(8) doesn't understand, such parameters as allow.sock_af will then
>> show up.
>>
>> Or, in a short answer to your last question: this isn't a tunable in the
>> normal sysctl way, just a jail parameter.
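As an added illustration of the distinction drawn in this thread (not part of the original message), here is how allow.socket_af is set as a jail parameter rather than through sysctl(8). The jail name, path, hostname and address are placeholder values; the jail.conf(5) file format is assumed to be available, which is the case on FreeBSD releases later than the one discussed here (on 8.x the same name=value parameters are passed on the jail(8) command line).

```conf
# Constructed jail.conf(5) entry; every value below is a placeholder.
#
# The parameter is described, but has no settable value, under the
# security.jail.param sysctl tree:
#   sysctl -d security.jail.param.allow.socket_af   # shows the description
#   sysctl security.jail.param.allow.socket_af      # not a tunable: no value
# It is applied per jail by jail(8), as here.
myjail {
    path = "/usr/jails/myjail";
    host.hostname = "myjail.example.org";
    ip4.addr = 192.0.2.10;

    # Jail parameter, not a sysctl(8) tunable: grants access to protocol
    # families that have not had jail functionality added to them.
    # Leave it off unless the jail genuinely needs such a protocol family.
    allow.socket_af = false;

    # Other boolean parameters use the same name = true/false form.
    allow.raw_sockets = false;
}
```

Because the value lives in the jail's own parameter set, checking or changing it is done with jls(8) and jail(8) -m, not with sysctl(8).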