From: Jase Thew
To: svn-src-all@freebsd.org
Date: Sun, 24 Jan 2010 16:05:56 +0000
Subject: Re: svn commit: r202924 - in stable/7: sys/kern sys/netinet sys/netinet6 sys/sys usr.sbin/jail
Message-ID: <4B5C6FE4.5050306@beardz.net>
In-Reply-To: <201001241405.o0OE5u9m049481@svn.freebsd.org>

On 24/01/2010 14:05, Bjoern A. Zeeb wrote:
> Author: bz
> Date: Sun Jan 24 14:05:56 2010
> New Revision: 202924
> URL: http://svn.freebsd.org/changeset/base/202924
>
> Log:
>   MFC r202468:
>
>   Add security.jail.ip4_saddrsel/ip6_nosaddrsel sysctls to control
>   whether to use source address selection (default) or the primary
>   jail address for unbound outgoing connections.
>
>   This is intended to be used by people upgrading from single-IP
>   jails to multi-IP jails but not having to change firewall rules,
>   application ACLs, ... but to force their connections (unless
>   otherwise changed) to the primary jail IP they had been used for
>   years, as well as for people preferring to implement similar policies.
>
>   Note that for IPv6, if configured incorrectly, this might lead to
>   scope violations, which single-IPv6 jails could as well, as by the
>   design of jails. [1]
>
>   Note that in contrast to FreeBSD 8.x and newer, where we have
>   per-jail options, the sysctls are global for all jails.
>
>   Reviewed by: jamie, hrs (ipv6 part) [for HEAD]
>   Pointed out by: hrs [1]
>   Tested by: Jase Thew (bazerka beardz.net) (IPv4)
>
>   Approved by: re (kib)
>
> Modified:
>   stable/7/sys/kern/kern_jail.c
>   stable/7/sys/netinet/in_pcb.c
>   stable/7/sys/netinet6/in6_src.c
>   stable/7/sys/sys/jail.h
>   stable/7/usr.sbin/jail/jail.8
> Directory Properties:
>   stable/7/sys/ (props changed)
>   stable/7/sys/cddl/contrib/opensolaris/ (props changed)
>   stable/7/sys/contrib/dev/acpica/ (props changed)
>   stable/7/sys/contrib/pf/ (props changed)
>   stable/7/usr.sbin/jail/ (props changed)
>

Many thanks!

Regards,

Jase.