Date:      Thu, 31 Oct 2013 14:35:33 +0000
From:      Jase Thew <jase@FreeBSD.org>
To:        "Mars G. Miro" <spry@anarchy.in.the.ph>, freebsd-jail@freebsd.org
Subject:   Re: raw sockets on 8.4 jails
Message-ID:  <52726AB5.3000803@FreeBSD.org>
In-Reply-To: <526777CE.8010600@anarchy.in.the.ph>
References:  <526777CE.8010600@anarchy.in.the.ph>

On 23/10/2013 08:16, Mars G. Miro wrote:
> Hi list,
>
> 	On a jail on FreeBSD 8.4R-p4
>
> root@waspb1:~# ping -a 4.2.2.2
> ping: socket: Operation not permitted
> root@waspb1:~# nc -uv 4.2.2.2 53
> Connection to 4.2.2.2 53 port [udp/domain] succeeded!
> ^C
> root@waspb1:~# sysctl security.jail.jailed
> security.jail.jailed: 1
> root@waspb1:~#
>
>
> 	But I have set it properly on the host:
>
> mars@wasp:~% sysctl -a | grep jail
> security.jail.param.cpuset.id: 0
> security.jail.param.host.hostid: 0
> security.jail.param.host.hostuuid: 64
> security.jail.param.host.domainname: 256
> security.jail.param.host.hostname: 256
> security.jail.param.children.max: 0
> security.jail.param.children.cur: 0
> security.jail.param.enforce_statfs: 0
> security.jail.param.securelevel: 0
> security.jail.param.path: 1024
> security.jail.param.name: 256
> security.jail.param.parent: 0
> security.jail.param.jid: 0
> security.jail.enforce_statfs: 2
> security.jail.mount_allowed: 0
> security.jail.chflags_allowed: 1
> security.jail.allow_raw_sockets: 1
> security.jail.sysvipc_allowed: 1
> security.jail.socket_unixiproute_only: 1
> security.jail.set_hostname_allowed: 1
> security.jail.jail_max_af_ips: 255
> security.jail.jailed: 0
>
> mars@wasp:~% uname -a
> FreeBSD wasp.spry.lan 8.4-RELEASE-p4 FreeBSD 8.4-RELEASE-p4 #0: Sun Oct
> 20 16:37:42 PHT 2013     root@XXX:/usr/obj/usr/src/sys/WASP  amd64
> mars@wasp:~%
>
> 	On an 8.3R-p11 machine it works fine.
>
> 	Problem ?
>
>

Hi,

Jails now have their own per-jail properties, so allow.raw_sockets needs
to be passed as a parameter upon jail creation (or alternatively can be
set by modifying an already running jail).

Please refer to jail(8) manpage for further details.

Regards,

Jase.

-- 
Jase Thew
jase@FreeBSD.org
FreeBSD Ports Committer
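
Added example, not part of the original message or of FreeBSD's own tooling: a small sh helper that reports, per jail, whether allow.raw_sockets is granted, and sets it on a running jail with jail -m as the reply describes. The jail names, paths and sample lines are constructed, and the parser assumes `jls -n` prints booleans as `allow.raw_sockets` / `allow.noraw_sockets`.

```shell
#!/bin/sh
# Added example: audit and set the per-jail allow.raw_sockets parameter.
# Assumption: `jls -n` prints one jail per line as space-separated tokens,
# with this boolean shown as "allow.raw_sockets" (granted) or
# "allow.noraw_sockets" (not granted).

# Classify one line of `jls -n` output; prints "<name> on|off|unknown".
raw_socket_state() {
    line=$1
    name="?"
    state="unknown"
    for tok in $line; do
        case $tok in
            name=*)              name=${tok#name=} ;;
            allow.raw_sockets)   state="on" ;;
            allow.noraw_sockets) state="off" ;;
        esac
    done
    printf '%s %s\n' "$name" "$state"
}

# Read `jls -n` output on stdin and report every jail.
audit_raw_sockets() {
    while IFS= read -r line; do
        if [ -n "$line" ]; then
            raw_socket_state "$line"
        fi
    done
}

# Grant raw sockets to one running jail (the "modify" route from the reply).
# Only the jail that needs ping/traceroute should get this; the host-wide
# security.jail.allow_raw_sockets sysctl no longer decides it per jail.
enable_raw_sockets() {
    jail -m "name=$1" allow.raw_sockets=1
}

# Constructed sample of `jls -n` output (hypothetical jails and paths).
SAMPLE='jid=1 name=waspb1 path=/jails/waspb1 allow.noraw_sockets allow.set_hostname
jid=2 name=monitor path=/jails/monitor allow.raw_sockets allow.set_hostname'

# Offline demo: sh thisfile --demo
# On a FreeBSD host: jls -n | audit_raw_sockets
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | audit_raw_sockets
fi
```
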


