Date: Mon, 4 Aug 2003 08:35:31 -0400 (EDT)
From: Robert Watson <rwatson@freebsd.org>
To: Rus Foster <rghf@fsck.me.uk>
Cc: current@freebsd.org
Subject: Re: Any patch for ICMP in a jail?
Message-ID: <Pine.NEB.3.96L.1030804083230.49165B-100000@fledge.watson.org>
In-Reply-To: <20030804020003.X73591@thor.65535.net>

On Mon, 4 Aug 2003, Rus Foster wrote:

> Is there a patch that will allow ping from inside a jail on 5.x? Google
> didn't show anything?

The problem is that, to generate pings, you have to have access to a raw socket. And unfortunately, raw sockets imply access to a lot more than just the ability to send/receive ICMP: a number of management components in the IP stack assume that if you have a raw socket, you're also allowed to configure those components. Take a look at rip_ctloutput() in raw_ip.c for some examples.

We have some local in-progress changes to modify this as part of our capabilities work, but there's no timeline for integrating it. The best short-term suggestion would be to write a privilege-separated ping tool -- a pingd running outside the jail, providing UNIX domain sockets in each jail that needs the ability to ping; ping then becomes a client that RPC's to pingd.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
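
An added example, not part of the message above and not FreeBSD code: the request validation that a pingd of the kind suggested would need on its per-jail UNIX domain socket, so that the jailed client can name a destination and a count but never touch the raw socket itself. The wire format, the count limit and all function names are assumptions.

```c
/* Added example; wire format "PING <ipv4> <count>\n" and names are assumed. */
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define PINGD_MAX_COUNT 10  /* bound the work one jailed request can cause */
struct ping_req { struct in_addr dst; int count; };

/* Accept only a destination and a bounded count, so nothing resembling a
 * socket option crosses the jail boundary. Returns 0 if valid, else -1. */
int pingd_parse_request(const char *line, struct ping_req *out)
{
    char addr[INET_ADDRSTRLEN], *end;
    const char *sp;
    long n;

    if (strncmp(line, "PING ", 5) != 0 || (sp = strchr(line + 5, ' ')) == NULL)
        return -1;
    if ((size_t)(sp - (line + 5)) >= sizeof(addr))
        return -1;
    memcpy(addr, line + 5, (size_t)(sp - (line + 5)));
    addr[sp - (line + 5)] = '\0';
    /* strtol alone would accept a sign or leading space, so require a digit */
    if (inet_pton(AF_INET, addr, &out->dst) != 1 || sp[1] < '0' || sp[1] > '9')
        return -1;
    n = strtol(sp + 1, &end, 10);
    if (end[0] != '\n' || end[1] != '\0' || n < 1 || n > PINGD_MAX_COUNT)
        return -1;
    out->count = (int)n;
    return 0;
}

/* Daemon side of one connection on a per-jail UNIX socket: read, validate,
 * answer OK/ERR. Only the caller, outside the jail, holds the raw socket. */
int pingd_read_request(int fd, struct ping_req *req)
{
    char buf[64];
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    int ok;

    if (n <= 0 || memchr(buf, '\0', (size_t)n) != NULL)
        return -1;
    buf[n] = '\0';
    ok = pingd_parse_request(buf, req) == 0;
    if (write(fd, ok ? "OK\n" : "ERR\n", ok ? 3 : 4) < 0)
        return -1;
    return ok ? 0 : -1;
}
```

On success the daemon would send the echo requests on its own raw ICMP socket and relay the results; that part needs privilege and is left to the caller.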