From owner-freebsd-current@FreeBSD.ORG Mon Aug 4 05:36:43 2003
Date: Mon, 4 Aug 2003 08:35:31 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Rus Foster
cc: current@freebsd.org
In-Reply-To: <20030804020003.X73591@thor.65535.net>
Subject: Re: Any patch for ICMP in a jail?
List-Id: Discussions about the use of FreeBSD-current

On Mon, 4 Aug 2003, Rus Foster wrote:

> Is there a patch that will allow ping from inside a jail on 5.x? Google
> didn't show anything?

The problem is that, to generate pings, you have to have access to a raw socket. And unfortunately, raw sockets imply access to a lot more than just the ability to send/receive ICMP: a number of management components in the IP stack assume that if you have a raw socket, you're also allowed to configure those components. Take a look at rip_ctloutput() in raw_ip.c for some examples.
We have some local in-progress changes to modify this as part of our capabilities work, but there's no timeline for integrating it. The best short-term suggestion would be to write a privilege-separated ping tool -- a pingd running outside the jail, providing UNIX domain sockets in each jail that needs the ability to ping; ping then becomes a client that RPCs to pingd.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
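A sketch of the privilege-separated split described in the reply above, added here as an example and not code from the thread or from FreeBSD: an unprivileged client inside the jail sends a narrow request over an AF_UNIX socket, and pingd outside the jail validates it before touching anything privileged, so the jail gains only "send up to N echo requests to one address" rather than the wider raw-socket powers rip_ctloutput() exposes. The JSON request format, the field names and the fake_send_icmp stand-in for the real raw-socket sender are my own assumptions for the demo.

```python
import ipaddress
import json
import socket

MAX_COUNT = 5  # assumed policy: a jail may request at most 5 echo requests per call


def validate_request(raw: bytes) -> dict:
    """pingd side: accept only {"op": "ping", "host": <IP literal>, "count": 1..MAX_COUNT}.
    Anything else is rejected before any privileged operation happens."""
    try:
        req = json.loads(raw.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        raise ValueError("malformed request")
    if not isinstance(req, dict) or set(req) != {"op", "host", "count"}:
        raise ValueError("unexpected fields")
    if req["op"] != "ping":
        raise ValueError("unsupported op")  # no setsockopt-style knobs are reachable
    if not isinstance(req["host"], str):
        raise ValueError("host must be a string")
    host = ipaddress.ip_address(req["host"])  # raises ValueError on non-addresses
    count = req["count"]
    if type(count) is not int or not 1 <= count <= MAX_COUNT:
        raise ValueError("count out of range")
    return {"host": str(host), "count": count}


def serve_one(conn: socket.socket, send_icmp) -> None:
    """pingd side: read one request, validate, call the privileged sender, reply."""
    try:
        req = validate_request(conn.recv(4096))
        reply = {"ok": True, "rtt_ms": send_icmp(req["host"], req["count"])}
    except ValueError as err:
        reply = {"ok": False, "error": str(err)}
    conn.sendall(json.dumps(reply).encode("ascii"))


def fake_send_icmp(host: str, count: int) -> list:
    """Constructed stand-in for the raw-socket code that would run as root outside the jail."""
    return [1.0] * count


def roundtrip(request: dict, send_icmp=fake_send_icmp) -> dict:
    """Run one jail-side request through pingd over an AF_UNIX socket pair (single-threaded demo)."""
    daemon_side, jail_side = socket.socketpair()
    jail_side.sendall(json.dumps(request).encode("ascii"))  # client inside the jail
    serve_one(daemon_side, send_icmp)                        # pingd outside the jail
    reply = json.loads(jail_side.recv(4096).decode("ascii"))
    daemon_side.close()
    jail_side.close()
    return reply
```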