Date: Sat, 28 Apr 2001 19:54:17 -0400 (EDT)
From: Robert Watson <robert@fledge.watson.org>
To: scanner@jurai.net
Cc: Poul-Henning Kamp, freebsd-arch@FreeBSD.ORG
Subject: Re: jailNG

On Sat, 28 Apr 2001 scanner@jurai.net wrote:

> It is my understanding from the OpenRoot project that jail currently
> does not allow ICMP to work inside a jail? If this is so, this seriously
> damages services that need Path MTU-D such as SMTP and HTTP. Surely this
> is not the case? Can someone enlighten me on this.

The jail() code doesn't allow user applications to open raw sockets
permitting direct use of ICMP by user processes, but all of the normal use
of ICMP by the network stack directly is uninhibited. This means that
things like PMTU discovery work just fine, but applications such as ping
do not work in jail(). It's possible to imagine modifications to the raw
socket behavior that might permit use of it from within jail(), but there's
a whole can of worms there that we're not willing to spend too much time on
at this point.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
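The distinction drawn in the reply above, as an added example that is not part of the original message or of the FreeBSD jail code: a small probe that tries to create the socket types involved and reports which ones the current process may open. A raw ICMP socket is what ping(8) needs and is what the 2001 jail code refused; an ordinary TCP socket is what SMTP and HTTP use, and for those the kernel consumes the ICMP "fragmentation needed" messages that Path MTU discovery relies on, so no raw socket is involved. The SOCK_DGRAM/IPPROTO_ICMP probe is a later "unprivileged ping" mechanism (Linux, macOS) added here only as a point of comparison; it is not something the jail code of that era offered, and its result depends on the host (on Linux, on net.ipv4.ping_group_range). The function names are the example's own.

```c
/*
 * Added example (not from the original mailing-list message): probe which
 * socket types this process may create, to show the difference between a
 * user-level raw ICMP socket (what ping needs, refused inside jail()) and
 * the ordinary sockets whose ICMP handling, such as PMTU discovery, the
 * kernel performs on the application's behalf.
 *
 * Outside a jail the raw-socket probe fails with EPERM only for unprivileged
 * users; inside a jail of that era it failed even for root. Run it as a
 * normal user, as root, and inside a container or jail to compare.
 */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to create a socket; return 0 on success, otherwise the errno value. */
int probe_socket(int domain, int type, int protocol)
{
    int fd = socket(domain, type, protocol);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Raw ICMP socket: what ping(8) uses to send echo requests itself. */
int probe_raw_icmp(void)
{
    return probe_socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* ICMP datagram socket: later unprivileged-ping mechanism on Linux/macOS
 * (not available in the 2001 jail code; result is host-dependent). */
int probe_dgram_icmp(void)
{
    return probe_socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
}

/* Plain TCP socket, as used by SMTP and HTTP. The kernel processes the ICMP
 * messages that PMTU discovery depends on for this socket, so the
 * application never needs raw access to ICMP. */
int probe_tcp(void)
{
    return probe_socket(AF_INET, SOCK_STREAM, 0);
}

/* Map a probe result to a short verdict string. */
const char *verdict(int err)
{
    if (err == 0)
        return "allowed";
    if (err == EPERM || err == EACCES)
        return "denied (privilege)";
    return "unavailable";
}

static void report(const char *label, int err)
{
    printf("%-18s: %s (%s)\n", label, verdict(err), err ? strerror(err) : "ok");
}

int main(void)
{
    report("raw ICMP socket", probe_raw_icmp());
    report("ICMP dgram socket", probe_dgram_icmp());
    report("TCP socket", probe_tcp());
    return 0;
}
```

Run once as an unprivileged user and once as root (or inside a jail/container) to see the raw-socket line flip between "denied (privilege)" and "allowed" while the TCP line stays "allowed": that is the situation the reply describes, where ping breaks but PMTU-dependent services keep working.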