Date:      Thu, 22 Apr 2004 11:21:20 +0000
From:      "Devon H. O'Dell" <dodell@sitetronics.com>
To:        "Christian S.J. Peron" <maneo@bsdpro.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: [patch] Raw sockets in jails
Message-ID:  <20040422112120.GB888@sitetronics.com>
In-Reply-To: <20040420200027.A51891@staff.seccuris.com>
References:  <20040420015638.A84821@staff.seccuris.com> <14522.1082452837@critter.freebsd.dk> <20040420200027.A51891@staff.seccuris.com>

Christian S.J. Peron <maneo@bsdpro.com> scribbled:
> Poul/group
> 
> The following patch makes raw sockets comply with prison IP addresses.
> Some tools such as traceroute(8) may require that the prison IP address
> be specified on the command line. I.E.
> 
> 	traceroute -s <prison ip> <dest address>
> 
> Otherwise it might fail.
> 
> (because of this we may want to get rid of the
>  create_raw_sockets MIB altogether).
> 
> Anyway, take a gander at it (testers feedback welcome):
> 
> Regards
> Christian S.J. Peron

Nice work! It doesn't seem that it would be very difficult to get this
to comply with Pawel's multiple IPs in jail patch, but it would have to
be optimized a bit as the IPs are currently stored in a linked list in
his patch and traversing that list to determine whether the IP complies
with the jail's allotted IP range is sub-optimal (as it would have to be
done on a per-packet basis). If we could store those IPs in a hash table
with a fast algorithm for O(1) lookup times, the prison subsystem would
experience significant feature improvements.

-- 
Kind regards,

Devon H. O'Dell             |         dodell@sitetronics.com
ICQ: 2903604                | IRC: dho@freenode/dodell@efnet
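
The following C example is added here for illustration; it is not part of the e-mail above and is not code from either patch or from FreeBSD. It shows the kind of per-jail address set the reply describes: a fixed-size open-addressing hash table giving expected constant-time membership checks on the per-packet path. All names, the table size and the IPv4-only scope are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names throughout; not FreeBSD's struct prison or either patch. */
#define JAIL_IP_SLOTS 64u                 /* power of two, kept at most half full */
#define JAIL_IP_MAX   (JAIL_IP_SLOTS / 2)

struct jail_ipset {
    uint32_t addr[JAIL_IP_SLOTS];         /* IPv4 address as a 32-bit value */
    uint8_t  used[JAIL_IP_SLOTS];         /* 1 if the slot holds an address */
    size_t   count;
};

/* Multiplicative hash: the top 6 bits of the product select one of 64 slots. */
static uint32_t jail_ip_hash(uint32_t ip) { return (ip * 2654435761u) >> 26; }

/* Slow path, run when the jail is configured. Returns 0 on success, -1 if full. */
static int jail_ipset_add(struct jail_ipset *s, uint32_t ip)
{
    uint32_t i = jail_ip_hash(ip);
    while (s->used[i]) {
        if (s->addr[i] == ip) return 0;   /* already present */
        i = (i + 1) & (JAIL_IP_SLOTS - 1);
    }
    if (s->count >= JAIL_IP_MAX) return -1;  /* refuse rather than slow lookups */
    s->addr[i] = ip;
    s->used[i] = 1;
    s->count++;
    return 0;
}

/* Fast path, run per packet: is this source address assigned to the jail? */
static int jail_ipset_contains(const struct jail_ipset *s, uint32_t ip)
{
    for (uint32_t i = jail_ip_hash(ip); s->used[i]; i = (i + 1) & (JAIL_IP_SLOTS - 1))
        if (s->addr[i] == ip) return 1;
    return 0;                             /* unknown address: deny */
}

int main(void)
{
    struct jail_ipset s = {0};
    jail_ipset_add(&s, 0xC0000201u);      /* constructed sample: 192.0.2.1 */
    jail_ipset_add(&s, 0xC0000202u);      /* constructed sample: 192.0.2.2 */
    printf("192.0.2.2 allowed: %d\n", jail_ipset_contains(&s, 0xC0000202u));
    printf("192.0.2.9 allowed: %d\n", jail_ipset_contains(&s, 0xC0000209u));
    return 0;
}
```

Keeping the table at most half full guarantees every probe sequence reaches an empty slot, so a lookup for an address that is not in the set always terminates and is denied.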
