Date: Thu, 3 Jan 2013 13:23:55 -0800
From: David Thiel <lx@FreeBSD.org>
To: Jamie Gritton <jamie@FreeBSD.org>
Cc: freebsd-net@FreeBSD.org, "Bjoern A. Zeeb" <bz@FreeBSD.org>, FreeBSD-Jail <freebsd-jail@FreeBSD.org>
Subject: Re: kern/68189 and kern/169751: what jails are allowed to see in a routing socket
Message-ID: <20130103212355.GA37196@redundancy.redundancy.org>
In-Reply-To: <50E5C468.7080700@FreeBSD.org>
References: <50E4F7A9.4070900@FreeBSD.org> <alpine.BSF.2.00.1301030926030.4401@ai.fobar.qr> <50E5C468.7080700@FreeBSD.org>
On Thu, Jan 03, 2013 at 10:48:24AM -0700, Jamie Gritton wrote:
> On 01/03/13 02:36, Bjoern A. Zeeb wrote:
> > Meanwhile your suggestion might be ok given simple enough, but I wonder
> > if a different flag would be helpful still. I would not be able to
> > "trust" (the little that is possible anyway) raw_sockets anymore if they
> > suddenly could fiddle with the routing table - even read-only, should
> > that really be enough.
> > I would explicitly advertise it as 'do not use - will go away again'
> > feature and it should the moment vnets are declared non-experimental.
>
> Well I'd rather not introduce something as a stopgap. Either this is
> worth doing or it isn't. It does make sense to at least make sure it
> works with VNET.

Hello all,

Thanks for your consideration of the issue. I don't think it would necessarily have to be a stopgap - I think something like jail.socket_allow_readroute, default 0, wouldn't hurt anything and would definitely help some folks, as this issue has arisen for multiple people over the years.

While I agree that vnets will be a great future solution, I think that the very existence of unixiproute_only is kind of problematic, as it implies that jails should be able to use routing sockets by default (read-only, presumably). If we don't want to allow that, should it at least be slated to rename/redocument this sysctl at some point in the future? Or is it intended that VNET totally replace old jail infrastructure, obviating the need for that sysctl at all?

-David