Date: Sun, 24 Jan 2010 14:05:56 +0000 (UTC)
From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: cvs-src-old@freebsd.org
Subject: cvs commit: src/sys/kern kern_jail.c src/sys/netinet in_pcb.c src/sys/netinet6 in6_src.c src/sys/sys jail.h src/usr.sbin/jail jail.8
Message-ID: <201001241408.o0OE8cs2058983@repoman.freebsd.org>

bz          2010-01-24 14:05:56 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_7)
    sys/kern             kern_jail.c
    sys/netinet          in_pcb.c
    sys/netinet6         in6_src.c
    sys/sys              jail.h
    usr.sbin/jail        jail.8
  Log:
  SVN rev 202924 on 2010-01-24 14:05:56Z by bz

  MFC r202468:

   Add security.jail.ip4_saddrsel/ip6_nosaddrsel sysctls to control whether
   to use source address selection (default) or the primary jail address for
   unbound outgoing connections.

   This is intended to be used by people upgrading from single-IP jails to
   multi-IP jails but not having to change firewall rules, application ACLs, ...
   but to force their connections (unless otherwise changed) to the primary
   jail IP they had been used for years, as well as for people preferring to
   implement similar policies.

   Note that for IPv6, if configured incorrectly, this might lead to scope
   violations, which single-IPv6 jails could as well, as by the design of
   jails. [1]

   Note that in contrast to FreeBSD 8.x and newer, where we have per-jail
   options, the sysctls are global for all jails.

  Reviewed by:    jamie, hrs (ipv6 part) [for HEAD]
  Pointed out by: hrs [1]
  Tested by:      Jase Thew (bazerka beardz.net) (IPv4)
  Approved by:    re (kib)

  Revision    Changes    Path
  1.70.2.11   +82 -0     src/sys/kern/kern_jail.c
  1.196.2.28  +7 -0      src/sys/netinet/in_pcb.c
  1.46.2.12   +7 -0      src/sys/netinet6/in6_src.c
  1.29.2.7    +2 -0      src/sys/sys/jail.h
  1.84.2.4    +10 -1     src/usr.sbin/jail/jail.8