From owner-svn-src-all@FreeBSD.ORG Wed Jul 29 17:18:05 2009 Return-Path: Delivered-To: svn-src-all@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 089041065674; Wed, 29 Jul 2009 17:18:05 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from gritton.org (gritton.org [161.58.222.4]) by mx1.freebsd.org (Postfix) with ESMTP id C54D38FC0C; Wed, 29 Jul 2009 17:18:04 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from guppy.corp.verio.net (fw.oremut02.us.wh.verio.net [198.65.168.24]) (authenticated bits=0) by gritton.org (8.13.6.20060614/8.13.6) with ESMTP id n6TH53H8005661; Wed, 29 Jul 2009 11:05:03 -0600 (MDT) Message-ID: <4A70813A.6020502@FreeBSD.org> Date: Wed, 29 Jul 2009 11:04:58 -0600 From: Jamie Gritton User-Agent: Thunderbird 2.0.0.19 (X11/20090109) MIME-Version: 1.0 To: Sam Leffler References: <200907291641.n6TGf2mb076622@svn.freebsd.org> <4A707DF5.5050108@errno.com> In-Reply-To: <4A707DF5.5050108@errno.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org Subject: Re: svn commit: r195944 - head/sys/kern X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jul 2009 17:18:05 -0000 Sam Leffler wrote: > Jamie Gritton wrote: >> Author: jamie >> Date: Wed Jul 29 16:41:02 2009 >> New Revision: 195944 >> URL: http://svn.freebsd.org/changeset/base/195944 >> >> Log: >> Change the default value of the "ip4" and "ip6" jail parameters to >> "disable", which only allows access to the parent/physical system's >> IP addresses when specifically directed. Change the default value of >> "host" to "new", and don't copy the parent host values, to insulate >> jails from the parent hostname et al. > > This does not say why you're making these changes; please explain. My apologies. The ip4/6 change fixed an error with the old-style command line of jail(8), where specifying IPv4 address(es) but not IPv6 addresses would allow access to the full IPv6 stack, a regression from 7.2 which allows only specifically noted IPv6 addresses. This could have been fixed in jail(8), but the default to act like the current jail implementation even for new-style command lines made more sense, and the kernel is the place for such policy points. The host change arose from a discrepancy between the it and the "linux" parameters that control the Linux MIB entries. These had different defaults for no reason other than I coded them at different times without a lot of thought as to what the most reasonable default would be. I also made a cleaner break with the parent system when one value (typically host.hostname) is set and the others aren't - it didn't make sense to copy some and set others. - Jamie