From: doug
Reply-To: doug@safeport.com
To: Matthew Seaman
cc: freebsd-questions@freebsd.org
Date: Sun, 4 Dec 2016 13:00:44 -0500 (EST)
Subject: Re: Can't ping in jail
In-Reply-To: <8d283142-a8e8-fed5-0ab4-57960dfbb304@FreeBSD.org>
References: <584368A1.5080206@gmail.com> <5843788A.2080902@gmail.com> <8d283142-a8e8-fed5-0ab4-57960dfbb304@FreeBSD.org>

On Sun, 4 Dec 2016, Matthew Seaman wrote:

> On 04/12/2016 01:59, Ernie Luzar wrote:
>> This post sheds a lot of light on your problem. ezjail uses the legacy
>> method with definition statements in /etc/rc.conf and qjail uses the
>> modern way using /etc/jail.conf. qjail is a fork of ezjail so many
>> things will feel the same moving to qjail. The ezjail and qjail
>> directory trees are named differently and use different internal control
>> files, so you would have to build your qjail jails anew. qjail and ezjail
>> can both run on the same host at the same time, just using different jail
>> IP addresses.
>>
>> Both methods have statements for enabling allow_raw_sockets on a
>> jail-by-jail basis, which is the way it should be done. The sysctl knob
>> has to be issued on the host where the jails are, not the gateway host
>> connected to the public network.
>>
>> ezjail requires manual starting and stopping of the IP alias for the jail.
>> qjail does all that for you without you having to take any actions.
>>
>> There is a qjail version for 9.x systems, but it's outdated and at EOL.
>
> The jail management system that has been attracting a lot of attention
> and favourable comment recently is iocage. The original version was
> written in /bin/sh and this is what is in ports as sysutils/iocage or
> sysutils/iocage-devel. The authors are intending to rewrite it in a
> different language though.

From this I hear that the file system and, more specifically, the various
jail management interfaces, which I understand as basically an abstraction
layer to interface with the basic jail structure, have an impact on the way
raw sockets are handled in the network stack. It was/is my general
understanding that best-practice O/S design would and does generally follow
the layers underlying the original ARPANET design. So that's not the case
with the jail implementation??
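As an added illustration, not taken from this thread or from the qjail/ezjail projects, this is what the per-jail form Ernie describes looks like in the /etc/jail.conf style: raw sockets are off by default on the host and switched on for exactly one jail. The jail names, paths and addresses are placeholders, and the legacy rc.conf line in the note after the block is from memory rather than from the thread.

```conf
# /etc/jail.conf (added example; jail names, path and addresses are placeholders)
#
# Defaults shared by every jail on this host. Raw sockets stay off here,
# so a jail only gets them if its own block asks for them.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";
allow.raw_sockets = 0;

# Only this jail may open raw sockets (what ping/traceroute need inside it).
www {
    host.hostname = "www.example.org";
    ip4.addr = 192.0.2.10;
    allow.raw_sockets = 1;
}

# This jail inherits the default and cannot ping, which is the intended
# state for a service that has no reason to craft ICMP or other raw packets.
db {
    host.hostname = "db.example.org";
    ip4.addr = 192.0.2.11;
}
```

The legacy rc.conf-style equivalent (the form ezjail writes into its per-jail config file) is a per-jail `export jail_www_parameters="allow.raw_sockets=1"` line rather than a host-wide sysctl. Either way the setting lives on the host that runs the jail, and `jls -j www allow.raw_sockets` run there shows whether it took effect.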