Date: Wed, 29 Jul 2009 18:24:02 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Jamie Gritton
Cc: svn-src-head@FreeBSD.org, Sam Leffler, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org
Subject: Re: svn commit: r195944 - head/sys/kern

On Wed, 29 Jul 2009, Jamie Gritton wrote:

Hi,

let me add a few words.

> Sam Leffler wrote:
>> Jamie Gritton wrote:
>>> Author: jamie
>>> Date: Wed Jul 29 16:41:02 2009
>>> New Revision: 195944
>>> URL: http://svn.freebsd.org/changeset/base/195944
>>>
>>> Log:
>>>   Change the default value of the "ip4" and "ip6" jail parameters to
>>>   "disable", which only allows access to the parent/physical system's
>>>   IP addresses when specifically directed.  Change the default value of
>>>   "host" to "new", and don't copy the parent host values, to insulate
>>>   jails from the parent hostname et al.
>>
>> This does not say why you're making these changes; please explain.
>
> My apologies.  The ip4/6 change fixed an error with the old-style
> command line of jail(8), where specifying IPv4 address(es) but not IPv6
> addresses would allow access to the full IPv6 stack, a regression from
> 7.2 which allows only specifically noted IPv6 addresses.

And vice versa for IPv6 only jails and also with no-IP jails where
addresses of both AFs were inherited rather than denied.
This behaviour is actually needed to not break lots of jail setups
with mostly Java[1] and some other apps that have strange defaults and
`understandings' of what dual-stack or socket operations in one of those
means.

It's basically reverting to the old or rather expected defaults of a
jail so that jails can continue to run 1:1 when upgrading from 7 to 8.

At least hoping most (all) things are shaken out now with regard to this.
In case you know anything that doesn't work as expected, now would be
a good time to tell us.

/bz

[1] http://diario.behrens.de/2008/10/12/java_and_ipv6_on_bsd.html

-- 
Bjoern A. Zeeb           The greatest risk is not taking one.