Date:      Wed, 29 Jul 2009 18:24:02 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        Jamie Gritton <jamie@FreeBSD.org>
Cc:        svn-src-head@FreeBSD.org, Sam Leffler <sam@errno.com>, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org
Subject:   Re: svn commit: r195944 - head/sys/kern
Message-ID:  <20090729181634.E245@maildrop.int.zabbadoz.net>
In-Reply-To: <4A70813A.6020502@FreeBSD.org>
References:  <200907291641.n6TGf2mb076622@svn.freebsd.org> <4A707DF5.5050108@errno.com> <4A70813A.6020502@FreeBSD.org>

On Wed, 29 Jul 2009, Jamie Gritton wrote:

Hi,

let me add a few words.

> Sam Leffler wrote:
>> Jamie Gritton wrote:
>>> Author: jamie
>>> Date: Wed Jul 29 16:41:02 2009
>>> New Revision: 195944
>>> URL: http://svn.freebsd.org/changeset/base/195944
>>> 
>>> Log:
>>>   Change the default value of the "ip4" and "ip6" jail parameters to
>>>   "disable", which only allows access to the parent/physical system's
>>>   IP addresses when specifically directed.  Change the default value of
>>>   "host" to "new", and don't copy the parent host values, to insulate
>>>   jails from the parent hostname et al.
>> 
>> This does not say why you're making these changes; please explain.
>
> My apologies.  The ip4/6 change fixed an error with the old-style
> command line of jail(8), where specifying IPv4 address(es) but not IPv6
> addresses would allow access to the full IPv6 stack, a regression from
> 7.2 which allows only specifically noted IPv6 addresses.

And vice versa for IPv6 only jails and also with no-IP jails where
addresses of both AFs were inherited rather than denied.

This behaviour is actually needed to not break lots of jail setups
with mostly Java[1] and some other apps that have strange defaults and
`understandings' of what dual-stack or socket operations in one of
those means.

It's basically reverting to the old or rather expected defaults of a
jail so that jails can continue to run 1:1 when upgrading from 7 to 8.
At least hoping most (all) things are shaken out now with regard to
this. In case you know anything that doesn't work as expected, now
would be a good time to tell us.

/bz


[1] http://diario.behrens.de/2008/10/12/java_and_ipv6_on_bsd.html

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
