Date:      Sat, 01 Nov 2025 10:18:45 -0700
From:      James Gritton <jamie@freebsd.org>
To:        Andrea Cocito <andrea@cocito.eu>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Exposing default route(s) to "inherit" jails
Message-ID:  <e2a1cee74210432b58ca0c13ca0689e6@freebsd.org>
In-Reply-To: <867AD117-5557-4BB8-8976-DBF56BBD8FF1@cocito.eu>
References:  <867AD117-5557-4BB8-8976-DBF56BBD8FF1@cocito.eu>


On 2025-10-31 23:59, Andrea Cocito wrote:
> Hallo,
> 
> In a project I am working on we need to use tools in jails, like map, 
> which need to see the default route. Jails with “inherit” network mode 
> cannot see the default route.
> 
> I experimented with dedicated FIBs in which I inject the routes and 
> various other paths, nothing worked. I finally decided to patch the 
> kernel and add a sysctl knob.
> 
> Setting net.route.inherit_jail_default_routes=1 makes the default 
> routes visible to “inherit” jails, leaving it at the default (0) keeps 
> the known and current behaviour.
> 
> I wonder:
> 1. Did I miss some other, simpler, solution?
> 2. What are the security risks of exposing (read only) default routes 
> to a jail?
> 3. Could this be useful to others?
> 4. What would be the path to propose this as a PR for integration in 
> the codebase?
> 
> So far the patch is tested on 14.3-p5. Patch attached.

I don't see a problem with this.  For that matter, I don't see a problem 
with seeing all the routes if the admin decides it's fine for a jail to 
see them.  But don't take it from me - I hope someone else with more of 
a networking background will chime in with any reasons why this is or 
isn't a good idea.

I would make this not a sysctl knob, but another flag under jail.allow.

- Jamie

