From: Jamie Gritton
Date: Wed, 26 May 2010 10:57:21 -0600
To: Glen Barber
Cc: jail@FreeBSD.org
Subject: Re: jail(8) allow.socket_af, unknown oid
Message-ID: <4BFD52F1.9030704@FreeBSD.org>
In-Reply-To: <20100525175412.GA75052@orion.glenbarber.us>

The sysctls that describe available jail parameters don't always have a
type that sysctl(8) understands. In particular, the boolean parameters
are given a sysctl type of "B", and sysctl(8) will ignore them. These
aren't useful sysctls in any normal way - they never have a meaningful
value. They exist only so their types and sizes can be determined by
jail(8) and jail(3).

As per the jail(8) man page, you can use "sysctl -d" to show sysctl
descriptions without the value. Since it's only the values that
sysctl(8) doesn't understand, such parameters as allow.sock_af will then
show up.

Or, in a short answer to your last question: this isn't a tunable in the
normal sysctl way, just a jail parameter.

- Jamie

On 05/25/10 11:54, Glen Barber wrote:
> The jail(8) man page has an entry under 'allow.*', allow.socket_af, which
> states to allow access to protocol stacks that have not had jail functionality
> added to them.
>
> However, though socket_af exists in sys/kern/kern_jail.c, the sysctl itself
> does not exist on my system:
>
> orion# sysctl -a | grep socket
> kern.ipc.maxsockets: 25600
> kern.ipc.numopensockets: 35
> security.jail.allow_raw_sockets: 0
> security.jail.socket_unixiproute_only: 1
>
> Is this sysctl missing, or is it not a tunable?