On Mon, 14 Jul 2025 at 16:54, James Gritton <[email protected]> wrote:
> On 2025-07-14 03:53, Doug Rabson wrote:
> > I tried setting allow.socket_af for a jail which inherits the host vnet
> > and this still has problems creating interfaces:
> >
> > $ jid=$(sudo jail -i -c host.hostname=foo vnet=inherit allow.socket_af
> > path=/ persist)
> > $ sudo jexec $jid
> > You have mail.
> > root@foo:/ # ifconfig bridge create
> > ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported
> > root@foo:/ # exit
> > exit
> > $ sudo jail -r $jid
>
> I think I see the problem: address family 2 is AF_INET, which
> check_prison_af will only disallow if IPv4 is disabled in that jail - which
> it is! Add ip4=inherit to your child jail and see if that does the trick.
>
> A typical non-vnet jail has one or more IP addresses included in the
> definition, but without that the default is ip4=disabled. Bjoern's "all I
> have is yours" is not in fact the overriding jail philosophy, but rather
> "you get only what you ask for."

Jamie is, of course, correct, and setting ip4=inherit fixes the EPROTONOSUPPORT,
uncovering my original EPERM problem:

$ jid=$(sudo jail -i -c host.hostname=foo ip4=inherit allow.socket_af path=/ persist)
$ sudo jexec $jid ifconfig bridge create
ifconfig: SIOCIFCREATE2 (bridge): Operation not permitted
$ sudo jail -r $jid

Doug.
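The point Jamie makes above (allow.socket_af on its own does not enable AF_INET in a non-vnet jail; the address family must also be enabled via ip4=inherit or an ip4.addr list, since the default is ip4=disabled) is easy to get wrong when assembling jail(8) parameter lists. The following POSIX sh pre-flight check is an added example written for this thread, not code from FreeBSD or from either poster. The function name jail_socket_check, the treatment of a bare `vnet` as vnet=new, the exemption of vnet=new jails (which have their own network stack) and the parallel ip6 check are my assumptions; the script only inspects the parameter list and never invokes jail(8).

```sh
#!/bin/sh
# Added example, not from the thread: a pre-flight check for jail(8)
# parameter lists. In a non-vnet jail, allow.socket_af does not by itself
# permit AF_INET/AF_INET6 sockets; check_prison_af also requires the
# matching address family to be enabled (ip4=inherit, ip4.addr=..., etc.).
# Usage: jail_socket_check PARAM...   (same tokens you would pass to jail -c)
# Prints the missing parameters on stderr and returns 1 if any are missing.
jail_socket_check() {
    vnet=0 ip4=0 ip6=0 socket_af=0
    for p in "$@"; do
        case "$p" in
            # Assumption: a bare "vnet" means vnet=new, as jail(8) treats it.
            vnet|vnet=new)                       vnet=1 ;;
            allow.socket_af|allow.socket_af=1)   socket_af=1 ;;
            ip4=inherit|ip4=new|ip4.addr=*)      ip4=1 ;;
            ip6=inherit|ip6=new|ip6.addr=*)      ip6=1 ;;
        esac
    done
    # A vnet=new jail has its own stack, so the ip4/ip6 gating does not apply.
    [ "$vnet" -eq 1 ] && return 0
    missing=""
    if [ "$socket_af" -eq 1 ]; then
        [ "$ip4" -eq 1 ] || missing="$missing ip4=inherit"
        # Assumption: the same rule applies to IPv6 (not discussed in the thread).
        [ "$ip6" -eq 1 ] || missing="$missing ip6=inherit"
    fi
    [ -z "$missing" ] && return 0
    echo "allow.socket_af set but address families disabled, add:$missing" >&2
    return 1
}

# Demo with the parameter list from the original report (no jail is created).
if jail_socket_check host.hostname=foo vnet=inherit allow.socket_af path=/ persist; then
    echo "parameter list looks complete"
fi
```

Run it against the parameter list you intend to pass to `jail -c`; the vnet=inherit list from the first message is reported as incomplete, while the list with ip4=inherit (plus ip6=inherit) passes, which matches the change that cleared the EPROTONOSUPPORT in the thread. The remaining EPERM on SIOCIFCREATE2 is a separate permission and is not something this check detects.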
