On Thu, Jan 03, 2013 at 10:48:24AM -0700, Jamie Gritton wrote:
> On 01/03/13 02:36, Bjoern A. Zeeb wrote:
> > Meanwhile your suggestion might be ok given simple enough, but I wonder
> > if a different flag would be helpful still. I would not be able to
> > "trust" (the little that is possible anyway) raw_sockets anymore if they
> > suddenly could fiddle with the routing table - even read-only, should
> > that really be enough.
> > I would explicitly advertise it as 'do not use - will go away again'
> > feature and it should the moment vnets are declared non-experimental.
> 
> Well I'd rather not introduce something as a stopgap. Either this is
> worth doing or it isn't. It does make sense to at least make sure it
> works with VNET.

Hello all,

Thanks for your consideration of the issue. 

I don't think it would necessarily have to be a stopgap - I think 
something like jail.socket_allow_readroute, default 0, wouldn't hurt 
anything and would definitely help some folks, as this issue has arisen 
for multiple people over the years.

While I agree that vnets will be a great future solution, I think that 
the very existence of unixiproute_only is kind of problematic, as it 
implies that jails should be able to use routing sockets by default 
(read-only, presumably). If we don't want to allow that, should it at 
least be slated to rename/redocument this sysctl at some point in the 
future? Or is it intended that VNET totally replace old jail 
infrastructure, obviating the need for that sysctl at all?

-David
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail