Allan Jude <allanj...@freebsd.org> wrote:

> Author: allanjude
> Date: Tue Jun  6 02:15:00 2017
> New Revision: 319611
> URL: https://svnweb.freebsd.org/changeset/base/319611
> 
> Log:
>   Jails: Optionally prevent jailed root from binding to privileged ports
>   
>   You may now optionally specify allow.noreserved_ports to prevent root
>   inside a jail from using privileged ports (less than 1024)
>   
>   PR:         217728
>   Submitted by:       Matt Miller <mattm...@pulsar.neomailbox.ch>
>   Reviewed by:        jamie, cem, smh
>   Relnotes:   yes
>   Differential Revision:      https://reviews.freebsd.org/D10202
> 
> Modified:
>   head/sys/kern/kern_jail.c
>   head/sys/sys/jail.h
>   head/usr.sbin/jail/jail.8
[...]
> @@ -611,6 +613,8 @@ with non-jailed parts of the system.
>  Sockets within a jail are normally restricted to IPv4, IPv6, local
>  (UNIX), and route.  This allows access to other protocol stacks that
>  have not had jail functionality added to them.
> +.It Va allow.reserved_ports
> +The jail root may bind to ports lower than 1024. 
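
Review bot: the added allow.reserved_ports entry does not state its default or mention the negated form, although the commit log presents the feature as an optional restriction that is set with allow.noreserved_ports. A reader of jail.8 who sees only "The jail root may bind to ports lower than 1024." cannot tell that the change is meant to be used by turning the permission off. Suggest stating the default and saying that allow.noreserved_ports prevents jailed root from binding to those ports. The added description line also ends in trailing whitespace, which should be dropped.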

This description seems to imply that net.inet.ip.portrange.reservedhigh
isn't honoured while it actually is.

Fabian
