Issuing the "ipfstat -hnio" command from within the vnet jail gives this message: open(IPSTATE_NAME):no such file or directory. ipfstat(8) also lists /dev/kmem; I suspect that including this may be a bad idea.
kmem will give access to the complete memory of the host. If your goal is tighter security (instead of just improved manageability due to a less wide scope of the rules needed), then this is a no-go.
Just adding kmem in the devfs rules will not help anyway; the kernel disallows access to it even if present in the jail (unless you run my X11-in-a-jail patch and have the corresponding option activated for the jail).
Bye, Alexander. -- http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF