On Fri, 11 Jul 2025, Doug Rabson wrote:
I do have if_bridge loaded on the base system. With your examples, I can
verify that creating bridges and epairs as well as adding some of those
epairs to the bridge works in a simple vnet=new jail. For the scenario
where network management for the host is delegated to a trusted jail, I
haven't been able to create a bridge:
jail -c host.hostname=foo vnet=inherit path=/ persist
jexec <JID>
root@foo:/ # ifconfig bridge create
ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported
Can you use dtrace to see where the error comes from?
In this scenario, I also want to be able to add interfaces to a bridge and
in earlier testing I get EPERM errors to the 'ifconfig mybridge addm ...'
command.
EPERM could be from
I was hoping that looking for prison_owns_vnet() and
jailed_without_vnet() would reveal anything for your other problems.
Thanks for the feedback - it does seem that nesting Podman containers
should work already - I was working on debugging the vnet=inherit use case
and assumed vnet=new would be the same.
I am a bit surprised too. I was expecting PR_VNET to also be inherited
and with that the priv checks being the same. After all the "parent"
says to a "child" 'you can have all I have'.
root@bhyve-freebsd:~ # jail -c host.hostname=parent name=parent path=/ vnet children.max=3 persist
root@bhyve-freebsd:~ # jexec parent
root@parent:/ # ifconfig bridge create
bridge0
root@parent:/ # jail -c host.hostname=child name=child path=/ vnet=inherit persist
root@parent:/ # ifconfig -l
lo0 bridge0
root@parent:/ # ifconfig epair create
epair0a
root@parent:/ # jexec child
root@child:/ # ifconfig -l
lo0 bridge0 epair0a epair0b
root@child:/ # ifconfig bridge0 addm epair0b
ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported
[.. cut the rest of my poking .. ]
Okay, running ifconfig under ktrace:
62376 ifconfig CALL  socket(PF_INET,0x10000002<SOCK_DGRAM|SOCK_CLOEXEC>,IPPROTO_IP)
62376 ifconfig RET   socket -1 errno 43 Protocol not supported
socreate(): does
943 if (prison_check_af(cred, prp->pr_domain->dom_family) != 0)
944 return (EPROTONOSUPPORT);
and
3458 int
3459 prison_check_af(struct ucred *cred, int af)
...
3467 #ifdef VIMAGE
3468 /* Prisons with their own network stack are not limited. */
3469 if (prison_owns_vnet(cred))
3470 return (0);
3471 #endif
You can probably work around this using:
3504 default:
3505 if (!(pr->pr_allow & PR_ALLOW_SOCKET_AF))
3506 error = EAFNOSUPPORT;
3507 }
3508 return (error);
But that would likely have to come all the way up, which is no good.
The check in socreate() comes from:
git show ca04ba643034d
BUT:
6bb795633cbb4 altered this and it seems in de0bd6f76b4d3 I changed that
to what it is now.
prison 0xfffff8004517b000:
jid = 1
name = parent
vnet = 0xfffff8000176c000
flags = 0x193 persist ip4.saddrsel ip6.saddrsel host = new
1_1001_0011
PERSIST
HOST
VNET
IP6/4ADDRSEL
vnet = new
ip4 = inherit
ip6 = inherit
allow = 0x8601 allow.set_hostname allow.reserved_ports
allow.unprivileged_proc_debug allow.suser
prison 0xfffff80023c25000:
jid = 2
name = child
parent = 0xffffffff818c66a0
vnet = 0xfffff800010e4000
flags = 0x600018f persist ip4.saddrsel ip6.saddrsel host = new
110_0000_0000_0000_0001_1000_1111
PR_IP6
PR_IP4
PR_IP6_SADDRSEL
PR_IP4_SADDRSEL
PR_IP6_USER | PR_IP4_USER | PR_HOST | PR_PERSIST
No PR_VNET and in addition PR_IP4 | PR_IP6 | PR_IP6_USER | PR_IP4_USER
vnet = inherit
ip4 = disable
ip6 = disable
allow = 0x8601 allow.set_hostname allow.reserved_ports
allow.unprivileged_proc_debug allow.suser
There are not too many prison_owns_vnet() callers (especially outside
kern_jail.c).
But I have been too long out of that code to remember all the subtleties and
implications.
My guess is that at least prison_check_af() should allow if vnet is not
disabled (that is new or inherited).
I'll Cc: Jamie and see if he remembers as the hierarchical jails all came with
him.
/bz
--
Bjoern A. Zeeb r15:7
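An added example, not part of this thread or of the FreeBSD tree: a small probe that reproduces the ktrace observation above without going through ifconfig. It calls socket(2) for a list of address families and records the errno per family, so a vnet=inherit jail can be checked in one run. Per the socreate() excerpt quoted above, EPROTONOSUPPORT is what socket(2) returns when prison_check_af() rejects the family; EAFNOSUPPORT from socket(2) means the kernel has no such domain at all, and EPERM is what the 'addm' path reported in the earlier testing. The family list and the wording of explain() are this example's own choices; only errno macros are used because the numeric values differ between FreeBSD (43) and other systems.

```c
/*
 * Added example (not part of the mailing-list thread): probe socket(2)
 * for several address families and report errno per family, to check a
 * jail the same way the ktrace run above did, without needing ifconfig.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Try to create a socket of the given family and type.  Returns 0 on
 * success, otherwise the errno value from socket(2).  SOCK_CLOEXEC is
 * OR'd in to match what ifconfig does; the descriptor is closed at once.
 */
int probe_family(int af, int type)
{
    int fd = socket(af, type | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/*
 * Map an errno from probe_family() to the kernel path it indicates,
 * following the socreate()/prison_check_af() excerpt in the thread.
 * The strings are this example's own wording (assumption).
 */
const char *explain(int err)
{
    switch (err) {
    case 0:
        return "ok";
    case EPROTONOSUPPORT:
        return "socreate(): prison_check_af() rejected this family";
    case EAFNOSUPPORT:
        return "kernel has no domain for this family";
    case EPERM:
        return "privilege check denied the operation";
    default:
        return strerror(err);
    }
}

/* Families to try; the list is a constructed choice for this example. */
static const struct { int af; const char *name; } families[] = {
    { AF_UNIX,  "AF_UNIX"  },
    { AF_INET,  "AF_INET"  },
    { AF_INET6, "AF_INET6" },
};

/* Run the probe for every family and print one line each; returns the
 * number of families that failed so a caller can use it as exit status. */
int probe_all(void)
{
    int failed = 0;
    for (size_t i = 0; i < sizeof(families) / sizeof(families[0]); i++) {
        int err = probe_family(families[i].af, SOCK_DGRAM);
        printf("%-9s SOCK_DGRAM -> errno %d (%s): %s\n", families[i].name,
               err, err ? strerror(err) : "-", explain(err));
        if (err)
            failed++;
    }
    return failed;
}

int main(void)
{
    /* Run as root inside the jail under test, e.g. via jexec <JID>. */
    return probe_all() ? 1 : 0;
}
```

Run it inside the vnet=inherit child (jexec child ./probe) and again in the parent: in the scenario above the child is expected to report EPROTONOSUPPORT for AF_INET while the parent, which owns its vnet, reports ok.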