On 2025-07-14 03:53, Doug Rabson wrote:

I tried setting allow.socket_af for a jail which inherits the host vnet and this still has problems creating interfaces:

$ jid=$(sudo jail -i -c host.hostname=foo vnet=inherit allow.socket_af path=/ persist)
$ sudo jexec $jid
You have mail.
root@foo:/ # ifconfig bridge create
ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported
root@foo:/ # exit
exit
$ sudo jail -r $jid

I think I see the problem: address family 2 is AF_INET, which check_prison_af will only disallow if IPv4 is disabled in that jail - which it is! Add ip4=inherit to your child jail and see if that does the trick.

A typical non-vnet jail has one or more IP addresses included in the definition, but without that the default is ip4=disabled. Bjoern's "all I have is yours" is not in fact the overriding jail philosophy, but rather "you get only what you ask for."

- Jamie
