On 08/01/2023 18:52, Steffen Christgau wrote:
The effect of the silently changed wildcard address in my case is that the changed address prevents the required binding of the second/sending socket. This is inconsistent with the behavior outside a jail. Is this actually intended? If so, what can be done to bind both sockets to their required ports?

ip4.addr
A list of IPv4 addresses assigned to the jail. If this is set, the jail is restricted to using only these addresses. [...] Attempts to use wildcard addresses silently use the jailed address instead. For IPv4 the first address given will be used as the source address when source address selection on unbound sockets cannot find a better match.

I also tried to set ip4.saddrsel = 1 in the jail config, but it appeared that nothing changed. If the IP address configuration is omitted for the jail, the service does not encounter the error of an address that is already in use.

If there is a solution to have the daemon run in a jail, I would be happy to discuss this. If jails are not suitable for this use case, let me know as well. 😉
Did you try using vnet style jails? These have their own, separate, loopback interface and a separate network interface, typically using epair(4) so you should avoid the silent rewriting of wildcard addresses that is causing you such difficulty.
See:
https://wiki.freebsd.org/Jails/VNET
/usr/src/share/examples/jails/jib

Cheers,
Matthew
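
A jail.conf sketch of the vnet setup suggested in the reply above, with the shared-stack form left commented out for comparison. This is an added example, not configuration from the thread or from the FreeBSD project; the jail name `svc`, the path, the hostname, the physical interface `em0` and the address 192.0.2.10 are assumptions.

```conf
# Constructed example: jail name "svc", path, hostname, em0 and
# 192.0.2.10 are assumptions, not values from the thread.

# Shared-stack jail (the kind of setup the quoted message describes):
# the jail is restricted to ip4.addr, and a bind to the wildcard
# address is silently rewritten to that address.
#
# svc {
#     path = "/jails/svc";
#     host.hostname = "svc.example.org";
#     ip4.addr = 192.0.2.10;
#     exec.start = "/bin/sh /etc/rc";
#     exec.stop = "/bin/sh /etc/rc.shutdown";
#     mount.devfs;
# }

# VNET jail: its own network stack, its own lo0, and one end of an
# epair(4). No ip4.addr restriction is set, so wildcard binds inside
# the jail are not rewritten to a jail address.
svc {
    path = "/jails/svc";
    host.hostname = "svc.example.org";

    vnet;
    # "jib addm svc em0" bridges em0 and creates the pair
    # e0a_svc (stays on the host) / e0b_svc (moved into the jail).
    vnet.interface = "e0b_svc";
    exec.prestart = "/bin/sh /usr/src/share/examples/jails/jib addm svc em0";
    exec.poststop = "/bin/sh /usr/src/share/examples/jails/jib destroy svc";

    exec.clean;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}
```

With this layout the address is configured inside the jail rather than in jail.conf, for example `ifconfig_e0b_svc="inet 192.0.2.10/24"` in the jail's own /etc/rc.conf.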