On Wed, 29 Jul 2009, Jamie Gritton wrote:
Hi,
let me add a few words.
Sam Leffler wrote:
Jamie Gritton wrote:
Author: jamie
Date: Wed Jul 29 16:41:02 2009
New Revision: 195944
URL: http://svn.freebsd.org/changeset/base/195944
Log:
Change the default value of the "ip4" and "ip6" jail parameters to
"disable", which only allows access to the parent/physical system's
IP addresses when specifically directed. Change the default value of
"host" to "new", and don't copy the parent host values, to insulate
jails from the parent hostname et al.
This does not say why you're making these changes; please explain.
My apologies. The ip4/6 change fixed an error with the old-style
command line of jail(8), where specifying IPv4 address(es) but not IPv6
addresses would allow access to the full IPv6 stack, a regression from
7.2 which allows only specifically noted IPv6 addresses.
And vice versa for IPv6 only jails and also with no-IP jails where
addresses of both AFs were inherited rather than denied.
This behaviour is actually needed to not break lots of jail setups
with mostly Java[1] and some other apps that have strange defaults and
`understandings' of what dual-stack or socket operations in one of
those means.
It's basically reverting to the old or rather expected defaults of a
jail so that jails can continue to run 1:1 when upgrading from 7 to 8.
At least hoping most (all) things are shaken out now with regard to
this. In case you know anything that doesn't work as expected, now
would be a good time to tell us.
/bz
[1] http://diario.behrens.de/2008/10/12/java_and_ipv6_on_bsd.html
--
Bjoern A. Zeeb The greatest risk is not taking one.