On 24/01/2010 14:05, Bjoern A. Zeeb wrote:
Author: bz
Date: Sun Jan 24 14:05:56 2010
New Revision: 202924
URL: http://svn.freebsd.org/changeset/base/202924

Log:
   MFC r202468:

    Add security.jail.ip4_saddrsel/ip6_nosaddrsel sysctls to control
    whether to use source address selection (default) or the primary
    jail address for unbound outgoing connections.

    This is intended to be used by people upgrading from single-IP
    jails to multi-IP jails but not having to change firewall rules,
    application ACLs, ... but to force their connections (unless
    otherwise changed) to the primary jail IP they had been used for
    years, as well as for people preferring to implement similar policies.

    Note that for IPv6, if configured incorrectly, this might lead to
    scope violations, which single-IPv6 jails could as well, as by the
    design of jails. [1]

    Note that in contrast to FreeBSD 8.x and newer, where we have
    per-jail options, the sysctls are global for all jails.

    Reviewed by:                jamie, hrs (ipv6 part) [for HEAD]
    Pointed out by:     hrs [1]
    Tested by:          Jase Thew (bazerka beardz.net) (IPv4)

   Approved by: re (kib)

Modified:
   stable/7/sys/kern/kern_jail.c
   stable/7/sys/netinet/in_pcb.c
   stable/7/sys/netinet6/in6_src.c
   stable/7/sys/sys/jail.h
   stable/7/usr.sbin/jail/jail.8
Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
   stable/7/usr.sbin/jail/   (props changed)

Many thanks!

Regards,

Jase.
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all