author bz <bz@FreeBSD.org> 2010-01-17 12:57:11 +0000
committer bz <bz@FreeBSD.org> 2010-01-17 12:57:11 +0000
commit d80ba03e3c55996b4cbd43c63798a30f830c08c3 (patch)
tree 2b602932505487bf20c4f34fd4d2c8c7b7e2dc5e /sys/netinet6
parent b89a432ee1889ec29b188c301b5171234c9247bc (diff)
Add ip4.saddrsel/ip4.nosaddrsel (and equivalent for ip6) to control
whether to use source address selection (default) or the primary jail address for unbound outgoing connections. This is intended to be used by people upgrading from single-IP jails to multi-IP jails but not having to change firewall rules, application ACLs, ... but to force their connections (unless otherwise changed) to the primary jail IP they had been used for years, as well as for people preferring to implement similar policies.

Note that for IPv6, if configured incorrectly, this might lead to scope violations, which single-IPv6 jails could as well, as by the design of jails. [1]

Reviewed by: jamie, hrs (ipv6 part)
Pointed out by: hrs [1]
MFC After: 2 weeks
Asked for by: Jase Thew (bazerka beardz.net)
Diffstat (limited to 'sys/netinet6')
-rw-r--r-- sys/netinet6/in6_src.c 7
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/netinet6/in6_src.c b/sys/netinet6/in6_src.c
index 8e82ef1..ea302a5 100644
--- a/sys/netinet6/in6_src.c
+++ b/sys/netinet6/in6_src.c
@@ -271,6 +271,13 @@ in6_selectsrc(struct sockaddr_in6 *dstsock, struct ip6_pktopts *opts,
}
/*
+ * Bypass source address selection and use the primary jail IP
+ * if requested.
+ */
+ if (cred != NULL && !prison_saddrsel_ip6(cred, srcp))
+ return (0);
+
+ /*
* If the address is not specified, choose the best one based on
* the outgoing interface and the destination address.
*/
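Review bot: The early return at `if (cred != NULL && !prison_saddrsel_ip6(cred, srcp)) return (0);` hands back the primary jail address before the code that chooses "the best one based on the outgoing interface and the destination address", so nothing in this path compares that address against dstsock. The commit message acknowledges the resulting scope-violation risk for IPv6, but the new comment does not; it should say so, so that a later reader of in6_selectsrc() does not assume the returned source always matches the destination's scope. The comment should also state the return convention being relied on: as written, a zero return from prison_saddrsel_ip6() is treated as "srcp has been filled in, stop here", which reads inverted next to the `!` and is easy to get wrong when the helper is changed.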