author | bz <bz@FreeBSD.org> | 2010-01-17 12:57:11 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2010-01-17 12:57:11 +0000 |
commit | d80ba03e3c55996b4cbd43c63798a30f830c08c3 (patch) | |
tree | 2b602932505487bf20c4f34fd4d2c8c7b7e2dc5e /usr.sbin/jail | |
parent | b89a432ee1889ec29b188c301b5171234c9247bc (diff) | |
Add ip4.saddrsel/ip4.nosaddrsel (and equivalent for ip6) to control
whether to use source address selection (default) or the primary
jail address for unbound outgoing connections.

This is intended to be used by people upgrading from single-IP
jails to multi-IP jails but not having to change firewall rules,
application ACLs, ... but to force their connections (unless
otherwise changed) to the primary jail IP they had been used for
years, as well as for people preferring to implement similar policies.

Note that for IPv6, if configured incorrectly, this might lead to
scope violations, which single-IPv6 jails could as well, as by the
design of jails. [1]

Reviewed by: jamie, hrs (ipv6 part)
Pointed out by: hrs [1]
MFC After: 2 weeks
Asked for by: Jase Thew (bazerka beardz.net)
Diffstat (limited to 'usr.sbin/jail')
-rw-r--r-- | usr.sbin/jail/jail.8 | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 3fc4a4b..77f1b95 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 18, 2009 +.Dd January 17, 2010 .Dt JAIL 8 .Os .Sh NAME @@ -252,6 +252,13 @@ match. It is only possible to start multiple jails with the same IP address, if none of the jails has more than this single overlapping IP address assigned to itself. +.It Va ip4.saddrsel +A boolean option to change the formerly mentioned behaviour and disable +IPv4 source address selection for the prison in favour of the primary +IPv4 address of the jail. +Source address selection is enabled by default for all jails and a +.Va ip4.nosaddrsel +setting of a parent jail is not inherited for any child jails. .It Va ip4 Control the availablity of IPv4 addresses. Possible values are @@ -267,9 +274,10 @@ Setting the .Va ip4.addr parameter implies a value of .Dq new . -.It Va ip6.addr , Va ip6 -A list of IPv6 addresses assigned to the prison, the counterpart to -.Va ip4.addr +.It Va ip6.addr , Va ip6.saddrsel , Va ip6 +A set of IPv6 options for the prison, the counterparts to +.Va ip4.addr , +.Va ip4.saddrsel and .Va ip4 above. |
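Review bot: In the second hunk (@@ -252,6 +252,13), the new `.It Va ip4.saddrsel` entry is described as an option to "disable IPv4 source address selection", which is what the negated form `ip4.nosaddrsel` does, so the text under the positive name reads inverted. It also points at "the formerly mentioned behaviour", but the preceding context is about starting multiple jails with the same IP address and does not mention source address selection. Suggest stating directly that `ip4.saddrsel` (the default) keeps source address selection, that `ip4.nosaddrsel` makes the jail use its primary IPv4 address instead, and, as the commit message says, that this affects unbound outgoing connections.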
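Review bot: In the last hunk (@@ -267,9 +274,10), folding `ip6.saddrsel` into the shared `.It Va ip6.addr , Va ip6.saddrsel , Va ip6` entry removes the only sentence that said what `ip6.addr` is ("A list of IPv6 addresses assigned to the prison") and gives the reader nothing IPv6-specific about the new option. The commit message warns that an incorrect configuration might lead to scope violations for IPv6; that caveat should be documented here next to `ip6.saddrsel`, together with the `ip6.nosaddrsel` form, which the changed text never names.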