On Mon, 4 Aug 2003, Rus Foster wrote:

> Is there a patch that will allow ping from inside a jail on 5.x? Google
> didn't show anything?

The problem is that, to generate pings, you have to have access to a raw socket. And unfortunately, raw sockets imply access to a lot more than just the ability to send/receive ICMP: a number of management components in the IP stack assume that if you have a raw socket, you're also allowed to configure those components. Take a look at rip_ctloutput() in raw_ip.c for some examples.

We have some local in-progress changes to modify this as part of our capabilities work, but there's no timeline for integrating it. The best short-term suggestion would be to write a privilege-separated ping tool -- a pingd running outside the jail, providing UNIX domain sockets in each jail that needs the ability to ping; ping then becomes a client that RPC's to pingd.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert_at_fledge.watson.org   Network Associates Laboratories

Received on Mon Aug 04 2003 - 03:36:43 UTC
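The privilege-separated design suggested in the message above, sketched as an added example (not code from the original message or from FreeBSD): the daemon keeps the raw socket and accepts only a narrow "echo this address N times" request over the UNIX domain socket. The wire format, the count limit and all names (ping_req, ping_rep, pingd_validate, pingd_serve_one, ping_request) are assumptions of this sketch; rawfd stands for a raw ICMP socket that pingd opened outside the jail.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Hypothetical wire format: the only operation a jail can ask pingd for. */
struct ping_req { char dst[INET_ADDRSTRLEN]; uint16_t count; };
struct ping_rep { int32_t status; uint32_t sent; }; /* status 0 = ok, -1 = rejected */
enum { PING_MAX_COUNT = 10 };                       /* assumed per-request limit */

/* Daemon side: accept only "echo this IPv4 address N times", nothing else. */
int pingd_validate(const struct ping_req *rq, struct sockaddr_in *sin)
{
    if (memchr(rq->dst, '\0', sizeof rq->dst) == NULL) return -1; /* unterminated */
    if (rq->count < 1 || rq->count > PING_MAX_COUNT) return -1;
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    return inet_pton(AF_INET, rq->dst, &sin->sin_addr) == 1 ? 0 : -1;
}

/* Serve one request from the jail-facing UNIX socket. rawfd is the raw ICMP
 * socket held by pingd (-1 = dry run, nothing is sent); the client never sees
 * it, so it cannot reach the socket options handled in rip_ctloutput(). */
int pingd_serve_one(int jailfd, int rawfd)
{
    struct ping_req rq;
    struct ping_rep rp = { -1, 0 };
    struct sockaddr_in sin;

    if (recv(jailfd, &rq, sizeof rq, MSG_WAITALL) != (ssize_t)sizeof rq) return -1;
    if (pingd_validate(&rq, &sin) == 0) {
        rp.status = 0;
        for (uint16_t i = 0; rawfd >= 0 && i < rq.count; i++) {
            /* ICMP echo request: type 8, code 0, checksum, id 0, seq i. */
            unsigned char echo[8] = { 8, 0, 0xF7, (unsigned char)(0xFF - i),
                                      0, 0, 0, (unsigned char)i };
            if (sendto(rawfd, echo, sizeof echo, 0, (struct sockaddr *)&sin,
                       sizeof sin) == (ssize_t)sizeof echo)
                rp.sent++;
        }
    }
    return send(jailfd, &rp, sizeof rp, 0) == (ssize_t)sizeof rp ? rp.status : -1;
}

/* Jail side: the ping client needs no raw socket, only the UNIX socket. */
int ping_request(int fd, const char *dst, uint16_t count)
{
    struct ping_req rq = { {0}, count };
    strncpy(rq.dst, dst, sizeof rq.dst - 1);
    return send(fd, &rq, sizeof rq, 0) == (ssize_t)sizeof rq ? 0 : -1;
}
```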