Bug 248029

Summary: Allow ability to use socket option SO_REUSEPORT_LB in jail
Product: Base System
Reporter: Dmitry Wagin <dmitry.wagin>
Component: kern
Assignee: freebsd-jail (Nobody) <jail>
Status: New
Severity: Affects Some People
CC: ae, drtr0jan, emaste, pi
Priority: ---
Keywords: patch
Version: 12.0-STABLE
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247956
Attachments: SO_REUSEPORT_LB.diff (flags: none)

Description Dmitry Wagin 2020-07-16 21:25:05 UTC
Created attachment 216500: SO_REUSEPORT_LB.diff

Now the socket option SO_REUSEPORT_LB in a jail does not work as intended.

Comment 1 Andrey V. Elsukov (freebsd_committer) 2020-07-17 08:09:09 UTC
Can you explain the reason you want this feature?

It seems to me that this was explicitly disallowed for security reasons.
E.g., you have a host that provides jails and some load-balanced service, and a jailed user cannot run some bad service to join the load-balanced service. With your patch this seems possible.

Comment 2 Dmitry Wagin 2020-07-17 08:25:36 UTC
(In reply to Andrey V. Elsukov from comment #1)

Without this it is impossible:
* running a load-balanced service in a single jail
* running a load-balanced service in multiple jails

plus tasks to minimize downtime during upgrades of services running in a jail.

Comment 3 Dmitry Wagin 2020-07-17 11:04:59 UTC
(In reply to Andrey V. Elsukov from comment #1)
> E.g., you have a host that provides jails and some load-balanced service, and
> a jailed user cannot run some bad service to join the load-balanced service.
> With your patch this seems possible.

VNET should solve this problem?