Processes do not appear to be able to open routing sockets within jails, regardless of the setting of the security.jail.socket_unixiproute_only or security.jail.allow_raw_sockets sysctls. This manifests as not being able to use commands such as "route get" or "nmap" SYN scans. While it is understandable that one should not be able to write to routing sockets from a non-VIMAGE jail, being able to read this information is quite useful functionality (critical, in my case).

http://marc.info/?l=freebsd-stable&m=133590147421290&w=2
http://seclists.org/nmap-dev/2012/q2/220

How-To-Repeat:

Outside of a jail:

[dthiel@host ~ 1350 ] sudo route get asdf.com
   route to: apache2-emu.malabo.dreamhost.com
destination: default
       mask: default
    gateway: 210.15.12.11
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

Inside jail:

[dthiel@host ~ 1347 ] sudo jexec 15 /bin/sh
# route get asdf.com
route: writing to routing socket: No such process
# nmap freebsd.org

Starting Nmap 6.00 ( http://nmap.org ) at 2012-07-09 20:08 UTC
nexthost: failed to determine route to freebsd.org (69.147.83.40)
QUITTING!
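The following is an added example, not part of the PR or of FreeBSD itself: a small POSIX sh helper a jail operator can run from inside a jail to test whether read access to the routing socket works, and to classify the result. It recognizes the normal route(8) "get" output and the "writing to routing socket: No such process" failure shown in the transcript above, and it reports the two sysctls named in the report when sysctl(8) is available. The route -n get invocation, the ok/esrch/denied/unknown labels and the sample strings in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the PR): check routing-socket read access from a jail.

# classify_route_output OUTPUT -> prints one of:
#   ok      a route record came back (a "destination:" line is present)
#   esrch   the jail failure from the PR: "writing to routing socket: No such process"
#   denied  an explicit permission-style error
#   unknown anything else (route(8) missing, unexpected text)
classify_route_output() {
    out=$1
    case $out in
        *"writing to routing socket: No such process"*) echo esrch ;;
        *"Operation not permitted"*|*"Permission denied"*|*"Protocol not supported"*) echo denied ;;
        *"destination:"*) echo ok ;;
        *) echo unknown ;;
    esac
}

# route_field OUTPUT FIELD -> value of the "<FIELD>: value" line, e.g. gateway or interface
route_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# check_route_get [DEST] -> runs "route -n get DEST" (default route if omitted)
# and prints the classification; prints unknown when route(8) is not installed.
check_route_get() {
    dest=${1:-default}
    if ! command -v route >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    out=$(route -n get "$dest" 2>&1) || true
    classify_route_output "$out"
}

# report_jail_sysctls -> prints the two jail sysctls the PR mentions, one per line,
# as "name=value"; prints nothing when sysctl(8) is unavailable.
report_jail_sysctls() {
    command -v sysctl >/dev/null 2>&1 || return 0
    for s in security.jail.socket_unixiproute_only security.jail.allow_raw_sockets; do
        v=$(sysctl -n "$s" 2>/dev/null) || v=unavailable
        echo "$s=$v"
    done
}

# Usage when run directly: ./check_jail_route.sh [destination]
if [ "${0##*/}" = check_jail_route.sh ]; then
    report_jail_sysctls
    echo "route get ${1:-default}: $(check_route_get "$1")"
fi
```

Running this from the jail in the transcript would print esrch for the route check; on the host it prints ok, and route_field can then extract the gateway and interface for logging.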
Responsible Changed From-To: freebsd-bugs->freebsd-jail
Over to maintainer(s).
For bugs matching the following criteria:
  Status: In Progress
  Changed: (is less than) 2014-06-01
Reset to default assignee and clear in-progress tags.
Mail being skipped