You've added an optional permission bit, but there's no option to change it. If it would make sense to allow it to all jails, there's no need for PR_ALLOW_ICMP_ACCESS. If it would make sense to restrict to some jails, there needs to be a matching jail.allow parameter, as defined in kern_jail.c's pr_flag_allow array and SYSCTL_JAIL_PARAM(_allow, ...).

I have a couple of comments for this:
(a) ICMP access is not just echo requests; this will alllow jails to send other things out which might not be a great idea, so if you do, default off.
(b) I'd love to have an ICMPv6 equivalent; ICMPv6 is even worse as to what people can do; see (a)
(c) I don't think this is a good idea.
(d) Even with this there'll be other issues (as are with raw sockets), such as source address selection, which was once was discussed in 2011 [ https://people.freebsd.org/~bz/20120407-01-ping-source-addr.diff ]; probably on freebsd-net or -jails back then.
(e) lastly we do have full network stacks these days, and even if they are not always needed the tradeoff to adding more hacks on top of classic IP-jails is questionable.

Please don't get me wrong about this, I not not saying no to it, I just think if it is done it needs a fully thought out solution and not just a bit less restrictive priv hack. I'll leave it in jamie's hands.

SOCK_RAW is still used by other subsystems, e.g. configuring firewalls rules among other things. This is the main reason raw sockets were restricted within jails in the first place. I am not seeing how this patch protects other subsystems.

Hi bz,

Thanks for taking the time to check this out.
You are right I'm just checking for ICMP protocol but I should check for ICMP echo requests, as my intention is just to allow what is needed to make PING(8) work.
I thought that allowing ICMP echo requests and don't allow to set IP_HDRINCL on the packets was enough to accomplish this.
In your expertise is something else needed to accomplish this ?.

Bests

In D26782#597187, @bz wrote:

I have a couple of comments for this:
(a) ICMP access is not just echo requests; this will alllow jails to send other things out which might not be a great idea, so if you do, default off.
(b) I'd love to have an ICMPv6 equivalent; ICMPv6 is even worse as to what people can do; see (a)
(c) I don't think this is a good idea.
(d) Even with this there'll be other issues (as are with raw sockets), such as source address selection, which was once was discussed in 2011 [ https://people.freebsd.org/~bz/20120407-01-ping-source-addr.diff ]; probably on freebsd-net or -jails back then.
(e) lastly we do have full network stacks these days, and even if they are not always needed the tradeoff to adding more hacks on top of classic IP-jails is questionable.

Please don't get me wrong about this, I not not saying no to it, I just think if it is done it needs a fully thought out solution and not just a bit less restrictive priv hack. I'll leave it in jamie's hands.

In D26782#597232, @csjp wrote:

SOCK_RAW is still used by other subsystems, e.g. configuring firewalls rules among other things. This is the main reason raw sockets were restricted within jails in the first place. I am not seeing how this patch protects other subsystems.

Hi csjp,

My intend is just to make PING(8) work by only allowing icmp echo requests, I don't want to give raw socket access to a jail to just use PING(8).
I thought it was straight forward to make this work.
You are right, I allowed icmp access but I'm not checking if the type if the echo request, I'll fix that.