# ISC-dhcpd in jail doesn't work anymore



## FormA (Aug 17, 2014)

Hey guys,

For several months I had used isc-dhcpd in a jail. I had the usual trouble in the beginning (jails are very restrictive...) but I kind of fixed them a long time ago. As I already said - it worked like a charm for months. Until yesterday. To my knowledge I only did the following things:

- `freebsd-update install`
- `portsnap fetch update` (which should not affect the jails)

Now isc-dhcpd doesn't start anymore and shows me the old error `unable to create icmp socket: Operation not permitted`. This was one of the old problems I had when I first installed the jail. I solved it back then with `security.jail.allow_raw_sockets=1` in the rc.conf of the jail host system. I confirmed - this parameter is still set.

So I continued with /etc/devfs.rules definitions - `add path net unhide`, `add path 'net/*' unhide`.

There are several blog posts I used as examples and templates for my configuration:

https://forums.freebsd.org/viewtopic.php?&t=29934
http://lists.freebsd.org/pipermail/freebsd-jail/2012-November/001989.html
http://dan.langille.org/2013/08/18/creating-a-freebsd-jail-to-run-dhcp-and-dns/

Nothing works. I can't get dhcpd up anymore.

I rolled back the `freebsd-update`. Same problem.

I even rolled back a ZFS snapshot of the jail when it was definitely working - still nothing!

I am out of options now. I hope anybody here has an idea how to continue?

Thanks.

D


----------



## wblock@ (Aug 18, 2014)

You do not say which version of FreeBSD, either before or after the update.  Now, raw sockets are a per-jail setting.

Old format, in /etc/rc.conf:

```
...
jail_mydhcpjail_parameters="allow.raw_sockets=1"
```

For sysutils/ezjail, in /usr/local/etc/ezjail/mydhcpjail:

```
export jail_mydhcpjail_parameters="allow.raw_sockets=1"
```

New FreeBSD 10 format, in /etc/jail.conf:

```
mydhcpjail {
        ...
        allow.raw_sockets = 1;
}
```


----------



## junovitch@ (Aug 18, 2014)

It's the bpf() device that DHCPD requires to run in a jail.  If you are using FreeBSD 10, I am guessing your updates included applying SA 14-07.  https://www.freebsd.org/security/advisories/FreeBSD-SA-14:07.devfs.asc.  Prior to that, jails were able to see all devices.  If you are using FreeBSD 9 or 8, I am not sure as the bpf() device shouldn't have been seen without explicit config.

/etc/devfs.rules

```
[devfsrules_jail_with_bpf=6]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide
```

For sysutils/ezjail in /usr/local/etc/ezjail/mydhcpjail

```
export jail_mydhcpjail_devfs_ruleset="6"
export jail_mydhcpjail_parameters="allow.raw_sockets=1"
```

Equivalent /etc/jail.conf style.

```
allow.raw_sockets=1;
devfs_ruleset = "6";
```

The usual warning applies.  Access to the bpf device in a jail means the root user in the jail can use tcpdump to collect packets on any interface on the system, even ones where the jail doesn't have an IP.


----------



## wblock@ (Aug 18, 2014)

Whoops.  But raw sockets are still needed, because DHCP is supposed to ping an address to make sure nobody is using it before handing it out.  I just did this for /etc/devfs.rules on FreeBSD 10-stable:

```
[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide
```


----------


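An added consistency check for the two files discussed in this thread, written here as an example and not taken from any of the posts or from FreeBSD itself: it reads a devfs.rules and a jail.conf (both constructed samples, modelled on the rulesets in junovitch@'s and wblock@'s replies, including wblock@'s ruleset 5 that includes `$devfsrules_jail`), replays each jail's devfs ruleset with its includes inlined, and reports which jails can see bpf and have raw sockets allowed, which is what dhcpd needs and also what the tcpdump warning above is about. It handles only `add hide`, `add include $name` and `add path PATTERN hide|unhide`, and assumes mount.devfs is enabled for every jail.

```python
import re
from fnmatch import fnmatch
# Constructed sample files modelled on this thread's rulesets; not copied from any real host.
DEVFS_RULES = """
[devfsrules_hide_all=1]
add hide
[devfsrules_jail=4]
add include $devfsrules_hide_all
[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide
"""
JAIL_CONF = """
mydhcpjail { allow.raw_sockets = 1; devfs_ruleset = "5"; }
webjail { devfs_ruleset = "4"; }
"""

def parse_devfs_rules(text):
    """{name: (number, [rule lines])} for every [name=N] section of devfs.rules."""
    parts = re.split(r"^\[(\w+)=(\d+)\]$", text, flags=re.M)[1:]  # name, num, body, name, ...
    return {parts[i]: (int(parts[i + 1]), [l for l in parts[i + 2].split("\n") if l.strip()])
            for i in range(0, len(parts), 3)}

def device_visible(sections, ruleset_no, dev):
    """Replay ruleset `ruleset_no` in order (includes inlined); True if `dev` ends up unhidden."""
    def apply(rules, visible):
        for tok in (r.replace("'", "").split() for r in rules):
            if tok[1] == "hide":       # 'add hide' with no path hides every node
                visible = False
            elif tok[1] == "include":  # '$name' pulls in another [name=N] section at this point
                visible = apply(sections[tok[2].lstrip("$")][1], visible)
            elif tok[1] == "path" and fnmatch(dev, tok[2]):
                visible = tok[3] == "unhide"
        return visible
    rules = next((r for n, r in sections.values() if n == ruleset_no), [])
    return apply(rules, True)  # ruleset 0 (the jail(8) default) or an undefined one hides nothing

def parse_jail_conf(text):
    """Minimal jail.conf reader: {jail: {param: value}}; no variables, includes or nesting."""
    return {name: {k.strip(): v.strip().strip('"') for k, v in
                   (p.split("=", 1) for p in body.split(";") if "=" in p)}
            for name, body in re.findall(r"(\w+)\s*\{(.*?)\}", text, re.S)}

def audit(jail_conf, devfs_rules):
    """Per jail: is bpf exposed, are raw sockets allowed, and so can dhcpd run there."""
    sections, report = parse_devfs_rules(devfs_rules), {}
    for jail, p in parse_jail_conf(jail_conf).items():
        bpf = device_visible(sections, int(p.get("devfs_ruleset", "0")), "bpf0")
        raw = p.get("allow.raw_sockets", "0") == "1"
        report[jail] = {"bpf_visible": bpf, "raw_sockets": raw, "dhcpd_ready": bpf and raw}
    return report
```

Any jail reported with `bpf_visible` but no need for dhcpd is a candidate for a tighter ruleset, since per junovitch@ that jail's root can capture on every interface.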