From owner-freebsd-hackers Tue Nov 16 20:41:11 1999 Delivered-To: freebsd-hackers@freebsd.org Received: from orange.kame.net (orange.kame.net [203.178.141.194]) by hub.freebsd.org (Postfix) with ESMTP id 59BFE14FF7; Tue, 16 Nov 1999 20:41:05 -0800 (PST) (envelope-from shin@nd.net.fujitsu.co.jp) Received: from localhost (kame209.kame.net [203.178.141.209]) by orange.kame.net (8.9.1+3.1W/3.7W) with ESMTP id NAA17591; Wed, 17 Nov 1999 13:40:43 +0900 (JST) To: phk@critter.freebsd.dk Cc: beyssac@enst.fr Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Should jail treat ip-number? In-Reply-To: <19991110025853X.shin@nd.net.fujitsu.co.jp> References: <19991110022852N.shin@nd.net.fujitsu.co.jp> <24337.942169052@critter.freebsd.dk> <19991110025853X.shin@nd.net.fujitsu.co.jp> <19991110013913.A5181@enst.fr> X-Mailer: Mew version 1.94 on Emacs 20.4 / Mule 4.0 (HANANOEN) X-Prom-Mew: Prom-Mew 1.93.4 (procmail reader for Mew) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <19991117134132S.shin@nd.net.fujitsu.co.jp> Date: Wed, 17 Nov 1999 13:41:32 +0900 From: Yoshinobu Inoue X-Dispatcher: imput version 990905(IM130) Lines: 59 Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > > I'm not against adding IPv6 functionality to jail(2), my point is > > merely that until somebody who has sufficient time & ability to > > fiddle with it does it, it's not going to happen. > > > > The usual rule applies: > > > > "Great idea, why don't you send me patches which does this ?" > > OK, then I'll try making patches and send you. > My current Idea is that adding a new member, a pointer to > sockaddr to the jail structure, and leave current ip_number > member for backward compatibility. > (Also with associated changes in kernel and the jail command) > There's been a discussion a few weeks ago on freebsd-security on > this very matter. See attached mail below. > > The conclusion was that jail(2) should be fixed to use a sockaddr > instead of a 32 bit int to specify the address. > > That seems to be the first logical step, even before making jail(2) > IPv6-compliant. In implementing jail sockaddr extension trial, I found some problems, and now have an possible solution. problems: -Any process in a jail might want to use several protocol families at the same time. So jail(2) need to specify every adress of those possible address families. (AF_INET, AF_INET6, AF_IPX, AF_APPLETALK, and so on) To do this, jail structure need to have not only a sockaddr but several sockaddrs list, and they are specified via jail(2). But I don't like such a extension, because, -It is complicated. Error checking will be diffcult. -User interface will also become complicated, and difficult to use. -As already commented, checking those addresses which already specified by other jail'ed processes is necessary. solution: Don't specify addresses via jail(2), and let kernel select any non binded address. Loop in_ifaddr list and try in_pcblookup_hash() for each of addresses, just as in_pcbbind does it to search for non binded port. A weak point of this solution is that processes in a same jail won't be necessariliy binded to a same address, but does it matters? Yoshinobu Inoue To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message