Date:      Mon, 04 Sep 2023 08:53:49 +0000
From:      bugzilla-noreply@freebsd.org
To:        virtualization@FreeBSD.org
Subject:   [Bug 273557] Regression preventing bhyve from running inside a jail without IP after f74147e26999838e03a522bf59ea33bef470d356) breaks support for jailing bhyve with IPv4 and IPv6 disabled. Patch included.
Message-ID:  <bug-273557-27103@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273557

            Bug ID: 273557
           Summary: Regression preventing bhyve from running inside a jail
                    without IP after
                    f74147e26999838e03a522bf59ea33bef470d356) breaks
                    support for jailing bhyve with IPv4 and IPv6 disabled.
                    Patch included.
           Product: Base System
           Version: 13.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bhyve
          Assignee: virtualization@FreeBSD.org
          Reporter: crest@rlwinm.de

Created attachment 244627
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=244627&action=edit
Use VMIO_SIOCSIFFLAGS instead of SIOCGIFFLAGS

Bhyve used to require either the sysctl net.link.tap.up_on_open=1 or an
external wrapper to set the tap/vmnet interfaces' link state after the device
has been opened. Bjoern A. Zeeb's solution to this uses an IP socket (trying
both IPv4 and IPv6). The code as shipped in FreeBSD 13.2 refuses to start bhyve
if it can't create an IP socket to set the link state of the tap/vmnet
interface.

It turns out there is a better way to set the link state on tap interfaces
since there is an equivalent ioctl() available directly on the tap/vmnet
device.

The included patch against FreeBSD 13.2 removes the unused variables (ifrq and
s) and replaces ioctl(s, SIOCGIFFLAGS) on the socket with ioctl(be->fd,
VMIO_SIOCSIFFLAGS) on the tap/vmnet device.

The patch restores the ability to run bhyve inside a jail with ip4=disable and
ip6=disable. The guest running inside bhyve accesses the network through the
tap device without using IP sockets inside the bhyve process. This previously
supported configuration provides defense in depth against guest escapes.

-- 
You are receiving this mail because:
You are the assignee for the bug.