From: Pawel Jakub Dawidek
To: Jan Grant
Cc: freebsd-hackers@freebsd.org, Martin Blapp, Robert Watson, Poul-Henning Kamp
Date: Wed, 16 Apr 2003 14:02:59 +0200
Subject: Re: Multiple ip-numbers in jails (fixed INADDR_ANY behaviour).
Message-ID: <20030416120259.GB92137@garage.freebsd.pl>
References: <20030415171757.GU52293@garage.freebsd.pl>
List-Id: Technical Discussions relating to FreeBSD

On Wed, Apr 16, 2003 at 12:25:11PM +0100, Jan Grant wrote:
> > Another thing are priorities.
> > When port X is opened on main host and in jail as INADDR_ANY, current
> > implementation of jail converts INADDR_ANY to jail's IP.
> > When we're connecting to this port we will connect to jail's daemon,
> > because "exact match" is there.
> > In my solution looking for opened port is in this order:
> > 1. non-jailed, non-wild.
> > 2. non-jailed, wild.
> > 3. jailed, non-wild.
> > 4. jailed, wild.
>
> Hang on, so you're saying that if my machine has (say) 4 IP addresses,
> and the jail has two of them, and I've a process listening on INADDR_ANY
> in a non-jail, and one listening on INADDR_ANY in a jail, then a
> connection to one of the jailed IPs will wind up with the non-jail
> process?

In current implementation - yes, because there is no INADDR_ANY in jail,
because the INADDR_ANY address is translated to the jail's IP when bind(2)
is called. When a connection arrives, the kernel chooses the "exact match"
first, and the "exact match" is the real IP number. If there is no "exact
match", INADDR_ANY is taken.

But check this out yourself:

# /usr/sbin/sshd -p 666
# jail / temp /usr/sbin/sshd -p 666
# ssh -p 666
# hostname

(sshd binds to INADDR_ANY by default)

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
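The two lookup policies discussed in this thread, as an added example that is not code from the thread or from FreeBSD: a small model of the listening-socket table with jailed and non-jailed listeners, bound either to a specific address or to INADDR_ANY, plus the stock rule (jailed wildcard rewritten to the jail's IP at bind time, exact match before wildcard at lookup) and the four-tier order Pawel quotes. The real in_pcblookup() path with its hashing, ports and local/foreign tuples is not modelled; the host addresses, the jail layout and the rule that a jailed wildcard only serves its own jail's addresses are assumptions of this model, and addresses come from the 192.0.2.0/24 documentation range. It also adds a third scenario the mail does not spell out: binding the host daemon to a specific address so it stops shadowing the jail under the proposed order.

```python
# Added example (not code from this thread or from FreeBSD): a model of the
# listening-socket lookup order discussed above. It keeps only what the mail
# describes (jailed vs. non-jailed listeners, specific vs. wildcard bind, and
# the order in which a match is chosen); the real in_pcblookup() path with its
# hashing, ports and local/foreign tuples is not modelled. All addresses are
# constructed from the 192.0.2.0/24 documentation range.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

INADDR_ANY = "0.0.0.0"
HOST_IPS = ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4")  # constructed


@dataclass(frozen=True)
class Listener:
    name: str
    bound: str                                 # address given to bind(2)
    jail_ips: Optional[FrozenSet[str]] = None  # None => not jailed

    @property
    def jailed(self) -> bool:
        return self.jail_ips is not None


def bind_stock(lst: Listener) -> Listener:
    """Stock jail behaviour as the mail describes it: a jailed bind(2) to
    INADDR_ANY is rewritten to the jail's (single) IP, so a jail never owns
    a wildcard socket."""
    if lst.jailed and lst.bound == INADDR_ANY:
        (jail_ip,) = lst.jail_ips              # stock jails carry exactly one IP
        return Listener(lst.name, jail_ip, lst.jail_ips)
    return lst


def lookup_stock(table: List[Listener], dst_ip: str) -> Optional[Listener]:
    """Stock order: an exact match on the destination address first, then any
    wildcard socket."""
    for lst in table:
        if lst.bound == dst_ip:
            return lst
    for lst in table:
        if lst.bound == INADDR_ANY:
            return lst
    return None


def lookup_proposed(table: List[Listener], dst_ip: str) -> Optional[Listener]:
    """Pawel's proposed order: 1. non-jailed/non-wild, 2. non-jailed/wild,
    3. jailed/non-wild, 4. jailed/wild. A jailed wildcard socket is only a
    candidate for addresses that belong to its jail (assumption of this model)."""
    tiers = (
        lambda l: not l.jailed and l.bound == dst_ip,
        lambda l: not l.jailed and l.bound == INADDR_ANY,
        lambda l: l.jailed and l.bound == dst_ip,
        lambda l: l.jailed and l.bound == INADDR_ANY and dst_ip in l.jail_ips,
    )
    for matches in tiers:
        for lst in table:
            if matches(lst):
                return lst
    return None


def _names(table: List[Listener],
           lookup: Callable[[List[Listener], str], Optional[Listener]]
           ) -> Dict[str, Optional[str]]:
    """Which listener, if any, receives a connection to each host address."""
    out: Dict[str, Optional[str]] = {}
    for ip in HOST_IPS:
        hit = lookup(table, ip)
        out[ip] = hit.name if hit else None
    return out


def stock_scenario() -> Dict[str, Optional[str]]:
    """Both sshd's bound to INADDR_ANY; the (single-IP) jail owns 192.0.2.3."""
    table = [bind_stock(Listener("host-sshd", INADDR_ANY)),
             bind_stock(Listener("jail-sshd", INADDR_ANY, frozenset({"192.0.2.3"})))]
    return _names(table, lookup_stock)


def proposed_scenario() -> Dict[str, Optional[str]]:
    """Jan's case: four host IPs, the jail owns two, both sshd's on INADDR_ANY."""
    jail = frozenset({"192.0.2.3", "192.0.2.4"})
    table = [Listener("host-sshd", INADDR_ANY), Listener("jail-sshd", INADDR_ANY, jail)]
    return _names(table, lookup_proposed)


def proposed_scenario_host_bound() -> Dict[str, Optional[str]]:
    """Same as proposed_scenario(), but the host sshd is bound to one specific
    address instead of the wildcard, so it no longer shadows the jail."""
    jail = frozenset({"192.0.2.3", "192.0.2.4"})
    table = [Listener("host-sshd", "192.0.2.1"), Listener("jail-sshd", INADDR_ANY, jail)]
    return _names(table, lookup_proposed)


if __name__ == "__main__":
    for label, fn in (("stock", stock_scenario),
                      ("proposed", proposed_scenario),
                      ("proposed, host bound to .1", proposed_scenario_host_bound)):
        print(label)
        for ip, who in fn().items():
            print(f"  connect to {ip:<10} -> {who}")
```

Under the stock rule the jail's daemon answers on the jail's address because its wildcard was turned into an exact match at bind time; under the quoted four-tier order a non-jailed wildcard listener is preferred over a jailed one, so the connection to a jailed address lands on the host process, which is exactly the case Jan asks about. The third scenario shows the configuration that avoids the clash under that order: bind host-side daemons to the addresses they are meant to serve rather than to INADDR_ANY.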