From: "Bjoern A. Zeeb"
Date: Tue, 27 Apr 2010 15:07:08 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r207277 - in head/sys: netinet netinet6

Author: bz
Date: Tue Apr 27 15:07:08 2010
New Revision: 207277
URL: http://svn.freebsd.org/changeset/base/207277

Log:
  Enhance the historic behaviour of raw sockets and jails in a way that we allow all possible jail IPs as source address rather than forcing the "primary". While IPv6 naturally has source address selection, for legacy IP we do not go through the pain in case IP_HDRINCL was not set. People should bind(2) for that. This will, for example, allow ping(|6) -S to work correctly for non-primary addresses.

  Reported by: (ten 211.ru)
  Tested by: (ten 211.ru)
  MFC after: 4 days

Modified:
  head/sys/netinet/raw_ip.c
  head/sys/netinet6/raw_ip6.c

Modified: head/sys/netinet/raw_ip.c ============================================================================== --- head/sys/netinet/raw_ip.c Tue Apr 27 15:05:03 2010 (r207276) +++ head/sys/netinet/raw_ip.c Tue Apr 27 15:07:08 2010 (r207277) 
@@ -427,11 +427,24 @@ rip_output(struct mbuf *m, struct socket ip->ip_p = inp->inp_ip_p; ip->ip_len = m->m_pkthdr.len; ip->ip_src = inp->inp_laddr; - error = prison_get_ip4(inp->inp_cred, &ip->ip_src); - if (error != 0) { - INP_RUNLOCK(inp); - m_freem(m); - return (error); + if (jailed(inp->inp_cred)) { + /* + * prison_local_ip4() would be good enough but would + * let a source of INADDR_ANY pass, which we do not + * want to see from jails. We do not go through the + * pain of in_pcbladdr() for raw sockets. + */ + if (ip->ip_src.s_addr == INADDR_ANY) + error = prison_get_ip4(inp->inp_cred, + &ip->ip_src); + else + error = prison_local_ip4(inp->inp_cred, + &ip->ip_src); + if (error != 0) { + INP_RUNLOCK(inp); + m_freem(m); + return (error); + } } ip->ip_dst.s_addr = dst; ip->ip_ttl = inp->inp_ip_ttl; Modified: head/sys/netinet6/raw_ip6.c ============================================================================== --- head/sys/netinet6/raw_ip6.c Tue Apr 27 15:05:03 2010 (r207276) +++ head/sys/netinet6/raw_ip6.c Tue Apr 27 15:07:08 2010 (r207277) @@ -465,7 +465,7 @@ rip6_output(m, va_alist) &oifp, &in6a); if (error) goto bad; - error = prison_get_ip6(in6p->inp_cred, &in6a); + error = prison_check_ip6(in6p->inp_cred, &in6a); if (error != 0) goto bad; ip6->ip6_src = in6a;
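Review bot: in the rip_output() hunk, wrapping the check in `if (jailed(inp->inp_cred))` means the unjailed path no longer calls prison_get_ip4() at all, where the removed lines called it unconditionally. The log message only describes the jail case, so please state (in the log or in the block comment) that this is intended to leave unjailed raw sockets unchanged. The new comment explains well why INADDR_ANY is routed to prison_get_ip4(); it would also help to say there that a bound source which is not one of the jail's addresses now fails in prison_local_ip4() and the packet is dropped with that error via the existing `m_freem(m); return (error);` path, since that is the user-visible result when a jailed process picks an address it does not own.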
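Review bot: in the rip6_output() hunk, the switch from prison_get_ip6() to prison_check_ip6() carries no comment, while the IPv4 side documents its choice of helper and its INADDR_ANY handling in detail. A short comment above `error = prison_check_ip6(in6p->inp_cred, &in6a);` saying that in6a was already chosen by the source address selection call just above (`&oifp, &in6a`) and is only being validated against the jail here would make the two files read consistently. It is also worth confirming, and noting, that an unspecified source address cannot reach this check, since the IPv4 hunk takes care to keep INADDR_ANY from leaving a jail and nothing visible here does the same for IPv6.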