Date:      Thu, 18 Nov 1999 04:24:04 +0900
From:      Yoshinobu Inoue <shin@nd.net.fujitsu.co.jp>
To:        phk@critter.freebsd.dk
Cc:        beyssac@enst.fr, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: Should jail treat ip-number? 
Message-ID:  <19991118042404X.shin@nd.net.fujitsu.co.jp>
In-Reply-To: <289.942825543@critter.freebsd.dk>
References:  <19991117153126C.shin@nd.net.fujitsu.co.jp> <289.942825543@critter.freebsd.dk> <199911172340.PAA23345@gndrsh.dnsmgr.net>

> >-Jail(2) specifies "ip_number" and/or "ip6_number" to the kernel.
> 
> Well, I guess we want it to be "and", right ?  Will people want to
> bind both an IPv4 and an IPv6 address (does it make sense to do so ?)
> or will people only need to bind one of them ?

I also think it is "and", but maybe some time some application
will use just one of them and specify the other family's addr as
null. So I used "and/or".

> > What about multiple IPv6 or IPv4 addresses per jail? It might be a
> > good idea while Inoue-san is at it. Or is this an incredibly stupid
> > question?
> 
> I don't know how technically difficult it would be to allow multiple
> IPv4 and IPv6 addresses per jail, but I can think of a few very good
> things to do with it.  I spend a fair amount of time playing with
> routing protocols and it would be wonderful to be able to create
> jailed versions of gated/zebra/rodscode on the same box and watch
> them interact.  It would probably cut the size of my hardware lab
> used for this now in half or maybe even quarter it!

I'm not sure if multiple addrs for each address family will
be useful or not.

But at least, I think several other changes (e.g. a kernel routing
table implementation change, or preparing several virtual ones
in user-land) will also be necessary for several instances of
each routing protocol implementation to operate on a system.

> >-Kernel treats "ip6_number" as just the same kind of extension
> > for IPv6 as "ip_number" is for IPv4.
> 
> I'm not against them being sockaddr's.

I think it depends on if we allow multiple addrs per address
family.

If we don't allow it, I think sockaddr is not better, because:

 -Need to explicitly forbid specification of multiple sockaddrs
  of the same family (e.g. each sockaddr is AF_INET) in the API.

 -The kernel side also needs to check case (1), and do some
  additional work
  (return an error, or prefer the former or the latter).

 -When more sockaddr's are added in the future, things will
  be more complicated.

If we allow it (multiple addrs per address family), then I
think a sockaddr list pointer member and a total sockaddr
count member should be added, and they are searched in
prison_ip(), prison_ip6() or the like in the kernel.

But again, I'm not sure how multiple addrs per address family
is useful.

If explicit needs for "multiple addrs per address family" are
not clear now, I would like to try to implement just adding an
ip6_number member for this time.

Yoshinobu Inoue
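The design choice debated in the message above (one ip_number/ip6_number pair versus a searchable list of addresses per family, checked in prison_ip()/prison_ip6()) is easier to reason about with a small user-space model. The following is added example code, not the thread author's patch and not FreeBSD's kern_jail.c: the struct layout, the fixed-size per-family list, prison_check_sockaddr(), check_text() and the errno values chosen are assumptions. The function names prison_ip() and prison_ip6() are taken from the message; the confinement rule modelled is that an unspecified bind address (INADDR_ANY / ::) is rewritten to the jail's first address of that family, an address the jail owns is allowed, and anything else is refused, so a jailed process cannot bind outside its jail. The list version also covers the single-address case (nip == 1), which is the "just add ip6_number" design.

```c
/* Added example: user-space model of per-jail address confinement for
 * IPv4 and IPv6, with a small list of addresses per family.
 * Not FreeBSD's kern_jail.c; names other than prison_ip()/prison_ip6()
 * are assumptions for illustration. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PRISON_MAX_ADDRS 4   /* assumption: small fixed list per family */

struct prison {
    struct in_addr  ip[PRISON_MAX_ADDRS];   /* IPv4 addresses owned by the jail */
    int             nip;
    struct in6_addr ip6[PRISON_MAX_ADDRS];  /* IPv6 addresses owned by the jail */
    int             nip6;
};

/* Add a textual address to the jail's list for its family; 0 or an errno. */
static int prison_add_addr(struct prison *pr, const char *txt)
{
    struct in_addr a4; struct in6_addr a6;
    if (inet_pton(AF_INET, txt, &a4) == 1) {
        if (pr->nip >= PRISON_MAX_ADDRS) return ENOSPC;
        pr->ip[pr->nip++] = a4;
        return 0;
    }
    if (inet_pton(AF_INET6, txt, &a6) == 1) {
        if (pr->nip6 >= PRISON_MAX_ADDRS) return ENOSPC;
        pr->ip6[pr->nip6++] = a6;
        return 0;
    }
    return EINVAL;
}

/* INADDR_ANY is rewritten to the jail's first IPv4 address; any other
 * address must be one the jail owns, otherwise EADDRNOTAVAIL. */
static int prison_ip(const struct prison *pr, struct in_addr *ia)
{
    int i;
    if (pr->nip == 0) return EAFNOSUPPORT;   /* jail has no IPv4 address */
    if (ia->s_addr == htonl(INADDR_ANY)) { *ia = pr->ip[0]; return 0; }
    for (i = 0; i < pr->nip; i++)
        if (ia->s_addr == pr->ip[i].s_addr) return 0;
    return EADDRNOTAVAIL;
}

/* Same rule for IPv6: :: is rewritten, owned addresses pass, others fail. */
static int prison_ip6(const struct prison *pr, struct in6_addr *ia6)
{
    int i;
    if (pr->nip6 == 0) return EAFNOSUPPORT;  /* jail has no IPv6 address */
    if (IN6_IS_ADDR_UNSPECIFIED(ia6)) { *ia6 = pr->ip6[0]; return 0; }
    for (i = 0; i < pr->nip6; i++)
        if (IN6_ARE_ADDR_EQUAL(ia6, &pr->ip6[i])) return 0;
    return EADDRNOTAVAIL;
}

/* Dispatch on sa_family the way a bind(2) path would. */
static int prison_check_sockaddr(const struct prison *pr, struct sockaddr *sa)
{
    switch (sa->sa_family) {
    case AF_INET:  return prison_ip(pr, &((struct sockaddr_in *)sa)->sin_addr);
    case AF_INET6: return prison_ip6(pr, &((struct sockaddr_in6 *)sa)->sin6_addr);
    default:       return EAFNOSUPPORT;
    }
}

/* Convenience for the demo: check a textual bind address, return the errno,
 * and write the (possibly rewritten) address back as text into out. */
static int check_text(const struct prison *pr, const char *txt, char *out, size_t outlen)
{
    struct sockaddr_in sin; struct sockaddr_in6 sin6; int err;
    memset(&sin, 0, sizeof sin); memset(&sin6, 0, sizeof sin6);
    if (inet_pton(AF_INET, txt, &sin.sin_addr) == 1) {
        sin.sin_family = AF_INET;
        err = prison_check_sockaddr(pr, (struct sockaddr *)&sin);
        inet_ntop(AF_INET, &sin.sin_addr, out, (socklen_t)outlen);
        return err;
    }
    if (inet_pton(AF_INET6, txt, &sin6.sin6_addr) == 1) {
        sin6.sin6_family = AF_INET6;
        err = prison_check_sockaddr(pr, (struct sockaddr *)&sin6);
        inet_ntop(AF_INET6, &sin6.sin6_addr, out, (socklen_t)outlen);
        return err;
    }
    return EINVAL;
}

int main(void)
{
    struct prison pr; char buf[INET6_ADDRSTRLEN];
    memset(&pr, 0, sizeof pr);
    /* constructed sample jail: one documentation address per family */
    prison_add_addr(&pr, "192.0.2.10");
    prison_add_addr(&pr, "2001:db8::10");
    printf("0.0.0.0      -> err %d, bound to %s\n", check_text(&pr, "0.0.0.0", buf, sizeof buf), buf);
    printf("192.0.2.99   -> err %d (%s)\n", check_text(&pr, "192.0.2.99", buf, sizeof buf), buf);
    printf("::           -> err %d, bound to %s\n", check_text(&pr, "::", buf, sizeof buf), buf);
    return 0;
}
```

With a single address per family the list degenerates to the ip_number/ip6_number pair the message proposes; the only extra cost of the list form is the loop in prison_ip()/prison_ip6() and the count member. A jail with no address in a family returns EAFNOSUPPORT here, which is one way to model "specify another family's addr as null".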

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991118042404X.shin>