From owner-freebsd-hackers Tue Jun 18 17:04:16 2002
From: Michael Alyn Miller
Date: Tue, 18 Jun 2002 17:03:59 -0700
To: freebsd-hackers@freebsd.org
Subject: jail with multiple IPs (patch)

Hi, folks,

I recently became interested in the jail code and have been very impressed with what I have seen so far. The one thing I found a bit surprising was the lack of support for multiple IP addresses in jail environments. I did some research into the issue, and I found the various posts discussing why this decision was made. While a ``true'' multiple IP address implementation (INADDR_ANY, loopback, etc.) may be rather involved, getting more than one IP address into the jailed environment might be much simpler.

Here is my proposal: Rather than specifying a single IP address when constructing the jail, supply an IP address and netmask. The kernel can then use the IP address in conjunction with the netmask to determine what range of addresses are allowed in the jail without having to run through an actual list of addresses. This approach is similar to how ISPs assign CIDR blocks to their customers. It has various advantages and disadvantages over the method of providing a list of allowed addresses.
I consider its primary advantage to be that it is extremely simple to implement (as can be seen by the attached diff) and does not affect jail's runtime performance. Granted, this method does not solve the INADDR_ANY and localhost issues, but any solution to that side of the jail puzzle is sure to be an invasive one.

The attached diff is based on 4.6-RELEASE. To use it, build and install the jail binary and a new kernel. By default, this diff results in a jail binary that acts the same as before. Adding a ``/ne.tm.as.k'' to the jail call will allow the jail to allocate any of the IP addresses in the netmask. For example..

    jail /home/jail myhost 10.20.30.8/255.255.255.248 /bin/sh

..would allow the jail to use all of the following addresses..

    10.20.30.8
    10.20.30.9
    10.20.30.10
    10.20.30.11
    10.20.30.12
    10.20.30.13
    10.20.30.14
    10.20.30.15

INADDR_ANY and 127.0.0.1 still use the first address. I changed jail's version number (from 0 to 1) as this affects the syscall.

I look forward to your comments, suggestions, criticisms, etc. Thank you for your time!

Michael Alyn Miller
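An added example (not part of Michael's mail or of the attached diff) that models the proposal in user-space C: an address and netmask held in host byte order, as the patch's pr_ip/pr_mask are; the masked membership test the diff adds to the kernel; INADDR_ANY resolving to the first address; and enumeration of the block from the example above. It goes one step beyond the patch by refusing a zero or non-contiguous mask in parse_spec(), because a mask of 0 makes the masked comparison accept every address. struct jail_net and the functions parse_ipv4, mask_is_valid, parse_spec, jail_allows, jail_resolve and jail_enumerate are this example's own names, and inet_pton() is used in place of the patch's inet_aton() so that a bare prefix length such as "/29" is rejected rather than read as 0.0.0.29.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Address and netmask in host byte order, like the patch's pr_ip/pr_mask.
 * Example-only type; the kernel keeps these in struct prison. */
struct jail_net {
	uint32_t ip;	/* first address of the jail; INADDR_ANY resolves to it */
	uint32_t mask;	/* 0xffffffff = a single address, i.e. pre-patch behaviour */
};

/* Dotted quad -> host-order value. inet_pton() requires all four octets,
 * unlike inet_aton(), which reads "29" as 0.0.0.29. Returns 1 on success. */
int parse_ipv4(const char *s, uint32_t *out)
{
	struct in_addr in;

	if (inet_pton(AF_INET, s, &in) != 1)
		return (0);
	*out = ntohl(in.s_addr);
	return (1);
}

/* A usable netmask is ones followed by zeros and not all zero: with mask 0
 * the masked comparison below matches every address. The patch checks this
 * nowhere; this example does. */
int mask_is_valid(uint32_t mask)
{
	uint32_t host_bits;

	if (mask == 0)
		return (0);
	host_bits = ~mask;		/* must be of the form 2^k - 1 */
	return ((host_bits & (host_bits + 1)) == 0);
}

/* "ip-number[/ip-mask]" as the patched jail(8) parses it (no '/' means
 * 0xffffffff), plus the mask validation above. Returns 1 on success. */
int parse_spec(const char *spec, struct jail_net *jn)
{
	char buf[32];
	char *slash;

	if (strlen(spec) >= sizeof buf)
		return (0);
	strcpy(buf, spec);
	slash = strchr(buf, '/');
	if (slash != NULL) {
		*slash = '\0';
		if (!parse_ipv4(slash + 1, &jn->mask))
			return (0);
	} else
		jn->mask = 0xffffffff;
	if (!parse_ipv4(buf, &jn->ip))
		return (0);
	return (mask_is_valid(jn->mask));
}

/* The membership test the diff adds to kern_jail.c and in_pcb.c. */
int jail_allows(const struct jail_net *jn, uint32_t addr)
{
	return ((jn->mask & addr) == (jn->mask & jn->ip));
}

/* INADDR_ANY still maps to the first address, as the mail states. */
uint32_t jail_resolve(const struct jail_net *jn, uint32_t addr)
{
	return (addr == INADDR_ANY ? jn->ip : addr);
}

/* Store every address the jail may use in buf (at most n); return the count. */
size_t jail_enumerate(const struct jail_net *jn, uint32_t *buf, size_t n)
{
	uint32_t net = jn->ip & jn->mask;
	uint32_t last = ~jn->mask;	/* highest host offset in the block */
	uint32_t off = 0;
	size_t count = 0;

	while (count < n) {
		buf[count++] = net | off;
		if (off == last)
			break;
		off++;
	}
	return (count);
}

int main(void)
{
	struct jail_net jn;
	uint32_t a[16];
	size_t i, n;

	/* The block from the mail: 10.20.30.8/255.255.255.248 */
	if (!parse_spec("10.20.30.8/255.255.255.248", &jn))
		return (1);
	n = jail_enumerate(&jn, a, 16);
	for (i = 0; i < n; i++)
		printf("%u.%u.%u.%u\n", (unsigned)(a[i] >> 24),
		    (unsigned)((a[i] >> 16) & 0xff),
		    (unsigned)((a[i] >> 8) & 0xff), (unsigned)(a[i] & 0xff));
	/* The kernel side of the patch would store these; this parser refuses them. */
	printf("mask 0.0.0.0 accepted: %d\n", parse_spec("10.20.30.8/0.0.0.0", &jn));
	printf("prefix /29 accepted: %d\n", parse_spec("10.20.30.8/29", &jn));
	return (0);
}
```

Run as-is it prints the eight addresses listed in the mail and reports that both the all-zero mask and the bare "/29" prefix are refused. The validation lives in parse_spec() only for illustration; in the real patch it belongs in the kernel, next to the `pr->pr_mask = j.ip_mask` assignment, since jail(8) is merely one possible caller of the syscall.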
Attachment: jail.diff (text/plain)

*** sys/kern/kern_jail.c.orig	Thu Aug 16 18:00:26 2001
--- sys/kern/kern_jail.c	Tue Jun 18 13:52:27 2002
***************
*** 62,68 ****
  	error = copyin(uap->jail, &j, sizeof j);
  	if (error)
  		return (error);
! 	if (j.version != 0)
  		return (EINVAL);
  	MALLOC(pr, struct prison *, sizeof *pr , M_PRISON, M_WAITOK);
  	bzero((caddr_t)pr, sizeof *pr);
--- 62,68 ----
  	error = copyin(uap->jail, &j, sizeof j);
  	if (error)
  		return (error);
! 	if (j.version != 1)
  		return (EINVAL);
  	MALLOC(pr, struct prison *, sizeof *pr , M_PRISON, M_WAITOK);
  	bzero((caddr_t)pr, sizeof *pr);
***************
*** 70,75 ****
--- 70,76 ----
  	if (error) 
  		goto bail;
  	pr->pr_ip = j.ip_number;
+ 	pr->pr_mask = j.ip_mask;
  
  	ca.path = j.path;
  	error = chroot(p, &ca);
***************
*** 111,117 ****
  			*ip = htonl(p->p_prison->pr_ip);
  		return (0);
  	}
! 	if (p->p_prison->pr_ip != tmp)
  		return (1);
  	return (0);
  }
--- 112,119 ----
  			*ip = htonl(p->p_prison->pr_ip);
  		return (0);
  	}
! 	if ((p->p_prison->pr_mask & p->p_prison->pr_ip)
! 			!= (p->p_prison->pr_mask & tmp))
  		return (1);
  	return (0);
  }
*** sys/netinet/in_pcb.c.orig	Wed May  1 19:36:50 2002
--- sys/netinet/in_pcb.c	Tue Jun 18 13:52:15 2002
***************
*** 1028,1034 ****
  {
  	if (!p->p_prison)
  		return (0);
! 	if (ntohl(inp->inp_laddr.s_addr) == p->p_prison->pr_ip)
  		return (0);
  	return (1);
  }
--- 1028,1035 ----
  {
  	if (!p->p_prison)
  		return (0);
! 	if ((p->p_prison->pr_mask & ntohl(inp->inp_laddr.s_addr))
! 			== (p->p_prison->pr_mask & p->p_prison->pr_ip))
  		return (0);
  	return (1);
  }
*** sys/sys/jail.h.orig	Wed Nov  1 09:58:06 2000
--- sys/sys/jail.h	Tue Jun 18 13:33:28 2002
***************
*** 18,23 ****
--- 18,24 ----
  	char		*path;
  	char		*hostname;
  	u_int32_t	ip_number;
+ 	u_int32_t	ip_mask;
  };
  
  #ifndef _KERNEL
***************
*** 40,45 ****
--- 41,47 ----
  	int		pr_ref;
  	char 		pr_host[MAXHOSTNAMELEN];
  	u_int32_t	pr_ip;
+ 	u_int32_t	pr_mask;
  	void		*pr_linux;
  };
  
*** usr.sbin/jail/jail.c.orig	Mon Jul 30 03:19:54 2001
--- usr.sbin/jail/jail.c	Tue Jun 18 14:28:36 2002
***************
*** 24,40 ****
  	struct jail j;
  	int i;
  	struct in_addr in;
  
  	if (argc < 5) 
! 		errx(1, "Usage: %s path hostname ip-number command ...\n",
  		    argv[0]);
  	i = chdir(argv[1]);
  	if (i)
  		err(1, "chdir %s", argv[1]);
  	memset(&j, 0, sizeof(j));
! 	j.version = 0;
  	j.path = argv[1];
  	j.hostname = argv[2];
  	i = inet_aton(argv[3], &in);
  	if (!i)
  		errx(1, "Couldn't make sense of ip-number\n");
--- 24,51 ----
  	struct jail j;
  	int i;
  	struct in_addr in;
+ 	char *p;
  
  	if (argc < 5) 
! 		errx(1, "Usage: %s path hostname ip-number[/ip-mask] command ...\n",
  		    argv[0]);
  	i = chdir(argv[1]);
  	if (i)
  		err(1, "chdir %s", argv[1]);
  	memset(&j, 0, sizeof(j));
! 	j.version = 1;
  	j.path = argv[1];
  	j.hostname = argv[2];
+ 	p = strchr(argv[3], '/');
+ 	if (p != NULL) {
+ 		i = inet_aton(p + 1, &in);
+ 		if (!i)
+ 			errx(1, "Couldn't make sense of ip-mask\n");
+ 		j.ip_mask = ntohl(in.s_addr);
+ 		*p = '\0';
+ 	} else {
+ 		j.ip_mask = 0xffffffff;
+ 	}
  	i = inet_aton(argv[3], &in);
  	if (!i)
  		errx(1, "Couldn't make sense of ip-number\n");
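Review bot: in the kern_jail.c hunk at lines 62-68, `if (j.version != 1)` makes every already-installed jail(8) binary fail with EINVAL, and since `copyin(uap->jail, &j, sizeof j)` runs before the version test with the enlarged struct, a version-0 caller also has four bytes read past the end of the structure it passed in. Consider accepting version 0 as well (copy in only the old size for it and default `pr_mask` to 0xffffffff in the kernel) so kernel and userland can be upgraded independently, or state the flag-day requirement explicitly in the patch description.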
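Review bot: in the kern_jail.c hunk at lines 70-76, `pr->pr_mask = j.ip_mask;` stores whatever mask userland supplied with no validation. Given the masked comparisons this patch introduces, a mask of 0 makes both sides of `(pr_mask & pr_ip) != (pr_mask & tmp)` equal for every address and removes the address restriction entirely, and a non-contiguous mask yields a scattered set of allowed addresses rather than a block. Reject a zero or non-contiguous mask here, before the prison is created, rather than relying on jail(8) to pass a sane value; an `ip_number` with host bits set under the mask is worth flagging at the same point.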
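Review bot: in the kern_jail.c hunk at lines 111-119, the masked comparison accepts every address in the block, including its first and last (10.20.30.8 and 10.20.30.15 in the cover mail's example); that is fine for a block of aliases but a reader may expect a subnet's network and broadcast addresses to be excluded, so a one-line comment stating that all addresses under the mask are usable would remove the ambiguity. On style, the continuation line `!= (p->p_prison->pr_mask & tmp))` is indented with tabs only; the existing jail.c code in this same diff (`\t\t    argv[0]);`) shows the tree's convention of four spaces for continuation lines.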
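Review bot: the in_pcb.c hunk at lines 1028-1035 writes out the same masked test as kern_jail.c a second time, here against `ntohl(inp->inp_laddr.s_addr)` and there against `tmp`; if only one of them later gains validation or a loopback special case the two checks will disagree. A small helper in jail.h used from both places (something like a `prison_ip_match(pr, host_order_ip)` inline; name is a suggestion) keeps the rule in one spot. The hunk also fixes a byte-order contract that nothing documents: `pr_mask` is ANDed with a host-order value here, so it must be stored in host order, which jail.c's `j.ip_mask = ntohl(in.s_addr)` happens to guarantee.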
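Review bot: in the jail.c hunk at lines 24-51, the mask parsing `i = inet_aton(p + 1, &in);` does not reject CIDR notation: inet_aton() accepts short forms, so a user who types `10.20.30.8/29` gets the mask 0.0.0.29 (0x0000001d) silently installed in the jail, neither an error nor a /29. Either accept a prefix length explicitly or check that the parsed mask is a contiguous run of ones, and say in the usage string `ip-number[/ip-mask]` that a dotted-quad mask is expected. The diff also contains no change to the jail(8) manual page, which still describes a single ip-number.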