From owner-svn-src-all@freebsd.org Fri Apr 14 22:02:10 2017 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 440BAD3CBDD; Fri, 14 Apr 2017 22:02:10 +0000 (UTC) (envelope-from smh@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 05290FC9; Fri, 14 Apr 2017 22:02:09 +0000 (UTC) (envelope-from smh@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v3EM296f059632; Fri, 14 Apr 2017 22:02:09 GMT (envelope-from smh@FreeBSD.org) Received: (from smh@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v3EM28wG059629; Fri, 14 Apr 2017 22:02:08 GMT (envelope-from smh@FreeBSD.org) Message-Id: <201704142202.v3EM28wG059629@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: smh set sender to smh@FreeBSD.org using -f From: Steven Hartland Date: Fri, 14 Apr 2017 22:02:08 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r316944 - in stable/11: . sys/netinet sys/netinet6 X-SVN-Group: stable-11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Apr 2017 22:02:10 -0000 Author: smh Date: Fri Apr 14 22:02:08 2017 New Revision: 316944 URL: https://svnweb.freebsd.org/changeset/base/316944 Log: MFC r316313, r316328: Allow explicitly assigned IPv4 & IPv6 loopback addresses to be used in jails. Relnotes: Yes Sponsored by: Multiplay Modified: stable/11/UPDATING stable/11/sys/netinet/in_jail.c stable/11/sys/netinet6/in6_jail.c Directory Properties: stable/11/ (props changed) Modified: stable/11/UPDATING ============================================================================== --- stable/11/UPDATING Fri Apr 14 21:49:20 2017 (r316943) +++ stable/11/UPDATING Fri Apr 14 22:02:08 2017 (r316944) @@ -16,6 +16,11 @@ from older versions of FreeBSD, try WITH the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20170414: + Binds and sends to the loopback addresses, IPv6 and IPv4, will now + use any explicitly assigned loopback address available in the jail + instead of using the first assigned address of the jail. + 20170402: Clang, llvm, lldb, compiler-rt and libc++ have been upgraded to 4.0.0. Please see the 20141231 entry below for information about prerequisites Modified: stable/11/sys/netinet/in_jail.c ============================================================================== --- stable/11/sys/netinet/in_jail.c Fri Apr 14 21:49:20 2017 (r316943) +++ stable/11/sys/netinet/in_jail.c Fri Apr 14 22:02:08 2017 (r316944) @@ -306,11 +306,6 @@ prison_local_ip4(struct ucred *cred, str } ia0.s_addr = ntohl(ia->s_addr); - if (ia0.s_addr == INADDR_LOOPBACK) { - ia->s_addr = pr->pr_ip4[0].s_addr; - mtx_unlock(&pr->pr_mtx); - return (0); - } if (ia0.s_addr == INADDR_ANY) { /* @@ -323,6 +318,11 @@ prison_local_ip4(struct ucred *cred, str } error = prison_check_ip4_locked(pr, ia); + if (error == EADDRNOTAVAIL && ia0.s_addr == INADDR_LOOPBACK) { + ia->s_addr = pr->pr_ip4[0].s_addr; + error = 0; + } + mtx_unlock(&pr->pr_mtx); return (error); } @@ -354,7 +354,8 @@ prison_remote_ip4(struct ucred *cred, st return (EAFNOSUPPORT); } - if (ntohl(ia->s_addr) == INADDR_LOOPBACK) { + if (ntohl(ia->s_addr) == INADDR_LOOPBACK && + prison_check_ip4_locked(pr, ia) == EADDRNOTAVAIL) { ia->s_addr = pr->pr_ip4[0].s_addr; mtx_unlock(&pr->pr_mtx); return (0); @@ -370,9 +371,8 @@ prison_remote_ip4(struct ucred *cred, st /* * Check if given address belongs to the jail referenced by cred/prison. * - * Returns 0 if jail doesn't restrict IPv4 or if address belongs to jail, - * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail - * doesn't allow IPv4. Address passed in in NBO. + * Returns 0 if address belongs to jail, + * EADDRNOTAVAIL if the address doesn't belong to the jail. */ int prison_check_ip4_locked(const struct prison *pr, const struct in_addr *ia) Modified: stable/11/sys/netinet6/in6_jail.c ============================================================================== --- stable/11/sys/netinet6/in6_jail.c Fri Apr 14 21:49:20 2017 (r316943) +++ stable/11/sys/netinet6/in6_jail.c Fri Apr 14 22:02:08 2017 (r316944) @@ -293,12 +293,6 @@ prison_local_ip6(struct ucred *cred, str return (EAFNOSUPPORT); } - if (IN6_IS_ADDR_LOOPBACK(ia6)) { - bcopy(&pr->pr_ip6[0], ia6, sizeof(struct in6_addr)); - mtx_unlock(&pr->pr_mtx); - return (0); - } - if (IN6_IS_ADDR_UNSPECIFIED(ia6)) { /* * In case there is only 1 IPv6 address, and v6only is true, @@ -311,6 +305,11 @@ prison_local_ip6(struct ucred *cred, str } error = prison_check_ip6_locked(pr, ia6); + if (error == EADDRNOTAVAIL && IN6_IS_ADDR_LOOPBACK(ia6)) { + bcopy(&pr->pr_ip6[0], ia6, sizeof(struct in6_addr)); + error = 0; + } + mtx_unlock(&pr->pr_mtx); return (error); } @@ -341,7 +340,8 @@ prison_remote_ip6(struct ucred *cred, st return (EAFNOSUPPORT); } - if (IN6_IS_ADDR_LOOPBACK(ia6)) { + if (IN6_IS_ADDR_LOOPBACK(ia6) && + prison_check_ip6_locked(pr, ia6) == EADDRNOTAVAIL) { bcopy(&pr->pr_ip6[0], ia6, sizeof(struct in6_addr)); mtx_unlock(&pr->pr_mtx); return (0); @@ -357,9 +357,8 @@ prison_remote_ip6(struct ucred *cred, st /* * Check if given address belongs to the jail referenced by cred/prison. * - * Returns 0 if jail doesn't restrict IPv6 or if address belongs to jail, - * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail - * doesn't allow IPv6. + * Returns 0 if address belongs to jail, + * EADDRNOTAVAIL if the address doesn't belong to the jail. */ int prison_check_ip6_locked(const struct prison *pr, const struct in6_addr *ia6)