From: Hiroki Sato <hrs@FreeBSD.org>
To: peter@wemm.org
Cc: svn-src-head@FreeBSD.org, remko@FreeBSD.org, gavin@FreeBSD.org, src-committers@FreeBSD.org, svn-src-all@FreeBSD.org
Date: Tue, 15 Oct 2013 13:03:25 +0900 (JST)
Subject: Re: svn commit: r256256 - in head: . etc etc/defaults etc/rc.d share/man/man5 usr.sbin/jail
Message-Id: <20131015.130325.1303921217567498427.hrs@allbsd.org>
In-Reply-To: <525CB6E8.9080407@wemm.org>
List: svn-src-all@FreeBSD.org

Peter Wemm wrote in <525CB6E8.9080407@wemm.org>:

pe> Note how they're all on bge0 and the lo1|127.x is ignored.
pe>
pe> There are some other problems I haven't pinned down yet.  Something has
pe> changed radically with source address selection, and some standard setups
pe> from 7.x through 10.x (as of a few months ago) don't work anymore.  I
pe> haven't yet figured out how to do the per-jail lo1|127.x thing in the new
pe> scheme even with an old rc.d/jail - anything attempting to bind to localhost
pe> gets remapped to the public, fully exposed address.
pe>
pe> I'm still looking.

 Can you test the attached patch?

-- Hiroki

[Attachment: jail_20131015-1.diff (text/x-patch)]

Index: etc/rc.d/jail =================================================================== --- etc/rc.d/jail (revision 256440) +++ etc/rc.d/jail (working copy) @@ -329,9 +329,9 @@ # jail_handle_ips_option() { - local _x _type _i _iface + local _x _type _i _defif _x=$1 - _iface=$2 + _defif=$2 if [ -z "${_x}" ]; then # No IP given. This can happen for the primary address @@ -355,7 +355,8 @@ _type="" _addr="" _mask="" - jail_extract_address $_i $_iface + _iface="" + jail_extract_address $_i $_defif # make sure we got an address. case $_addr in @@ -366,10 +367,10 @@ # Append address to list of addresses for the jail command. case $_type in inet) - echo " ip4.addr += \"${_addr}${_mask}\";" + echo " ip4.addr += \"${_iface}|${_addr}${_mask}\";" ;; inet6) - echo " ip6.addr += \"${_addr}${_mask}\";" + echo " ip6.addr += \"${_iface}|${_addr}${_mask}\";" need_dad_wait=1 ;; esac @@ -414,7 +415,7 @@ jail_start() { - local _j + local _j _jid _jn if [ $# = 0 ]; then return
@@ -426,7 +427,15 @@ command=$jail_program rc_flags=$jail_flags command_args="-f $jail_conf -c" - $command $rc_flags $command_args "*" + jls -nq | while read IN; do + _jn=$(echo $IN | tr " " "\n" | grep name=) + _jid=$(echo $IN | tr " " "\n" | grep jid=) + if $command $rc_flags $command_args ${_jn#name=}; then + echo -n " ${_jn#name=}" + echo "${_jid#jid=}" \ + > /var/run/jail_${_jn#name=}.id + fi + done echo '.' return ;; @@ -446,7 +455,10 @@ if $command $rc_flags $command_args \ >> $_tmp 2>&1 /var/run/jail_${_j}.id else + rm -f /var/run/jail_${_j}.id echo " cannot start jail \"${_hostname:-${_j}}\": " cat $_tmp fi @@ -457,7 +469,7 @@ jail_stop() { - local _j + local _j _jn if [ $# = 0 ]; then return @@ -469,7 +481,14 @@ command=$jail_program rc_flags=$jail_flags command_args="-f $jail_conf -r" - $command $rc_flags $command_args "*" + $jail_jls -nq | while read IN; do + _jn=$(echo $IN | tr " " "\n" | grep name=) + echo -n " ${_jn#name=}" + $command $rc_flags $command_args ${_jn#name=} + if ! $jail_jls -j ${_jn#name=} > /dev/null 2>&1; then + rm -f /var/run/jail_${_jn#name=}.id + fi + done echo '.' return ;; @@ -477,9 +496,14 @@ for _j in $@; do _j=$(echo $_j | tr /. _) parse_options $_j || continue + if ! $jail_jls -j $_j > /dev/null 2>&1; then + continue + fi eval command=\${jail_${_j}_program:-$jail_program} - if $command -q -f $_conf -r $_j; then - echo -n " ${_hostname:-${_j}}" + echo -n " ${_hostname:-${_j}}" + $command -q -f $_conf -r $_j + if ! $jail_jls -j $_j > /dev/null 2>&1; then + rm -f /var/run/jail_${_j}.id fi done echo '.'
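Review bot: in the jail_handle_ips_option hunk, `_iface` is dropped from the `local` list (`local _x _type _i _defif`) but is still assigned (`_iface=""`) and expanded in the `ip4.addr`/`ip6.addr` lines, so it now leaks into the caller's scope; declare it as `local _x _type _i _defif _iface`. Also, when `jail_extract_address` leaves `_iface` empty, the emitted line becomes `ip4.addr += "|10.0.0.1/24";` with a leading `|`; please confirm jail(8) accepts an empty interface name in that position, otherwise write `${_iface:+${_iface}|}${_addr}${_mask}` so the pipe is only emitted together with an interface.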
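Review bot: the `jls -nq` loop in jail_start enumerates jails that are already running, so in the jail_conf "start everything" branch it never creates a jail that is not yet running (at boot the loop body runs zero times), and the jid it writes to `/var/run/jail_<name>.id` is the one jls reported before `$command -c` ran. Keep `$command $rc_flags $command_args "*"` as the step that creates the jails and use jls afterwards only to record the jids. Two smaller points in the same loop: `grep name=` also matches the `host.hostname=` column jls prints when no parameter names are given, so request the columns explicitly (`$jail_jls -q jid name | while read _jid _jn; do`), and use `$jail_jls` as the jail_stop hunk does rather than a bare `jls`.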
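Review bot: in the jail_stop `$jail_jls -nq` loop the name is printed before `$command $rc_flags $command_args ${_jn#name=}` runs and the command's exit status is ignored, so a jail that fails to be removed is listed exactly like one that was, and the only trace is its surviving `.id` file. Keep the name-on-success shape the per-jail branch used to have (`if $command ...; then echo -n " name"; rm -f ...; fi`) or print an explicit failure message. The same `grep name=` concern as in jail_start applies here: ask jls for the `name` column explicitly instead of filtering its default output.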
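Review bot: the new `if ! $jail_jls -j $_j > /dev/null 2>&1; then continue; fi` in the per-jail stop loop silently skips a jail that is not running, and on that path a stale `/var/run/jail_${_j}.id` left by an earlier unclean shutdown is never removed; either `rm -f /var/run/jail_${_j}.id` before the `continue` or print a "not running" note so the operator sees why the name is missing from the output. Note also that the replaced `if $command -q -f $_conf -r $_j; then echo -n " ${_hostname:-${_j}}"` printed the name only on success, while the new code prints it unconditionally; that behaviour change deserves a mention in the commit message.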