From: Pawel Jakub Dawidek
To: Robert Watson
Cc: freebsd-hackers@freebsd.org, phk@freebsd.org
Date: Thu, 20 Feb 2003 19:00:54 +0100
Subject: Re: Multi-level jailing.
Message-ID: <20030220180054.GD76998@garage.freebsd.pl>
References: <20030217070554.GE10767@garage.freebsd.pl>
X-OS: FreeBSD 4.7-STABLE i386

On Thu, Feb 20, 2003 at 10:05:52AM -0500, Robert Watson wrote:
> > I have prepared a patch for jail functionality against FreeBSD
> > 5.0-CURRENT. It provides multi-level jailing and multiple IPs for
> > jails.
>
> Sounds cool, although I haven't had a chance to read the patch yet.
> Question: how did you handle the problem (if at all) that INADDR_ANY
> doesn't perform a wildcard binding with multiple IPs in the same jail?
> It's not strictly required that it be handled, but it was always one of
> the semantic problems I bumped into when I experimented with more IPs. A
> single-IP jail "works" because it maps INADDR_ANY into the only IP
> available. I'll try to get a box up and running with these changes in the
> next few days and give them a spin.

Hmm, this problem is still there, but I think that we could resolve it by
changing all the code where an IP is compared to INADDR_ANY to use a
function like this:

	int
	prison_inaddr_any(struct ucred *cred, u_int32_t ip)
	{
		u_int i;
		struct prison *pr = cred->cr_prison;

		/* Outside a jail INADDR_ANY keeps its ordinary meaning. */
		if (!jailed(cred))
			return (ip == INADDR_ANY);
		/*
		 * Inside a jail, match ip against the jail's address list
		 * (pr_ips/pr_nips are the per-jail list added by the patch).
		 */
		for (i = 0; i < pr->pr_nips; ++i) {
			if (pr->pr_ips[i] == ip)
				return (1);
		}
		return (0);
	}

And remove the mapping to a specific IP; INADDR_ANY should stay there.

-- 
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
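The wildcard-binding semantics the two messages argue about, as an added example that is not part of the thread or of the patch: a userland C model with assumed stand-ins for struct prison (carrying the pr_ips/pr_nips list the patch introduces) and struct ucred. It contrasts the single-IP approach, which rewrites INADDR_ANY to the jail's address at bind() time, with keeping INADDR_ANY in the pcb and checking jail membership when a packet is matched. bind_remap, bind_keep_any, pcb_accepts, prison_has_ip and scenario are names chosen here, not kernel functions, and the 10.0.0.0/8 and 192.0.2.0/24 addresses are constructed test data.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

#define PR_MAXIPS 4

/* Userland stand-ins (assumed shapes, not the kernel's) for the structs the patch touches. */
struct prison {
	uint32_t pr_ips[PR_MAXIPS];	/* jail addresses, network byte order */
	unsigned int pr_nips;
};
struct ucred {
	struct prison *cr_prison;	/* NULL when the process is not jailed */
};

static int
jailed(const struct ucred *cred)
{
	return (cred->cr_prison != NULL);
}

static int
prison_has_ip(const struct prison *pr, uint32_t ip)
{
	unsigned int i;

	for (i = 0; i < pr->pr_nips; i++)
		if (pr->pr_ips[i] == ip)
			return (1);
	return (0);
}

/*
 * Single-IP style bind(): INADDR_ANY is rewritten to the jail's first
 * address, so a socket in a two-address jail listens on only one of them.
 * Returns 0 on success, EADDRNOTAVAIL for an address outside the jail.
 */
int
bind_remap(const struct ucred *cred, uint32_t *laddr)
{
	if (!jailed(cred))
		return (0);
	if (*laddr == INADDR_ANY) {
		*laddr = cred->cr_prison->pr_ips[0];
		return (0);
	}
	return (prison_has_ip(cred->cr_prison, *laddr) ? 0 : EADDRNOTAVAIL);
}

/* Proposed bind(): INADDR_ANY stays; any other address must belong to the jail. */
int
bind_keep_any(const struct ucred *cred, uint32_t *laddr)
{
	if (!jailed(cred) || *laddr == INADDR_ANY)
		return (0);
	return (prison_has_ip(cred->cr_prison, *laddr) ? 0 : EADDRNOTAVAIL);
}

/*
 * Lookup side: does the socket (owner cred, local address laddr) accept a
 * packet to dst?  Unjailed INADDR_ANY matches any address; jailed INADDR_ANY
 * matches exactly the jail's address set and never an address outside it.
 */
int
pcb_accepts(const struct ucred *cred, uint32_t laddr, uint32_t dst)
{
	if (laddr != INADDR_ANY)
		return (laddr == dst);
	return (jailed(cred) ? prison_has_ip(cred->cr_prison, dst) : 1);
}

static uint32_t
ip4(const char *s)
{
	struct in_addr a;

	return (inet_pton(AF_INET, s, &a) == 1 ? a.s_addr : INADDR_NONE);
}

/*
 * Constructed scenario: a jail holding 10.0.0.1 and 10.0.0.2, one socket
 * bound to bind_to under the chosen policy, then a packet sent to dst.
 * Returns -1 if bind() fails, else 1/0 for accepted/rejected.
 */
int
scenario(const char *bind_to, const char *dst, int keep_any)
{
	struct prison pr = { .pr_nips = 2 };
	struct ucred cred = { .cr_prison = &pr };
	uint32_t laddr = ip4(bind_to);

	pr.pr_ips[0] = ip4("10.0.0.1");
	pr.pr_ips[1] = ip4("10.0.0.2");
	if ((keep_any ? bind_keep_any : bind_remap)(&cred, &laddr) != 0)
		return (-1);
	return (pcb_accepts(&cred, laddr, ip4(dst)));
}

int
main(void)
{
	const char *dsts[] = { "10.0.0.1", "10.0.0.2", "192.0.2.1" };
	int i;

	for (i = 0; i < 3; i++)
		printf("wildcard socket, packet to %-9s  remap: %d  keep INADDR_ANY: %d\n",
		    dsts[i], scenario("0.0.0.0", dsts[i], 0), scenario("0.0.0.0", dsts[i], 1));
	printf("bind 192.0.2.1 from inside the jail: %d\n", scenario("192.0.2.1", "192.0.2.1", 1));
	return (0);
}
```

Build with cc -std=c99. The remap policy accepts packets to 10.0.0.1 only and silently drops those to the jail's second address, which is the single-IP limitation Robert describes; keeping INADDR_ANY and testing membership at lookup time accepts both jail addresses while still rejecting 192.0.2.1, and a jailed bind() to an address outside the jail fails under either policy. The jailed branch of prison_has_ip is the same loop as the posted prison_inaddr_any; the difference is only which address is passed to it.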