Date: Sun, 17 Sep 2000 15:40:22 +0200
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet in_pcb.c
Message-ID: <78668.969198022@critter>
In-Reply-To: Your message of "Sun, 17 Sep 2000 06:35:43 PDT." <200009171335.GAA01313@freefall.freebsd.org>

In message <200009171335.GAA01313@freefall.freebsd.org>, Poul-Henning Kamp writes:
>phk         2000/09/17 06:35:43 PDT
>
>  Modified files:
>    sys/netinet          in_pcb.c
>  Log:
>  Properly jail UDP sockets.  This is quite a bit more tricky than TCP.
>
>  This fixes a !root userland panic, and some cases where the wrong
>  interface was chosen for a jailed UDP socket.
>
>  PR:  20167, 19839, 20946

There are still two wrinkles to UDP in jails:

When you send a UDP to 127.0.0.1 you get the answer from the jail's IP address:

  # dig @127.0.0.1 cybercity.dk ns

  ; <<>> DiG 8.3 <<>> @127.0.0.1 cybercity.dk ns
  ; (1 server found)
  ;; res options: init recurs defnam dnsrch
  ;; not our server:
  [...]

I don't know what the practical upshot of that is, but if you use the jail's IP number in /etc/resolv.conf it works as expected.

The other wrinkle is that you have to use a lo0 alias address, even if your jail-IP lives on one of your ethernets. The workaround for that is to add a permanent arp entry for your jail-IP and your own ethernet address on the correct interface.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
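The "not our server" line in the dig output above is the resolver noticing that the reply's source address is not the address it queried. As an added example (not part of this mail or of FreeBSD's code), the Python script below stands in for that jail behaviour with a constructed UDP service that listens on 127.0.0.1 but answers from 127.0.0.2 on the same port, and shows the check done two ways: in userland by comparing the reply's source with the query target, and at the kernel level by using a connected UDP socket, which only delivers datagrams from the exact peer it was connected to. It assumes a Linux host, where all of 127.0.0.0/8 is reachable on the loopback interface.

```python
import socket
import threading

# Constructed stand-in for the behaviour in the mail: a UDP service listens on
# one address but answers from another (assumes both are usable on loopback).
LISTEN_ADDR = "127.0.0.1"
REPLY_ADDR = "127.0.0.2"


def start_misbehaving_server():
    """Listen on LISTEN_ADDR but answer from REPLY_ADDR on the same port.
    Returns the port a client should send its query to."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((LISTEN_ADDR, 0))
    port = listener.getsockname()[1]
    listener.settimeout(5)

    def serve():
        try:
            data, client = listener.recvfrom(512)
            replier = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            replier.bind((REPLY_ADDR, port))  # same port, different source address
            replier.sendto(b"answer:" + data, client)
            replier.close()
        except OSError:
            pass
        finally:
            listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def query(port, connected):
    """Send one datagram to LISTEN_ADDR:port and classify what comes back.
    connected=False: accept from anyone, then apply the resolver-style check.
    connected=True: connect() first, so the kernel drops any other peer's reply."""
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(1.0)
    target = (LISTEN_ADDR, port)
    try:
        if connected:
            client.connect(target)
            client.send(b"q")
            client.recv(512)  # the stray reply never reaches userland
            return "accepted"
        client.sendto(b"q", target)
        _, src = client.recvfrom(512)
        return "accepted" if src == target else "not our server: %s" % src[0]
    except socket.timeout:
        return "timeout"
    finally:
        client.close()
```

With the unconnected socket the reply is delivered and rejected in userland as "not our server: 127.0.0.2"; with the connected socket the call simply times out, which is the stricter behaviour a UDP client gets for free by calling connect() before send().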