Date:      Wed, 16 Aug 2023 13:06:12 GMT
From:      Doug Rabson <dfr@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 182e8ae26d7c - main - netstat(1): teach netstat to attach to jails
Message-ID:  <202308161306.37GD6Cbu075863@gitrepo.freebsd.org>

The branch main has been updated by dfr:

URL: https://cgit.FreeBSD.org/src/commit/?id=182e8ae26d7cad119bcfce7cc788c1f5cb06e226

commit 182e8ae26d7cad119bcfce7cc788c1f5cb06e226
Author:     Doug Rabson <dfr@FreeBSD.org>
AuthorDate: 2023-08-14 08:01:28 +0000
Commit:     Doug Rabson <dfr@FreeBSD.org>
CommitDate: 2023-08-16 13:05:13 +0000

    netstat(1): teach netstat to attach to jails
    
    Add -j <jail> flag to netstat(1) to allow access to network information
    from a jail.
    
    MFC after:      1 week
    Differential Revision: https://reviews.freebsd.org/D41446
---
 usr.bin/netstat/Makefile  |  5 +++
 usr.bin/netstat/main.c    | 57 ++++++++++++++++++++++++++--------
 usr.bin/netstat/netstat.1 | 79 +++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 128 insertions(+), 13 deletions(-)

diff --git a/usr.bin/netstat/Makefile b/usr.bin/netstat/Makefile
index 92f8aa9c30fa..e578cea03183 100644
--- a/usr.bin/netstat/Makefile
+++ b/usr.bin/netstat/Makefile
@@ -69,4 +69,9 @@ SRCS+=	route_netlink.c
 CFLAGS+=-DWITHOUT_NETLINK
 .endif
 
+.if ${MK_JAIL} != "no" && !defined(RESCUE)
+CFLAGS+= -DJAIL
+LIBADD+= jail
+.endif
+
 .include <bsd.prog.mk>
diff --git a/usr.bin/netstat/main.c b/usr.bin/netstat/main.c
index 61b4536a5788..e8a808bb4f56 100644
--- a/usr.bin/netstat/main.c
+++ b/usr.bin/netstat/main.c
@@ -46,6 +46,9 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
 #include <sys/file.h>
+#ifdef JAIL
+#include <sys/jail.h>
+#endif
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -60,6 +63,9 @@ __FBSDID("$FreeBSD$");
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
+#ifdef JAIL
+#include <jail.h>
+#endif
 #include <kvm.h>
 #include <limits.h>
 #include <netdb.h>
@@ -233,6 +239,9 @@ int	interval;	/* repeat interval for i/f stats */
 
 char	*interface;	/* desired i/f for stats, or NULL for all i/fs */
 int	unit;		/* unit number for above */
+#ifdef JAIL
+char	*jail_name;	/* desired jail to operate in */
+#endif
 
 static int	af;		/* address family */
 int	live;		/* true if we are examining a live system */
@@ -245,6 +254,9 @@ main(int argc, char *argv[])
 	int fib = -1;
 	char *endptr;
 	bool first = true;
+#ifdef JAIL
+	int jid;
+#endif
 
 	af = AF_UNSPEC;
 
@@ -252,7 +264,7 @@ main(int argc, char *argv[])
 	if (argc < 0)
 		exit(EXIT_FAILURE);
 
-	while ((ch = getopt(argc, argv, "46AaBbCcdF:f:ghI:iLlM:mN:nOoPp:Qq:RrSTsuWw:xz"))
+	while ((ch = getopt(argc, argv, "46AaBbCcdF:f:ghI:ij:LlM:mN:nOoPp:Qq:RrSTsuWw:xz"))
 	    != -1)
 		switch(ch) {
 		case '4':
@@ -340,6 +352,15 @@ main(int argc, char *argv[])
 		case 'i':
 			iflag = 1;
 			break;
+		case 'j':
+#ifdef JAIL
+			if (optarg == NULL)
+				usage();
+			jail_name = optarg;
+#else
+			errx(1, "Jail support is not compiled in");
+#endif
+			break;
 		case 'L':
 			Lflag = 1;
 			break;
@@ -436,6 +457,16 @@ main(int argc, char *argv[])
 	}
 #endif
 
+#ifdef JAIL
+	if (jail_name != NULL) {
+		jid = jail_getid(jail_name);
+		if (jid == -1)
+			errx(1, "Jail not found");
+		if (jail_attach(jid) != 0)
+			errx(1, "Cannot attach to jail");
+	}
+#endif
+
 	/*
 	 * Discard setgid privileges if not the running kernel so that bad
 	 * guys can't print interesting stuff from kernel memory.
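Review bot: The two failure paths at `jid == -1` and `jail_attach(jid) != 0` discard the diagnostic the callee provides: jail_getid(3) leaves a description in libjail's `jail_errmsg` buffer and jail_attach(2) sets errno, so the user cannot tell a mistyped name from a stopped jail or a missing privilege. Suggest `errx(1, "jail \"%s\" not found: %s", jail_name, jail_errmsg);` and `err(1, "cannot attach to jail \"%s\"", jail_name);`. `jid` could be declared at this point instead of at the top of main() in the earlier hunk, so the `#ifdef JAIL` around the declaration disappears. Since jail_attach(2) also moves the process's root directory into the jail, a `-M core` or `-N system` path given together with `-j` would presumably be resolved relative to the jail's root from here on; a short comment stating that, or an explicit rejection of the combination, would prevent surprises. main() begins and ends outside the hunk.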
@@ -890,24 +921,24 @@ static void
 usage(void)
 {
 	(void)xo_error("%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n",
-"usage: netstat [-46AaCcLnRSTWx] [-f protocol_family | -p protocol]\n"
+"usage: netstat [-j jail] [-46AaCcLnRSTWx] [-f protocol_family | -p protocol]\n"
 "               [-M core] [-N system]",
-"       netstat -i | -I interface [-46abdhnW] [-f address_family]\n"
+"       netstat [-j jail] -i | -I interface [-46abdhnW] [-f address_family]\n"
 "               [-M core] [-N system]",
-"       netstat -w wait [-I interface] [-46d] [-M core] [-N system]\n"
+"       netstat [-j jail] -w wait [-I interface] [-46d] [-M core] [-N system]\n"
 "               [-q howmany]",
-"       netstat -s [-46sz] [-f protocol_family | -p protocol]\n"
+"       netstat [-j jail] -s [-46sz] [-f protocol_family | -p protocol]\n"
 "               [-M core] [-N system]",
-"       netstat -i | -I interface -s [-46s]\n"
+"       netstat [-j jail] -i | -I interface -s [-46s]\n"
 "               [-f protocol_family | -p protocol] [-M core] [-N system]",
-"       netstat -m [-M core] [-N system]",
-"       netstat -B [-z] [-I interface]",
-"       netstat -r [-46AnW] [-F fibnum] [-f address_family]\n"
+"       netstat [-j jail] -m [-M core] [-N system]",
+"       netstat [-j jail] -B [-z] [-I interface]",
+"       netstat [-j jail] -r [-46AnW] [-F fibnum] [-f address_family]\n"
 "               [-M core] [-N system]",
-"       netstat -rs [-s] [-M core] [-N system]",
-"       netstat -g [-46W] [-f address_family] [-M core] [-N system]",
-"       netstat -gs [-46s] [-f address_family] [-M core] [-N system]",
-"       netstat -Q");
+"       netstat [-j jail] -rs [-s] [-M core] [-N system]",
+"       netstat [-j jail] -g [-46W] [-f address_family] [-M core] [-N system]",
+"       netstat [-j jail] -gs [-46s] [-f address_family] [-M core] [-N system]",
+"       netstat [-j jail] -Q");
 	xo_finish();
 	exit(1);
 }
diff --git a/usr.bin/netstat/netstat.1 b/usr.bin/netstat/netstat.1
index 3ba0b1d191f6..df95651499c7 100644
--- a/usr.bin/netstat/netstat.1
+++ b/usr.bin/netstat/netstat.1
@@ -38,16 +38,19 @@
 .Bk -words
 .Bl -tag -width "netstat"
 .It Nm
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46AaCLnPRSTWx
 .Op Fl f Ar protocol_family | Fl p Ar protocol
 .It Nm Fl i | I Ar interface
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46abdhnW
 .Op Fl f Ar address_family
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl w Ar wait
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl I Ar interface
 .Op Fl 46d
@@ -55,46 +58,55 @@
 .Op Fl N Ar system
 .Op Fl q Ar howmany
 .It Nm Fl s
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46sz
 .Op Fl f Ar protocol_family | Fl p Ar protocol
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl i | I Ar interface Fl s
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46s
 .Op Fl f Ar protocol_family | Fl p Ar protocol
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl m
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl B
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl z
 .Op Fl I Ar interface
 .It Nm Fl r
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46nW
 .Op Fl F Ar fibnum
 .Op Fl f Ar address_family
 .It Nm Fl rs
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl s
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl g
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46W
 .Op Fl f Ar address_family
 .It Nm Fl gs
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46s
 .Op Fl f Ar address_family
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl Q
+.Op Fl j Ar jail
 .Op Fl -libxo
 .El
 .Ek
@@ -111,6 +123,7 @@ command uses.
 .Nm
 .Op Fl 46AaCLnRSTWx
 .Op Fl f Ar protocol_family | Fl p Ar protocol
+.Op Fl j Ar jail
 .Ek
 .Xc
 Display a list of active sockets
@@ -238,6 +251,10 @@ Filter by
 .Ar protocol .
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -247,6 +264,7 @@ See
 .Op Fl f Ar address_family
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Show the state of all network interfaces or a single
@@ -316,6 +334,10 @@ Filter by
 .Ar protocol_family .
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -326,6 +348,7 @@ See
 .Op Fl M Ar core
 .Op Fl N Ar system
 .Op Fl q Ar howmany
+.Op Fl j Ar jail
 .Ek
 .Xc
 At intervals of
@@ -374,6 +397,10 @@ See
 Exit after
 .Ar howmany
 outputs.
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -383,6 +410,7 @@ outputs.
 .Op Fl f Ar protocol_family | Fl p Ar protocol
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Display system-wide statistics for each network protocol.
@@ -419,6 +447,10 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -428,6 +460,7 @@ See
 .Op Fl f Ar protocol_family | Fl p Ar protocol
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Display per-interface statistics for each network protocol.
@@ -470,6 +503,10 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -477,6 +514,7 @@ See
 .Fl m
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Show statistics recorded by the memory management routines
@@ -491,6 +529,10 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -498,6 +540,7 @@ See
 .Fl B
 .Op Fl z
 .Op Fl I Ar interface
+.Op Fl j Ar jail
 .Ek
 .Xc
 Show statistics about
@@ -534,6 +577,10 @@ For more information about these flags, please refer to
 .Bl -tag -width indent
 .It Fl z
 Reset statistic counters after displaying them.
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -544,6 +591,7 @@ Reset statistic counters after displaying them.
 .Op Fl f Ar address_family
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Display the contents of routing tables.
@@ -628,6 +676,10 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -636,6 +688,7 @@ See
 .Op Fl s
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Display routing statistics.
@@ -652,6 +705,10 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -661,6 +718,7 @@ See
 .Op Fl f Ar address_family
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Display the contents of the multicast virtual interface tables,
@@ -696,6 +754,10 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -705,6 +767,7 @@ See
 .Op Fl f Ar address_family
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Show multicast routing statistics.
@@ -734,11 +797,16 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
 .Nm
 .Fl Q
+.Op Fl j Ar jail
 .Ek
 .Xc
 Show
@@ -749,6 +817,10 @@ The flags field shows available ISR handlers:
 .It Li C Ta Dv NETISR_SNP_FLAGS_M2CPUID Ta "Able to map mbuf to cpu id"
 .It Li D Ta Dv NETISR_SNP_FLAGS_DRAINEDCPU  Ta "Has queue drain handler"
 .It Li F Ta Dv NETISR_SNP_FLAGS_M2FLOW Ta "Able to map mbuf to flow id"
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .El
 .Ss GENERAL OPTIONS
@@ -808,6 +880,13 @@ Wider output; expand address fields, etc, to avoid truncation.
 Non-numeric values such as domain names may still be truncated; use the
 .Fl n
 option if necessary to avoid ambiguity.
+.It Fl j Ar jail
+Perform the actions inside the
+.Ar jail .
+This allows network state to be accessed even if the
+.Cm netstat
+binary is not available in the
+.Ar jail .
 .El
 .Sh EXAMPLES
 Show packet traffic information (packets, bytes, errors, packet drops, etc) for


