From: Jamie Gritton
Date: Thu, 12 Mar 2009 15:38:41 -0600
To: Kage
Cc: freebsd-jail@FreeBSD.org
Subject: Re: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
Message-ID: <49B980E1.30203@FreeBSD.org>
In-Reply-To: <49B55CA2.7090300@FreeBSD.org>

I wrote:
> Kage wrote:
>
>> Encountering more issues now. Binding just an IPv6 address to a jail
>> shows up in jls -v, but when I run ifconfig -a in the jail, I get an
>> error I've never encountered, and doesn't show up on any Google
>> search:
>>
>> [root@nub:/etc] jls -v
>> JID Hostname Path
>> Name State
>> CPUSetID
>> IP Address(es)
>> 9 jail.template.tld /usr/jails/TEMPLATE
>> ALIVE
>> 10
>> 2610:150:c248:dead:beef:c0ff:eec0:deaa
>>
>> [root@jail:/] ifconfig -a
>> ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported
>
> Recent patches reject sockets in jails that have no addresses in the
> socket's family. So if your jail has no IPv6 addresses, you won't be
> able to create any IPv6 sockets. Likewise your case: if that jail has
> no IPv4 addresses, then it's an IPv4-less jail, and IPv4 sockets won't
> work (Protocol not supported). For actual network connections, this
> makes sense: you won't be able to bind or connect with this socket, as
> there are no IPv4 addresses in the system.
>
> But ifconfig is a different situation. It just needs a socket of some
> sort, and AF_INET has always worked, because any networked system always
> has IPv4 support. But in an IPv4-less system (which an IPv4-less jail
> now acts like), this default isn't useful. Something will need to be
> fixed. I'm not sure if that something is ifconfig or the kernel.

Here's a patch for ifconfig. It allows "ifconfig -a" and a few other
similar informative ifconfig options to run inside an IPv4-less jail (of
course trying to set anything still fails). Outside of a jail, you
should see no change.

Apply it inside your /usr/src tree, and install it both in the root
system (under /sbin) and in your jails (/usr/jails/TEMPLATE or
wherever). Just in case I broke something, keep a copy of the old one
:-). But I've tested it on my own system so I don't expect anything to
be broken.

This is under review and I expect to be able to commit it to Current
shortly, then MFC it a week or so after that. If you have any trouble
with it, feel free to ask me - I'm the one who broke ifconfig in the
first place.

- Jamie

Index: sbin/ifconfig/ifgroup.c =================================================================== --- isbin/ifconfig/fgroup.c (revision 189318) +++ sbin/ifconfig/ifgroup.c (working copy) @@ -131,9 +131,9 @@ int len, cnt = 0; int s; - s = socket(AF_INET, SOCK_DGRAM, 0); + s = socket(AF_LOCAL, SOCK_DGRAM, 0); if (s == -1) - err(1, "socket(AF_INET,SOCK_DGRAM)"); + err(1, "socket(AF_LOCAL,SOCK_DGRAM)"); bzero(&ifgr, sizeof(ifgr)); strlcpy(ifgr.ifgr_name, groupname, sizeof(ifgr.ifgr_name)); if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) { Index: sbin/ifconfig/ifclone.c =================================================================== --- sbin/ifconfig/ifclone.c (revision 189318) +++ sbin/ifconfig/ifclone.c (working copy) 
@@ -54,9 +54,9 @@ int idx; int s; - s = socket(AF_INET, SOCK_DGRAM, 0); + s = socket(AF_LOCAL, SOCK_DGRAM, 0); if (s == -1) - err(1, "socket(AF_INET,SOCK_DGRAM)"); + err(1, "socket(AF_LOCAL,SOCK_DGRAM)"); memset(&ifcr, 0, sizeof(ifcr)); Index: sbin/ifconfig/ifconfig.c =================================================================== --- sbin/ifconfig/ifconfig.c (revision 189318) +++ sbin/ifconfig/ifconfig.c (working copy) @@ -441,22 +441,23 @@ DEF_CMD("ifdstaddr", 0, setifdstaddr); static int -ifconfig(int argc, char *const *argv, int iscreate, const struct afswtch *afp) +ifconfig(int argc, char *const *argv, int iscreate, const struct afswtch *uafp) { - const struct afswtch *nafp; + const struct afswtch *afp, *nafp; const struct cmd *p; struct callback *cb; int s; strncpy(ifr.ifr_name, name, sizeof ifr.ifr_name); + afp = uafp != NULL ? uafp : af_getbyname("inet"); top: - if (afp == NULL) - afp = af_getbyname("inet"); ifr.ifr_addr.sa_family = afp->af_af == AF_LINK || afp->af_af == AF_UNSPEC ? - AF_INET : afp->af_af; + AF_LOCAL : afp->af_af; - if ((s = socket(ifr.ifr_addr.sa_family, SOCK_DGRAM, 0)) < 0) + if ((s = socket(ifr.ifr_addr.sa_family, SOCK_DGRAM, 0)) < 0 && + (uafp != NULL || errno != EPROTONOSUPPORT || + (s = socket(AF_LOCAL, SOCK_DGRAM, 0)) < 0)) err(1, "socket(family %u,SOCK_DGRAM", ifr.ifr_addr.sa_family); while (argc > 0) { @@ -803,11 +804,12 @@ if (afp == NULL) { allfamilies = 1; - afp = af_getbyname("inet"); - } else + ifr.ifr_addr.sa_family = AF_LOCAL; + } else { allfamilies = 0; - - ifr.ifr_addr.sa_family = afp->af_af == AF_LINK ? AF_INET : afp->af_af; + ifr.ifr_addr.sa_family = + afp->af_af == AF_LINK ? AF_LOCAL : afp->af_af; + } strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name)); s = socket(ifr.ifr_addr.sa_family, SOCK_DGRAM, 0);
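
Review bot: in the ifgroup.c and ifclone.c hunks, the switch from AF_INET to AF_LOCAL carries no comment saying that the socket is only an ioctl handle and that AF_INET is refused with "Protocol not supported" in a jail without IPv4 addresses. A one-line comment above each socket() call would stop a later cleanup from changing it back. The same socket()/err() pair is now repeated in both files, so a small shared helper would keep the two in step. The old-file header of the ifgroup.c hunk reads "--- isbin/ifconfig/fgroup.c" while the Index: and "+++" lines say sbin/ifconfig/ifgroup.c; if that is in the attachment itself, the diff should be regenerated.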
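
Review bot: in the @@ -441 hunk of ifconfig.c, when the EPROTONOSUPPORT fallback succeeds the descriptor is an AF_LOCAL socket but ifr.ifr_addr.sa_family still holds the inet default, and when the fallback itself fails err() prints the original family together with the errno of the AF_LOCAL attempt. Suggest setting ifr.ifr_addr.sa_family on the fallback path, or stating in a comment that the mismatch is intended, and reporting which attempt failed. The fallback test also keys on uafp, which is fixed at entry, while afp is what the code after "top:" uses; if a jump back to top: can follow a change of afp, the test should look at that instead. The three-part condition deserves a comment, and the format string "socket(family %u,SOCK_DGRAM" is missing its closing parenthesis.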
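
Review bot: in the @@ -803 hunk of ifconfig.c, the afp == NULL branch no longer assigns afp = af_getbyname("inet"), so afp stays NULL for the rest of the function. Please confirm that nothing after the socket() call dereferences afp when allfamilies is set, or add a comment that afp may be NULL from this point on. This path also uses AF_LOCAL unconditionally, whereas ifconfig() tries inet first and falls back only on EPROTONOSUPPORT; a short comment on why the two sites differ would help the next reader.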
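
The behaviour described in the message (a default family refused with "Protocol not supported", then a fallback to an AF_LOCAL socket used only as an ioctl handle) as a stand-alone added example; it is not part of the patch or of ifconfig. The names `open_ctl_socket`, `ipv4less_socket` and `user_chose` are hypothetical, and the stub is a constructed stand-in for a jail with no IPv4 addresses.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

/* socket(2)-compatible pointer, so the jail behaviour can be simulated. */
typedef int (*socket_fn)(int, int, int);

/* Constructed stand-in for a jail with no IPv4 addresses: AF_INET is
 * refused with EPROTONOSUPPORT, other families go to the real socket(2). */
static int ipv4less_socket(int family, int type, int proto)
{
    if (family == AF_INET) {
        errno = EPROTONOSUPPORT;
        return -1;
    }
    return socket(family, type, proto);
}

/*
 * Open a datagram socket to use as an ioctl handle.
 * family:     family to try first
 * user_chose: non-zero if the user asked for that family (no fallback)
 * used:       receives the family of the socket actually returned
 * Returns the descriptor, or -1 with errno from the attempt that failed.
 */
static int open_ctl_socket(socket_fn mksock, int family, int user_chose,
    int *used)
{
    int s = mksock(family, SOCK_DGRAM, 0);

    *used = family;
    if (s >= 0 || user_chose || errno != EPROTONOSUPPORT)
        return s;
    /* Default family unavailable here: fall back to AF_LOCAL, which the
     * message reports is enough for the informational ifconfig options. */
    *used = AF_LOCAL;
    return mksock(AF_LOCAL, SOCK_DGRAM, 0);
}

int main(void)
{
    int used, s = open_ctl_socket(ipv4less_socket, AF_INET, 0, &used);

    printf("fd=%d family=%d (AF_LOCAL=%d)\n", s, used, AF_LOCAL);
    if (s >= 0)
        close(s);
    return s < 0;
}
```

Passing `socket` itself as the first argument gives the real behaviour of the host or jail the program runs in.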