Date: Thu, 10 Aug 2000 04:21:38 +0900 (JST)
From: akr@m17n.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/20508: process in jail(8) with 127.0.0.2 cannot connect servers on 127.0.0.1.
Message-ID: <20000809192138.54089404@flux.etl.go.jp>
>Number: 20508
>Category: kern
>Synopsis: process in jail(8) with 127.0.0.2 cannot connect servers on 127.0.0.1
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 09 12:30:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Tanaka Akira
>Release: FreeBSD 4.0-RELEASE i386
>Organization:
m17n
>Environment:
FreeBSD flux 4.0-RELEASE FreeBSD 4.0-RELEASE #0: Fri Jul 7 00:53:54 JST 2000 akr@flux:/usr/src/sys/compile/AKR i386
>Description:
When a jail is created with 127.0.0.2 and a jailed process tries to connect to
127.0.0.1:79 (finger daemon), it cannot connect.
This problem is reproduced for all daemons that are explicitly bound to
127.0.0.1 and is not reproduced for daemons that accept connections on all
interfaces.
>How-To-Repeat:
Insert the following lines in /etc/rc.conf.
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
inetd_flags="-wW -a 127.0.0.1"
Check lo0 configuration.
# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
	inet 127.0.0.2 netmask 0xffffffff
Check inetd. inetd listens on 127.0.0.1:79.
inetd listens on 127.0.0.1:79 and telnet to it works well
even if the source IP address is specified as 127.0.0.2.
# netstat -n -a |grep 79
tcp4 0 0 127.0.0.1.79 *.* LISTEN
# grep finger /etc/inetd.conf
finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
finger stream tcp6 nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
# ps auxww|grep inetd
root 372 0.0 0.5 1020 660 p0 S+ 4:11AM 0:00.00 grep inetd
root 160 0.0 0.5 1012 676 ?? Ss 4:05AM 0:00.02 inetd -wW -a 127.0.0.1
# grep \^finger /etc/services
finger 79/tcp
finger 79/udp
Without a jail, telnet to it works well even if the source IP address is
specified as 127.0.0.2.
# telnet -s 127.0.0.2 127.0.0.1 79
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
root
Login: root Name: Charlie Root
Directory: /root Shell: /bin/csh
Last login Tue Aug 8 14:59 (JST) on ttyv1
No Mail.
No Plan.
Connection closed by foreign host.
Set up a jail to run telnet.
# cd /var/tmp
# mkdir jail
# cd jail
# mkdir -p usr/lib usr/libexec
# cp /usr/libexec/ld-elf.so.1 usr/libexec
# ldd /usr/bin/telnet
/usr/bin/telnet:
	libncurses.so.5 => /usr/lib/libncurses.so.5 (0x2807a000)
	libcrypto.so.1 => /usr/lib/libcrypto.so.1 (0x280b9000)
	libkrb.so.3 => /usr/lib/libkrb.so.3 (0x28156000)
	libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x2816f000)
	libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x28184000)
	libmp.so.3 => /usr/lib/libmp.so.3 (0x28186000)
	libipsec.so.0 => /usr/lib/libipsec.so.0 (0x28190000)
	libc.so.4 => /usr/lib/libc.so.4 (0x2819a000)
# cp /usr/lib/libncurses.so.5 /usr/lib/libcrypto.so.1 /usr/lib/libkrb.so.3 /usr/lib/libcrypt.so.2 /usr/lib/libcom_err.so.2 /usr/lib/libmp.so.3 /usr/lib/libipsec.so.0 /usr/lib/libc.so.4 usr/lib
# cp /usr/bin/telnet .
Run telnet and it fails.
# jail /var/tmp/jail xxx 127.0.0.2 /telnet 127.0.0.1 79
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host
I think it shouldn't fail.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
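
Added example, not part of the original problem report: a small C probe that performs the same check as "telnet -s 127.0.0.2 127.0.0.1 79" in the steps above (bind the source address, then connect) and reports the resulting errno. The names probe_connect and make_addr are hypothetical; the assumption is that it is built with "cc -static" so it can be copied into the jail directory without the shared libraries.

```c
/* Added example (not from the PR): stand-in for "telnet -s SRC DST PORT".
 * Function names are hypothetical. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill a sockaddr_in from a dotted-quad string; 0 on success, EINVAL if bad. */
static int make_addr(struct sockaddr_in *sa, const char *ip, unsigned short port) {
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : EINVAL;
}

/* Bind the source address explicitly, then connect to dst:port.
 * Returns 0 when the TCP connection is established, otherwise the errno
 * of the failing call (ECONNREFUSED is the symptom shown in the PR). */
int probe_connect(const char *src, const char *dst, unsigned short port) {
    struct sockaddr_in s, d;
    int fd, rc = 0;
    if (make_addr(&s, src, 0) || make_addr(&d, dst, port)) return EINVAL;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return errno;
    if (bind(fd, (struct sockaddr *)&s, sizeof(s)) < 0 ||
        connect(fd, (struct sockaddr *)&d, sizeof(d)) < 0)
        rc = errno;
    close(fd);
    return rc;
}

int main(int argc, char **argv) {
    if (argc != 4) {
        fprintf(stderr, "usage: %s SRC DST PORT\n", argv[0]);
        return 2;
    }
    int rc = probe_connect(argv[1], argv[2], (unsigned short)atoi(argv[3]));
    printf("%s -> %s:%s: %s\n", argv[1], argv[2], argv[3],
           rc ? strerror(rc) : "connected");
    return rc != 0;
}
```

Running it once on the host and once under jail(8) with the same three arguments gives the two results to compare; repeating it against a daemon bound to all interfaces covers the other case in the description.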
