Date: Tue, 20 Dec 2022 12:37:56 -0500 From: Mark Johnston <markj@freebsd.org> To: "Bjoern A. Zeeb" <bz@freebsd.org> Cc: Andrew Gallatin <gallatin@gmail.com>, "pjd@FreeBSD.org" <pjd@freebsd.org>, James Gritton <jamie@freebsd.org>, jail@freebsd.org, "glebius@FreeBSD.org" <glebius@freebsd.org> Subject: Re: prison_flag() check in hot path of in_pcblookup() Message-ID: <Y6Hy9Hbi8wTuCfpa@nuc> In-Reply-To: <6r10qop4-7p83-qs6s-q3r0-64756n243rp5@serrofq.bet> References: <CADwhF6VuoPCNEqyBmt%2BdZgDwHdaGty2%2BsYU4eYg0_62CMHq-BA@mail.gmail.com> <e5ef5a4dfae8f7723c10dfb8db9b7d9a@freebsd.org> <CADwhF6XyxCdW_PGX5iGd_mX-MFZKCxt5xPhYHDkzgkkQ0kunMg@mail.gmail.com> <6on81os3-501-s5n2-8nos-p85n8op23232@serrofq.bet> <CADwhF6XSQE%2BLg5wOH8BG9G%2BjyBkb1fbArz3KmnQ1FaP_yTgDeg@mail.gmail.com> <6r10qop4-7p83-qs6s-q3r0-64756n243rp5@serrofq.bet>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Dec 13, 2022 at 11:54:17PM +0000, Bjoern A. Zeeb wrote:
> On Tue, 13 Dec 2022, Andrew Gallatin wrote:
>
> > [ I added pjd, since the original patch came from him ]
> >
> > Just to make sure I understand, I have a simple yes/no question:
> >
> > Can jails and the host ever share the same (local) port and the same IP?
>
> Can they currently (I tested only for TCP)?
>
> - local binds can overlap like they can with just the base system.
> so bind(... {AF_INET, laddr, lport} ... ) works fine (REUSEPORT).
>
> - tcp connect of a 2nd socket to the same {faddr, fport} from the above
> bind will fail with 'Address already in use' [currently]
> [I believe that would mean your patch could go in? Where does the error come from [%]?] [*]
I presume that the patch just causes the first loop in
in_pcblookup_hash_locked() to return immediately upon an exact match? I
think this is only valid if in_pcblookup_hash_locked() can assume that
faddr != INADDR_ANY. I'm pretty sure this is true but it's not entirely
obvious to me.
> - tcp listen will work on {laddr, lport} if run in paralllel (REUSEPORT)
> or in base and jail at the same time.
I wonder if we can improve wildcard matching by enforcing an invariant
that jailed sockets always appear first in a hash chain? That would
make hash insertion more expensive but that might be a reasonable
tradeoff.
> [%] likely in_pcbconnect_setup() ? Also one should check the other
> order (jail first then base); also we assume no other race
> conditions in this rather simple testing...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Y6Hy9Hbi8wTuCfpa>