Date: Tue, 20 Dec 2022 12:37:56 -0500
From: Mark Johnston <markj@freebsd.org>
To: "Bjoern A. Zeeb" <bz@freebsd.org>
Cc: Andrew Gallatin <gallatin@gmail.com>, "pjd@FreeBSD.org" <pjd@freebsd.org>, James Gritton <jamie@freebsd.org>, jail@freebsd.org, "glebius@FreeBSD.org" <glebius@freebsd.org>
Subject: Re: prison_flag() check in hot path of in_pcblookup()
Message-ID: <Y6Hy9Hbi8wTuCfpa@nuc>
In-Reply-To: <6r10qop4-7p83-qs6s-q3r0-64756n243rp5@serrofq.bet>
References: <CADwhF6VuoPCNEqyBmt%2BdZgDwHdaGty2%2BsYU4eYg0_62CMHq-BA@mail.gmail.com>
 <e5ef5a4dfae8f7723c10dfb8db9b7d9a@freebsd.org>
 <CADwhF6XyxCdW_PGX5iGd_mX-MFZKCxt5xPhYHDkzgkkQ0kunMg@mail.gmail.com>
 <6on81os3-501-s5n2-8nos-p85n8op23232@serrofq.bet>
 <CADwhF6XSQE%2BLg5wOH8BG9G%2BjyBkb1fbArz3KmnQ1FaP_yTgDeg@mail.gmail.com>
 <6r10qop4-7p83-qs6s-q3r0-64756n243rp5@serrofq.bet>

On Tue, Dec 13, 2022 at 11:54:17PM +0000, Bjoern A. Zeeb wrote:
> On Tue, 13 Dec 2022, Andrew Gallatin wrote:
>
> > [ I added pjd, since the original patch came from him ]
> >
> > Just to make sure I understand, I have a simple yes/no question:
> >
> > Can jails and the host ever share the same (local) port and the same IP?
>
> Can they currently (I tested only for TCP)?
>
> - local binds can overlap like they can with just the base system.
>   so bind(... {AF_INET, laddr, lport} ... ) works fine (REUSEPORT).
>
> - tcp connect of a 2nd socket to the same {faddr, fport} from the above
>   bind will fail with 'Address already in use' [currently]
>   [I believe that would mean your patch could go in? Where does the error come from [%]?]

[*] I presume that the patch just causes the first loop in
in_pcblookup_hash_locked() to return immediately upon an exact match?

I think this is only valid if in_pcblookup_hash_locked() can assume that
faddr != INADDR_ANY. I'm pretty sure this is true but it's not entirely
obvious to me.

> - tcp listen will work on {laddr, lport} if run in parallel (REUSEPORT)
>   or in base and jail at the same time.

I wonder if we can improve wildcard matching by enforcing an invariant
that jailed sockets always appear first in a hash chain? That would
make hash insertion more expensive but that might be a reasonable
tradeoff.

> [%] likely in_pcbconnect_setup() ? Also one should check the other
>     order (jail first then base); also we assume no other race
>     conditions in this rather simple testing...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Y6Hy9Hbi8wTuCfpa>
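
The "jailed sockets first in a hash chain" idea from the message above, sketched as an added example that is not part of the thread and not FreeBSD code. The `struct pcb` type and all function names are hypothetical, and the model covers only the jailed-over-host preference on an exact {laddr, lport} match, not wildcard-address ranking, jail IP checks or locking.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified stand-in for a PCB on one hash chain (hypothetical type). */
struct pcb {
    struct pcb *next;
    uint32_t laddr;
    uint16_t lport;
    int jailed;                 /* nonzero: socket owned by a jail */
};

/* ordered != 0: jailed entries stay first; a non-jailed insert walks past them. */
void chain_insert(struct pcb **head, struct pcb *p, int ordered)
{
    struct pcb **pp = head;
    if (ordered && !p->jailed)
        while (*pp != NULL && (*pp)->jailed)
            pp = &(*pp)->next;  /* the extra insertion cost */
    p->next = *pp;
    *pp = p;
}

/* Prefer a jailed match; on an ordered chain the first match is that match. */
struct pcb *chain_lookup(struct pcb *p, uint32_t laddr, uint16_t lport,
    int ordered, int *visited)
{
    struct pcb *fallback = NULL;
    for (*visited = 0; p != NULL; p = p->next) {
        (*visited)++;
        if (p->laddr != laddr || p->lport != lport)
            continue;
        if (p->jailed || ordered)
            return p;           /* preferred match, stop walking */
        if (fallback == NULL)
            fallback = p;       /* host socket: a jailed one may follow */
    }
    return fallback;
}

/* Constructed case on 192.0.2.1:8080: jailed socket first, then three host sockets. */
int demo_visited(int ordered)
{
    struct pcb s[4], *head = NULL;
    int i, visited;
    for (i = 0; i < 4; i++) {
        s[i] = (struct pcb){ .laddr = 0xc0000201, .lport = 8080, .jailed = (i == 0) };
        chain_insert(&head, &s[i], ordered);
    }
    /* entries visited before the jailed socket is returned, -1 on a wrong hit */
    return chain_lookup(head, 0xc0000201, 8080, ordered, &visited) == &s[0] ? visited : -1;
}
```

With plain head insertion the lookup has to walk all four entries before it reaches the jailed socket; with the ordering invariant it stops at the first entry, at the price of a longer insert for host sockets.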