Date:      Tue, 18 Jun 2002 17:03:59 -0700
From:      Michael Alyn Miller <freebsd-hackers@malyn.eiomail.com>
To:        freebsd-hackers@freebsd.org
Subject:   jail with multiple IPs (patch)
Message-ID:  <774.2.1024445039934@malyn.eiomail.com>


Hi, folks,

I recently became interested in the jail code and have been very
impressed with what I have seen so far.  The one thing I found a
bit surprising was the lack of support for multiple IP addresses
in jail environments.  I did some research into the issue, and I
found the various posts discussing why this decision was made.

While a ``true'' multiple IP address implementation (INADDR_ANY,
loopback, etc.) may be rather involved, getting more than one IP
address into the jailed environment might be much simpler.  Here
is my proposal:

Rather than specifying a single IP address when constructing the
jail, supply an IP address and netmask.  The kernel can then use
the IP address in conjunction with the netmask to determine what
range of addresses is allowed in the jail without having to run
through an actual list of addresses.

This approach is similar to how ISPs assign CIDR blocks to their
customers.  It has various advantages and disadvantages over the
method of providing a list of allowed addresses.  I consider its
primary advantage to be that it is extremely simple to implement
(as can be seen by the attached diff) and does not affect jail's
runtime performance.

Granted, this method does not solve the INADDR_ANY and localhost
issues, but any solution to that side of the jail puzzle is sure
to be an invasive one.

The attached diff is based on 4.6-RELEASE.  To use it, build and
install the jail binary and a new kernel.  By default, this diff
results in a jail binary that acts the same as before.  Adding a
``/ne.tm.as.k'' to the jail call will allow the jail to allocate
any of the IP addresses in the netmask.  For example..

  jail /home/jail myhost 10.20.30.8/255.255.255.248 /bin/sh

..would allow the jail to use all of the following addresses..

  10.20.30.8
  10.20.30.9
  10.20.30.10
  10.20.30.11
  10.20.30.12
  10.20.30.13
  10.20.30.14
  10.20.30.15

INADDR_ANY and 127.0.0.1 still use the first address.  I changed
jail's version number (from 0 to 1) as this affects the syscall.

I look forward to your comments, suggestions, criticisms, etc.

Thank you for your time!

Michael Alyn Miller


-------------------------------
The best kept secret in e-mail.
http://eioMAIL.com/

[Attachment: jail.diff (text/plain, base64-encoded); the patch body is not
included in this archive copy.]
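As an added example, not the diff attached to this message and not FreeBSD's
own jail code: a user-space C model of the address-plus-netmask check the
proposal describes. The type and function names (jail_range,
jail_range_parse, jail_range_allows, jail_range_rewrite, jail_range_count,
ip4) are my own assumptions, the sample spec is the one from the message, and
the kernel side is reduced to the one AND-and-compare the proposal says makes
the check cheap.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the proposal: a jail owns one address plus a netmask.
 * These names are my own; nothing here is taken from the attached jail.diff. */
struct jail_range {
    uint32_t addr;  /* address given to jail(8), host byte order */
    uint32_t mask;  /* netmask, host byte order; /32 when none was given */
};

/* Dotted quad -> host-order integer; 0 on a malformed string. */
uint32_t ip4(const char *dotted)
{
    struct in_addr in;

    if (inet_pton(AF_INET, dotted, &in) != 1)
        return 0;
    return ntohl(in.s_addr);
}

/* Parse "a.b.c.d" or "a.b.c.d/m.m.m.m" as typed on the jail command line.
 * A missing mask means 255.255.255.255, i.e. the old single-address jail.
 * Returns 0 on success, -1 on a malformed address or a non-contiguous mask. */
int jail_range_parse(const char *spec, struct jail_range *r)
{
    char buf[2 * INET_ADDRSTRLEN];
    char *slash;
    struct in_addr a, m;
    uint32_t inv;

    if (strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash != NULL)
        *slash++ = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    if (slash == NULL)
        m.s_addr = htonl(0xffffffffU);
    else if (inet_pton(AF_INET, slash, &m) != 1)
        return -1;
    r->mask = ntohl(m.s_addr);
    /* A contiguous mask looks like 1...10...0, so ~mask + 1 is a power of
     * two; anything else (e.g. 255.0.255.0) is rejected here rather than
     * silently admitting a scattered set of addresses. */
    inv = ~r->mask;
    if ((inv & (inv + 1)) != 0)
        return -1;
    r->addr = ntohl(a.s_addr);
    return 0;
}

/* Number of addresses in the block (2^(32 - prefix length)). */
uint32_t jail_range_count(const struct jail_range *r)
{
    return ~r->mask + 1;
}

/* The check the kernel would make when a jailed process binds to or sends
 * from host_addr: no list walk, just one AND and one compare. */
int jail_range_allows(const struct jail_range *r, uint32_t host_addr)
{
    return (host_addr & r->mask) == (r->addr & r->mask);
}

/* INADDR_ANY and 127.0.0.1 keep the old behaviour: they are rewritten to
 * the jail's first address, the one given on the command line. */
uint32_t jail_range_rewrite(const struct jail_range *r, uint32_t host_addr)
{
    if (host_addr == INADDR_ANY || host_addr == INADDR_LOOPBACK)
        return r->addr;
    return host_addr;
}

int main(void)
{
    struct jail_range r;
    char text[INET_ADDRSTRLEN];
    uint32_t i;

    /* The spec from the message: 10.20.30.8 with a 255.255.255.248 mask. */
    if (jail_range_parse("10.20.30.8/255.255.255.248", &r) != 0) {
        fprintf(stderr, "bad address/netmask\n");
        return 1;
    }
    for (i = 0; i < jail_range_count(&r); i++) {
        struct in_addr in = { .s_addr = htonl((r.addr & r.mask) + i) };
        printf("%s\n", inet_ntop(AF_INET, &in, text, sizeof(text)));
    }
    printf("10.20.30.16 allowed: %d\n",
           jail_range_allows(&r, ip4("10.20.30.16")));
    return 0;
}
```

Run as-is it lists the eight addresses 10.20.30.8 through 10.20.30.15 and
reports that 10.20.30.16 is outside the block. The contiguity test in the
parser is the one check worth carrying into a real implementation of this
scheme: with a non-contiguous mask the AND-and-compare still "works" but the
allowed set is no longer a CIDR block, which defeats the ISP-style reasoning
the proposal relies on.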
