From owner-freebsd-security@FreeBSD.ORG Thu Apr 22 02:21:54 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CA3D116A4CE; Thu, 22 Apr 2004 02:21:54 -0700 (PDT)
Received: from dragonfly.sitetronics.com (zp-c-13e65.mxs.adsl.euronet.nl [81.69.92.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 79F3A43D60; Thu, 22 Apr 2004 02:21:53 -0700 (PDT) (envelope-from dodell@dragonfly.sitetronics.com)
Received: from dragonfly.sitetronics.com (dragonfly [127.0.0.1]) i3MBLKhQ001102; Thu, 22 Apr 2004 11:21:20 GMT (envelope-from dodell@dragonfly.sitetronics.com)
Received: (from dodell@localhost) i3MBLK9I001101; Thu, 22 Apr 2004 11:21:20 GMT (envelope-from dodell)
Date: Thu, 22 Apr 2004 11:21:20 +0000
From: "Devon H. O'Dell"
To: "Christian S.J. Peron"
Message-ID: <20040422112120.GB888@sitetronics.com>
References: <20040420015638.A84821@staff.seccuris.com> <14522.1082452837@critter.freebsd.dk> <20040420200027.A51891@staff.seccuris.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040420200027.A51891@staff.seccuris.com>
User-Agent: Mutt/1.4.2.1i
X-Mailer: Mutt 1.3.23i (2001-10-09)
X-Editor: Vim http://www.vim.org/
cc: freebsd-hackers@freebsd.org
cc: Poul-Henning Kamp
cc: freebsd-security@freebsd.org
Subject: Re: [patch] Raw sockets in jails
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 22 Apr 2004 09:21:55 -0000

Christian S.J. Peron scribbled:
> Poul/group
>
> The following patch makes raw sockets comply with prison IP addresses.
> Some tools such as traceroute(8) may require that the prison IP address
> be specified on the command line, i.e.
>
> traceroute -s
>
> Otherwise it might fail.
>
> (because of this we may want to get rid of the
> create_raw_sockets MIB altogether).
>
> Anyway, take a gander at it (testers' feedback welcome):
>
> Regards
> Christian S.J. Peron

Nice work!

It doesn't seem that it would be very difficult to get this to comply with Pawel's multiple-IPs-in-jail patch, but it would have to be optimized a bit, as the IPs are currently stored in a linked list in his patch, and traversing that list to determine whether the IP complies with the jail's allotted IP range is sub-optimal (as it would have to be done on a per-packet basis). If we could store those IPs in a hash table with a fast algorithm for O(1) lookup times, the prison subsystem would experience significant feature improvements.

--
Kind regards,
Devon H. O'Dell | dodell@sitetronics.com
ICQ: 2903604 | IRC: dho@freenode/dodell@efnet
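The hash-table idea raised in this reply, as an added example that is not part of the thread or of either patch: a small open-addressing set of a jail's IPv4 addresses in C, with the O(1) membership check a raw-socket send path would run against each packet's source address. All names (prison_ipset, prison_ip_add, prison_ip_allowed) are hypothetical, and the table is fixed-size rather than the kernel's own allocator-backed structure.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names, not from the patch: a fixed-size open-addressing hash set
 * of a jail's allotted IPv4 addresses, so the per-packet source check is O(1). */
#define PRISON_IP_BUCKETS 64   /* power of two; keep well above 2x the IP count */
#define NEXT_SLOT(i) (((i) + 1) & (PRISON_IP_BUCKETS - 1))

struct prison_ipset {
    uint32_t slot[PRISON_IP_BUCKETS]; /* addresses in network byte order */
    bool     used[PRISON_IP_BUCKETS];
};

void prison_ip_init(struct prison_ipset *s) { memset(s, 0, sizeof *s); }

/* Fibonacci hash of the raw address into a bucket index (32 - log2(64) = 26). */
static unsigned ipset_hash(uint32_t addr_nbo) { return (addr_nbo * 2654435761u) >> 26; }

/* Add a dotted-quad address; false on bad syntax or a full table. */
bool prison_ip_add(struct prison_ipset *s, const char *dotted)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return false;
    for (unsigned n = 0, i = ipset_hash(a.s_addr); n < PRISON_IP_BUCKETS; n++, i = NEXT_SLOT(i)) {
        if (s->used[i] && s->slot[i] == a.s_addr)
            return true;                      /* already present */
        if (!s->used[i]) {
            s->used[i] = true;
            s->slot[i] = a.s_addr;
            return true;
        }
    }
    return false;
}

/* Per-packet check: may this jail send with src_nbo as the source address?
 * Linear probing stops at the first empty slot, so the expected cost is O(1). */
bool prison_ip_allowed(const struct prison_ipset *s, uint32_t src_nbo)
{
    for (unsigned n = 0, i = ipset_hash(src_nbo); n < PRISON_IP_BUCKETS; n++, i = NEXT_SLOT(i)) {
        if (!s->used[i])
            return false;
        if (s->slot[i] == src_nbo)
            return true;
    }
    return false;
}
```

Deletion is deliberately left out: with linear probing, removing an address needs tombstones or rehashing, which is the kind of detail a real jail IP list would have to settle before replacing the linked list.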