From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Sun, 25 May 2008 19:55:14 +0200
To: freebsd-jail@freebsd.org
Subject: Wildcard IP (INADDR_ANY) should not bind inside a jail [was: Re: Jail resource limits]

Bjoern A. Zeeb wrote:
> On Fri, 23 May 2008, Miroslav Lachman wrote:

[...]

> The person to talk to about implementation/integrations/coordination
> might be me.

As I am searching for and adding some more patches to
http://wiki.freebsd.org/Jails, I found "Wildcard IP (INADDR_ANY) should
not bind inside a jail". The PR
http://www.freebsd.org/cgi/query-pr.cgi?pr=84215 is from 2005, with a
patch for FreeBSD 6.x. As you already have your hands on
"Multi-IPv4/v6/no-IP jails", can you take a look at this patch and try
to incorporate it into your work for FreeBSD 7.x / 8.x?

Miroslav Lachman


From: "Frank Behrens" <frank@pinky.sax.de>
Date: Sun, 25 May 2008 20:34:37 +0200
To: freebsd-jail@freebsd.org
Subject: Re: Wildcard IP (INADDR_ANY) should not bind inside a jail [was: Re: Jail resource limits]

Miroslav Lachman <000.fbsd@quip.cz> wrote on 25 May 2008 19:55:
> As I am searching for and adding some more patches to
> http://wiki.freebsd.org/Jails, I found "Wildcard IP (INADDR_ANY) should
> not bind inside a jail". The PR
> http://www.freebsd.org/cgi/query-pr.cgi?pr=84215 is from 2005, with a
> patch for FreeBSD 6.x. As you already have your hands on
> "Multi-IPv4/v6/no-IP jails", can you take a look at this patch and try
> to incorporate it into your work for FreeBSD 7.x / 8.x?

I'm the author of the mentioned patch/PR. Meanwhile I'm testing Bjoern's
multi-jail patch on FreeBSD-7 and I can confirm that the functionality is
already included. When the multi-jail patch is committed, this PR should
be closed with state "resolved".

BTW, Bjoern's patch works very well.

Regards,
Frank
-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
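As an added check for this thread (not code from PR 84215, from Frank's patch or from Bjoern's multi-IP work), the program below requests a wildcard bind and then asks the kernel, via getsockname(2), which local address the socket actually received. Outside a jail it reports 0.0.0.0; run inside a jail, it lets an administrator compare the reported address against the jail's configured IP to see whether the wildcard is honoured, rewritten or refused. The ephemeral port and the helper names are my own choices.

```c
/* Added example for this thread (not from PR 84215 or the multi-IP patch).
 * Bind a TCP socket to INADDR_ANY on an ephemeral port, then ask the kernel
 * via getsockname(2) what local address the socket really ended up with.
 * Outside a jail the answer is "0.0.0.0"; inside a jail an administrator
 * can compare the answer with the jail's configured address. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind to the IPv4 wildcard and copy the effective local address into buf
 * (dotted quad). Optionally reports the port the kernel picked.
 * Returns 0 on success, -1 on any socket/bind/getsockname failure. */
int wildcard_bind_effective_addr(char *buf, size_t buflen, uint16_t *port_out)
{
    struct sockaddr_in req, got;
    socklen_t len = sizeof(got);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&req, 0, sizeof(req));
    req.sin_family = AF_INET;
    req.sin_addr.s_addr = htonl(INADDR_ANY); /* the wildcard the PR is about */
    req.sin_port = 0;                        /* let the kernel pick a port */

    if (bind(fd, (struct sockaddr *)&req, sizeof(req)) < 0 ||
        getsockname(fd, (struct sockaddr *)&got, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);

    if (inet_ntop(AF_INET, &got.sin_addr, buf, buflen) == NULL)
        return -1;
    if (port_out != NULL)
        *port_out = ntohs(got.sin_port);
    return 0;
}

/* 1 if the effective address is still the wildcard (unrestricted host
 * behaviour), 0 if the kernel substituted a specific address (what a jail
 * may do), -1 if the bind itself was refused or another error occurred. */
int wildcard_bind_is_unrestricted(void)
{
    char addr[INET_ADDRSTRLEN];
    if (wildcard_bind_effective_addr(addr, sizeof(addr), NULL) < 0)
        return -1;
    return strcmp(addr, "0.0.0.0") == 0;
}

int main(void)
{
    char addr[INET_ADDRSTRLEN];
    uint16_t port;
    if (wildcard_bind_effective_addr(addr, sizeof(addr), &port) < 0) {
        perror("wildcard bind");
        return 1;
    }
    printf("requested INADDR_ANY, kernel bound %s:%u\n", addr, port);
    return 0;
}
```

Run once on the host and once via jexec inside a jail; a jail that rewrites or refuses the wildcard bind is visible as a non-wildcard address or as an error, respectively.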
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Date: Sun, 25 May 2008 18:36:48 +0000 (UTC)
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@freebsd.org
Subject: Re: Wildcard IP (INADDR_ANY) should not bind inside a jail [was: Re: Jail resource limits]

On Sun, 25 May 2008, Miroslav Lachman wrote:

Hi,

> Bjoern A. Zeeb wrote:
>> On Fri, 23 May 2008, Miroslav Lachman wrote:
>
> [...]
>
>> The person to talk to about implementation/integrations/coordination
>> might be me.
>
> As I am searching for and adding some more patches to
> http://wiki.freebsd.org/Jails, I found "Wildcard IP (INADDR_ANY) should not
> bind inside a jail". The PR http://www.freebsd.org/cgi/query-pr.cgi?pr=84215
> is from 2005, with a patch for FreeBSD 6.x. As you already have your hands on
> "Multi-IPv4/v6/no-IP jails", can you take a look at this patch and try to
> incorporate it into your work for FreeBSD 7.x / 8.x?

If you look more closely you'll find a bunch of jail patches in PRs. I
intend to deal with all of them once I am done, but not before. There
are several reasons for this.

I checked the list a few weeks ago.

/bz
-- 
Bjoern A. Zeeb                          Stop bit received. Insert coin for new game.


From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Sun, 25 May 2008 22:12:59 +0200
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@freebsd.org
Subject: Re: Wildcard IP (INADDR_ANY) should not bind inside a jail [was: Re: Jail resource limits]

Bjoern A. Zeeb wrote:
> On Sun, 25 May 2008, Miroslav Lachman wrote:
>
> Hi,
>
>> Bjoern A. Zeeb wrote:
>>
>>> On Fri, 23 May 2008, Miroslav Lachman wrote:
>>
>> [...]
>>
>>> The person to talk to about implementation/integrations/coordination
>>> might be me.
>>
>> As I am searching for and adding some more patches to
>> http://wiki.freebsd.org/Jails, I found "Wildcard IP (INADDR_ANY)
>> should not bind inside a jail". The PR
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=84215 is from 2005,
>> with a patch for FreeBSD 6.x. As you already have your hands on
>> "Multi-IPv4/v6/no-IP jails", can you take a look at this patch and try
>> to incorporate it into your work for FreeBSD 7.x / 8.x?
>
> If you look more closely you'll find a bunch of jail patches in PRs. I
> intend to deal with all of them once I am done, but not before.
> There are several reasons for this.
>
> I checked the list a few weeks ago.

I am aware of all PRs assigned to freebsd-jail@FreeBSD.org and a few
others, and I will add them to the wiki page later as time permits.

I am not trying to put any pressure on you or anybody else, but the PR
database does not always say whether somebody is working on a PR etc. I
just asked whether you have some plans / whether you know about this PR.
And your answer is positive. ;)

It would be nice if you (and other developers too) could publish more
information about "what is in progress" to this list, so I can put it on
the page and update the status of patches or items on the list of ideas.

And thank you for your work!

Miroslav Lachman


From: Geoffroy DESVERNAY <dgeo@ec-marseille.fr>
Date: Sun, 25 May 2008 22:41:32 +0200
To: Steven Hartland, freebsd-jail@freebsd.org
Subject: Re: Jail resource limits

Steven Hartland wrote:
> This is something we're really looking forward to tbh a great
> feature :) One of the reasons for this is hosting jails, with
> the addition of multi IP support we will be able to enable
> jails to connect to "backdoor" secure services such as a
> mysql server.
>

We are already doing this (SQL on a separate (physical) LAN), but the jail
doesn't need a second interface for that: the real host's routing table is
used for outgoing packets.
Note we still need a static route on the SQL server for the packets to
come back the same way.

I still don't know if this behaviour is the better one (one may think
that a jail's packets should not go through a different interface?), but
it works quite well ;)

That said, we are interested in testing IPv6 and limitation stuff on
i386/amd64 machines... But not able to code (I may discover a missing ';'
bug, but not much more ;)

-- 
Geoffroy Desvernay
Ecole Centrale de Marseille


From: "Steven Hartland" <killing@multiplay.co.uk>
Date: Sun, 25 May 2008 22:47:55 +0100
To: "Geoffroy DESVERNAY", freebsd-jail@freebsd.org
Subject: Re: Jail resource limits

----- Original Message ----- 
From: "Geoffroy DESVERNAY"
>> This is something we're really looking forward to tbh a great
>> feature :) One of the reasons for this is hosting jails, with
>> the addition of multi IP support we will be able to enable
>> jails to connect to "backdoor" secure services such as a
>> mysql server.
>>
> We are already doing this (SQL on a separate (physical) LAN), but the jail
> doesn't need a second interface for that: the real host's routing table is
> used for outgoing packets.
> Note we still need a static route on the SQL server for the packets to
> come back the same way.
>
> I still don't know if this behaviour is the better one (one may think
> that a jail's packets should not go through a different interface?), but
> it works quite well ;)

Surely that compromises jail security, i.e. being able to access
resources from the host box even if the jail has no perceivable access
to them?

I assume this still doesn't work if the server is in fact run on the main
host, only listening on localhost?

Regards
Steve
From: Geoffroy DESVERNAY <dgeo@ec-marseille.fr>
Date: Mon, 26 May 2008 08:15:47 +0200
To: Steven Hartland
Cc: freebsd-jail@freebsd.org
Subject: Re: Jail resource limits

>> come back the same way.
>>
>> I still don't know if this behaviour is the better one (one may think
>> that a jail's packets should not go through a different interface?), but
>> it works quite well ;)
>
> Surely that compromises jail security, i.e. being able to access
> resources from the host box even if the jail has no perceivable
> access to them?
>

It has to be taken into consideration before production time at least ;)

> I assume this still doesn't work if the server is in fact run on
> the main host, only listening on localhost?
>

I think the main host is never 'only' on localhost, since you must add
interfaces and addresses for the different jails it hosts, and those
interfaces are used by the host's routing table... The IP addresses you
use for jails are usable by the main host, and the routing table of the
main host is used to route the jails' packets... so any jail you host can
use any other jail's route. (If you have only localhost on the main host
and *only one* interface for all your jails, it doesn't hurt.)

In our case, one of our jail hosts is using pf's 'route-to' to re-route
packets from jails that are going to the 'forbidden' interface.

Regards,
-- 
Geoffroy Desvernay
Ecole Centrale de Marseille


From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
Date: Mon, 26 May 2008 11:06:50 GMT
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail

2 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/119305   jail       [jail] [patch] jexec(8): jexec -n prisonname: selectio
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while

10 problems total.


From: mr@FreeBSD.org
Date: Mon, 26 May 2008 13:40:43 GMT
To: frank+pr20070103@harz.behrens.de, mr@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Re: bin/119305: [jail] [patch] jexec(8): jexec -n prisonname: selection by jail name

Synopsis: [jail] [patch] jexec(8): jexec -n prisonname: selection by jail name

State-Changed-From-To: open->closed
State-Changed-By: mr
State-Changed-When: Mon May 26 13:38:20 UTC 2008
State-Changed-Why:
Different patch committed to HEAD.

http://www.freebsd.org/cgi/query-pr.cgi?pr=119305


From: dfilter@FreeBSD.ORG (dfilter service)
Date: Mon, 26 May 2008 19:30:06 GMT
To: freebsd-jail@FreeBSD.org
Subject: Re: bin/119305: commit references a PR

The following reply was made to PR bin/119305; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: bin/119305: commit references a PR
Date: Mon, 26 May 2008 19:25:00 +0000 (UTC)

 mr          2008-05-26 19:24:45 UTC

   FreeBSD src repository

   Modified files:
     usr.sbin/jexec       jexec.8 jexec.c
   Log:
   Add CAUTIONS section to the manpage and update .Dd.
   Spelling fix.

   PR:            bin/119305 (reminded by Frank Behrens)
   Suggested by:  rwatson, maxim
   MFC after:     2 weeks

   Revision  Changes    Path
   1.6       +5 -1      src/usr.sbin/jexec/jexec.8
   1.6       +1 -1      src/usr.sbin/jexec/jexec.c