From owner-freebsd-jail@freebsd.org Mon Jun 11 08:57:21 2018
Date: Mon, 11 Jun 2018 10:57:19 +0200
From: Ole
To: freebsd-jail@freebsd.org
Subject: Re: Jails routing and localhost

Thu, 18 Jan 2018 14:32:06 -0500 - "Isaac (.ike) Levy":

> Hope this helps, tell us how it goes!

Sorry for the delay. I couldn't figure out how to solve this problem and
I decided to take the bull by the horns and migrated everything from
ezjail to iocage with vnet interfaces. This solves the problem.

Ole

From owner-freebsd-jail@freebsd.org Sat Jun 16 17:32:03 2018
Subject: Re: sizeof jail parameter values
To: James Gritton, freebsd-jail@freebsd.org
Cc: freebsd-hackers@freebsd.org
From: Fabian Freyer
Date: Sat, 16 Jun 2018 19:31:44 +0200

[reordered parts of the reply for better reading flow]

On 05/18/2018 18:49, James Gritton wrote:
> I would recommend skipping out on jail_getv(), which is really only
> good for getting a few well-known parameters, and instead use the more
> complete but more complex jailparam_init/get/export/free.

Thanks! I ended up writing wrappers around the jail_get(2) and
jail_set(2) interfaces and constructing the iovectors myself, which
ended up quite a bit cleaner. The jailparam_{init,get,export,free}
APIs are unnecessarily complex and don't seem to be a good fit
(writing wrappers around wrappers around wrappers etc...).

> There is a way to find the length of a string parameter, though there
> isn't a good library interface for it. The security.jail.param.*
> sysctls describe the form of the parameters, giving the type. The
> "contents" of these sysctls are generally unused (and set to zero), but
> for string parameters there's actually the max length of the string
> (itself in string form).

Thanks, this works great for strings!

> For non-string parameters, the length in
> string form depends on the type of the parameters, so for an int you'll
> need as long as the string representation of an int can be, etc. I
> don't know how much good C code will do for you for Rust work, but you
> might want to take a look at jailparam_type() in the libjail source code.

> It gets more complicated with array parameters, those that can hold an
> arbitrary number of values. The IP addresses are the best example of
> that.

I've now hit that snag. I see that the security.jail.param.ip4.addr
and security.jail.param.ip6.addr sysctls contain the sizes of an
in_addr_t and an in6_addr_t, respectively.
How would I now determine the number of IPv4 and IPv6 addresses, or
should I just allocate security.jail.jail_max_af_ips per family? I've
tried to go through how libjail does it, but don't quite understand it,
nor the implied race conditions (?) it attempts to mitigate by reading
the vector multiple times:

lib/libjail/jail.c:
        /*
         * Get the prison. If there are array elements, retry a few times
         * in case their sizes changed from under us.
         */
        for (sanity = 0;; sanity++) {
[...]

Fabian

From owner-freebsd-jail@freebsd.org Sat Jun 16 23:32:09 2018
Date: Sat, 16 Jun 2018 17:12:01 -0600
From: James Gritton
To: Fabian Freyer
Cc: freebsd-jail@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: sizeof jail parameter values

On 2018-06-16 11:31, Fabian Freyer wrote:
> On 05/18/2018 18:49, James Gritton wrote:
>
>> I would recommend skipping out on jail_getv(), which is really only
>> good for getting a few well-known parameters, and instead use the more
>> complete but more complex jailparam_init/get/export/free.
> Thanks! I ended up writing wrappers around the jail_get(2) and
> jail_set(2) interfaces and constructing the iovectors myself, which
> ended up quite a bit cleaner. The jailparam_{init,get,export,free}
> APIs are unnecessarily complex and don't seem to be a good fit
> (writing wrappers around wrappers around wrappers etc...).

They're an attempt to make generic handlers in C, which isn't exactly a
language geared toward such things. If you're working only with a few
specific known fields, your way is just as well.

>> It gets more complicated with array parameters, those that can hold an
>> arbitrary number of values. The IP addresses are the best example of
>> that.
> I've now hit that snag. I see that the security.jail.param.ip4.addr
> and security.jail.param.ip6.addr sysctls contain the sizes of an
> in_addr_t and an in6_addr_t, respectively. How would I now determine
> the number of IPv4 and IPv6 addresses, or should I just allocate
> security.jail.jail_max_af_ips per family? I've tried to go through how
> libjail does it, but don't quite understand it, nor the implied race
> conditions (?) it attempts to mitigate by reading the vector multiple
> times:
>
> lib/libjail/jail.c:
>         /*
>          * Get the prison. If there are array elements, retry a few times
>          * in case their sizes changed from under us.
>          */
>         for (sanity = 0;; sanity++) {
> [...]

If you read a parameter with the value's iov_base set to NULL, it will
return the parameter's length into your iov_len.
So the way to read any variable-length parameter is to call jail_get(2)
once with a NULL value, allocate a buffer according to the returned
length, and then call it again with the allocated iov_base. The race
condition I look for is the jail changing between the time I get the
length and the time I read the value - like most races, very unlikely.

Once again, this is for the generic case. If you have a value with a
known (and reasonably sized) maximum, such as MAXHOSTNAMELEN or
max_af_ips, it's easier to just use that.

- James
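
The two-call read described in the last message, with a bounded retry for the case where the jail changes between the length probe and the read. This is an added example, not code from the thread or from libjail. The names jail_get_fn, read_jail_param and stub_jail_get are hypothetical, the retry bound and the EINVAL-on-too-small behaviour are assumptions, and the stub is constructed so the loop can be exercised off FreeBSD. For an array parameter such as ip4.addr, the element count is the returned length divided by the element size.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Same shape as jail_get(2); on FreeBSD pass jail_get from <sys/jail.h>. */
typedef int (*jail_get_fn)(struct iovec *iov, unsigned int niov, int flags);
/* Probe the length with a NULL value, allocate, read; start over if the jail
 * changed in between. Returns a malloc'd buffer and sets *lenp, else NULL. */
void *read_jail_param(jail_get_fn get, int jid, const char *name, size_t *lenp)
{
    struct iovec iov[4] = {
        { .iov_base = "jid", .iov_len = sizeof("jid") },
        { .iov_base = &jid, .iov_len = sizeof(jid) },
        { .iov_base = (void *)name, .iov_len = strlen(name) + 1 },
    }; /* iov[3] is the value slot, reset on every attempt */
    for (int tries = 0; tries < 10; tries++) { /* bound chosen for this example */
        iov[3].iov_base = NULL; /* NULL value: only the length comes back */
        iov[3].iov_len = 0;
        if (get(iov, 4, 0) < 0) return NULL;
        void *buf = malloc(iov[3].iov_len ? iov[3].iov_len : 1);
        if (buf == NULL) return NULL;
        iov[3].iov_base = buf;
        if (get(iov, 4, 0) >= 0) {
            *lenp = iov[3].iov_len; /* bytes actually returned */
            return buf;
        }
        int grew = (errno == EINVAL); /* assumption: EINVAL = no longer fits */
        free(buf);
        if (!grew) return NULL;
    }
    errno = EAGAIN; /* still changing after every attempt */
    return NULL;
}

/* Constructed stub: a third IPv4 address appears after the first probe. */
static const uint32_t stub_addrs[3] = { 0x0a000001, 0x0a000002, 0x0a000003 };
int stub_calls;
int stub_jail_get(struct iovec *iov, unsigned int niov, int flags)
{
    struct iovec *val = &iov[niov - 1];
    size_t have = (++stub_calls < 2 ? 2 : 3) * sizeof(stub_addrs[0]);
    if (flags != 0 || (val->iov_base != NULL && val->iov_len < have))
        return errno = EINVAL, -1;
    if (val->iov_base != NULL) memcpy(val->iov_base, stub_addrs, have);
    val->iov_len = have;
    return 1; /* jail_get(2) returns the jid on success */
}
```

With the stub, read_jail_param(stub_jail_get, 1, "ip4.addr", &len) takes four calls: the first read is rejected because the buffer was sized for two addresses, and the second probe and read return all three.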