Date:      Thu, 18 Oct 2018 20:35:24 -0600
From:      James Gritton <jamie@freebsd.org>
To:        Julian Elischer <julian@freebsd.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   Re: svn commit: r339411 - stable/11/sys/kern
Message-ID:  <e128b6a0c893aaaea2eb69d5489c5e9a@freebsd.org>
In-Reply-To: <e5b40f8b-6ac1-54bf-073f-ffc7cb95d574@freebsd.org>
References:  <201810171617.w9HGHvVx031753@repo.freebsd.org> <e5b40f8b-6ac1-54bf-073f-ffc7cb95d574@freebsd.org>

On 2018-10-18 16:14, Julian Elischer wrote:
> On 17/10/18 9:17 am, Jamie Gritton wrote:
>> Author: jamie
>> Date: Wed Oct 17 16:17:57 2018
>> New Revision: 339411
>> URL: https://svnweb.freebsd.org/changeset/base/339411
>> 
>> Log:
>>    MFC r339211:
>>
>>    Fix the test prohibiting jails from sharing IP addresses.
>>
>>    It's not supposed to be legal for two jails to contain the same IP address,
>>    unless both jails contain only that one address.  This is the behavior
>>    documented in jail(8), and is there to prevent confusion when multiple
>>    jails are listening on IADDR_ANY.
>>
>>    VIMAGE jails (now the default for GENERIC kernels) test this correctly,
>>    but non-VIMAGE jails have been performing an incomplete test when nested
>>    jails are used.
> I think VIMAGE Jails should be able to have the same address
> optionally..  who says they are even in the same universe?

Indeed.  This is just bad wording - vnet jails didn't have such a 
restriction before this commit, and nothing has changed.  When I said 
they test this correctly, it was about how jails that are descendants of 
vnet jails correctly check all other descendants of their vnet-enabled 
ancestor (also correct before, and unchanged).

For vnet jails themselves, the altered code blocks aren't even executed 
(because "ip4s > 0" and "ip6s > 0" apply only to non-vnet).

- Jamie


>> 
>> Modified:
>>    stable/11/sys/kern/kern_jail.c
>> Directory Properties:
>>    stable/11/   (props changed)
>> 
>> Modified: stable/11/sys/kern/kern_jail.c
>> ==============================================================================
>> --- stable/11/sys/kern/kern_jail.c	Wed Oct 17 16:17:56 2018	(r339410)
>> +++ stable/11/sys/kern/kern_jail.c	Wed Oct 17 16:17:57 2018	(r339411)
>> @@ -1411,11 +1411,12 @@ kern_jail_set(struct thread *td, struct uio 
>> *optuio, i
>>   		 * there is a duplicate on a jail with more than one
>>   		 * IP stop checking and return error.
>>   		 */
>> -		tppr = ppr;
>>   #ifdef VIMAGE
>> -		for (; tppr != &prison0; tppr = tppr->pr_parent)
>> +		for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent)
>>   			if (tppr->pr_flags & PR_VNET)
>>   				break;
>> +#else
>> +		tppr = &prison0;
>>   #endif
>>   		FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) {
>>   			if (tpr == pr ||
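Review bot: The new "#else" branch ("tppr = &prison0;") carries no comment explaining why the non-VIMAGE build starts the descendant walk at the root jail rather than at ppr, and the block comment above it still only describes the duplicate rule. A short comment at the "#else", noting that without VIMAGE all jails share one network stack and so every jail must be checked, would keep a later cleanup from narrowing the search back to the parent's subtree, which is the incomplete nested-jail test the log message describes.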
>> @@ -1478,11 +1479,12 @@ kern_jail_set(struct thread *td, struct uio 
>> *optuio, i
>>   			}
>>   		}
>>   		/* Check for conflicting IP addresses. */
>> -		tppr = ppr;
>>   #ifdef VIMAGE
>> -		for (; tppr != &prison0; tppr = tppr->pr_parent)
>> +		for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent)
>>   			if (tppr->pr_flags & PR_VNET)
>>   				break;
>> +#else
>> +		tppr = &prison0;
>>   #endif
>>   		FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) {
>>   			if (tpr == pr ||
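Review bot: The start-of-search selection at the top of this hunk (the "#ifdef VIMAGE" loop up to the first PR_VNET ancestor, with "tppr = &prison0;" under "#else") is a verbatim copy of the block in the hunk at -1411, so the two address checks can drift apart if only one copy is edited later. Consider moving it into a small static helper that returns the prison to start FOREACH_PRISON_DESCENDANT from, and calling that helper in both places. As a style point, the unbraced "for" whose body is an unbraced "if ... break" would also read more safely with braces once it lives in one place.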
>> 
>> 


