Date:      Tue, 15 Oct 2013 13:03:25 +0900 (JST)
From:      Hiroki Sato <hrs@FreeBSD.org>
To:        peter@wemm.org
Cc:        svn-src-head@FreeBSD.org, remko@FreeBSD.org, gavin@FreeBSD.org, src-committers@FreeBSD.org, svn-src-all@FreeBSD.org
Subject:   Re: svn commit: r256256 - in head: . etc etc/defaults etc/rc.d share/man/man5 usr.sbin/jail
Message-ID:  <20131015.130325.1303921217567498427.hrs@allbsd.org>
In-Reply-To: <525CB6E8.9080407@wemm.org>
References:  <20131012.015639.236155929172394900.hrs@allbsd.org> <alpine.BSF.2.00.1310141941570.79845@thunderhorn.york.ac.uk> <525CB6E8.9080407@wemm.org>

----Security_Multipart0(Tue_Oct_15_13_03_25_2013_850)--
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Tue_Oct_15_13_03_25_2013_377)--"
Content-Transfer-Encoding: 7bit

----Next_Part(Tue_Oct_15_13_03_25_2013_377)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Peter Wemm <peter@wemm.org> wrote
  in <525CB6E8.9080407@wemm.org>:

pe> Note how they're all on bge0 and the lo1|127.x is ignored.
pe>
pe> There's some other problems I haven't pinned down yet.  Something has
pe> changed radically with source address selection and some standard setups
pe> from 7.x through 10.x (as of a few months ago) don't work anymore.  I
pe> haven't yet figured out how to do the per-jail lo1|127.x thing in the new
pe> scheme even with an old rc.d/jail - anything attempting to bind to localhost
pe> gets remapped to the public, fully exposed address.
pe>
pe> I'm still looking.

 Can you test the attached patch?

-- Hiroki

----Next_Part(Tue_Oct_15_13_03_25_2013_377)--
Content-Type: Text/X-Patch; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="jail_20131015-1.diff"

Index: etc/rc.d/jail
===================================================================
--- etc/rc.d/jail	(revision 256440)
+++ etc/rc.d/jail	(working copy)
@@ -329,9 +329,9 @@
 #
 jail_handle_ips_option()
 {
-	local _x _type _i _iface
+	local _x _type _i _defif
 	_x=$1
-	_iface=$2
+	_defif=$2

 	if [ -z "${_x}" ]; then
 		# No IP given. This can happen for the primary address
@@ -355,7 +355,8 @@
 		_type=""
 		_addr=""
 		_mask=""
-		jail_extract_address $_i $_iface
+		_iface=""
+		jail_extract_address $_i $_defif

 		# make sure we got an address.
 		case $_addr in
@@ -366,10 +367,10 @@
 		# Append address to list of addresses for the jail command.
 		case $_type in
 		inet)
-			echo "	ip4.addr += \"${_addr}${_mask}\";"
+			echo "	ip4.addr += \"${_iface}|${_addr}${_mask}\";"
 		;;
 		inet6)
-			echo "	ip6.addr += \"${_addr}${_mask}\";"
+			echo "	ip6.addr += \"${_iface}|${_addr}${_mask}\";"
 			need_dad_wait=1
 		;;
 		esac
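Review bot: When `_iface` is still empty after jail_extract_address (the address had no `iface|` prefix and no default interface was passed as `$2`), L75 and L79 emit a value with a bare leading separator, `ip4.addr += "|addr"`; unless jail(8) is known to accept an empty interface in front of `|`, the separator should only be emitted together with a name: `echo "	ip4.addr += \"${_iface:+${_iface}|}${_addr}${_mask}\";"` on L75 and the same `${_iface:+${_iface}|}` on L79. jail_extract_address is outside this hunk, so whether it can leave `_iface` empty is inferred from the `_iface=""` reset that precedes the call in the earlier hunk.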
@@ -414,7 +415,7 @@

 jail_start()
 {
-	local _j
+	local _j _jid _jn

 	if [ $# = 0 ]; then
 		return
@@ -426,7 +427,15 @@
 		command=$jail_program
 		rc_flags=$jail_flags
 		command_args="-f $jail_conf -c"
-		$command $rc_flags $command_args "*"
+		jls -nq | while read IN; do
+			_jn=$(echo $IN | tr " " "\n" | grep name=)
+			_jid=$(echo $IN | tr " " "\n" | grep jid=)
+			if $command $rc_flags $command_args ${_jn#name=}; then
+				echo -n " ${_jn#name=}"
+				echo "${_jid#jid=}" \
+				    > /var/run/jail_${_jn#name=}.id
+			fi
+		done
 		echo '.'
 		return
 	;;
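Review bot: As far as I can tell `jls -nq` on L97 enumerates only jails that already exist in the kernel, so with the `"*"` invocation dropped on L96 the `_ALL` start path creates nothing at boot, and for any jail it does list a `jail -c` on an existing name is expected to fail; if the goal is to record jids, keep `$command $rc_flags $command_args "*"` ahead of the loop and make the loop a pure recording pass, or drive the loop from the names in `$jail_conf` instead. Independently, `grep name=` on L98 is unanchored and in `jls -n` output also matches parameters such as `host.hostname=`, after which the unquoted `${_jn#name=}` on L100-L103 expands to several words; use `grep '^name='` and `grep '^jid='` here, on L113 and on L135. L97 and L113 also call `jls` directly where L134 uses `$jail_jls`, and `read IN` should be `read -r IN` so backslashes in parameter values are passed through unchanged.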
@@ -446,7 +455,10 @@
 		if $command $rc_flags $command_args \
 		    >> $_tmp 2>&1 </dev/null; then
 			echo -n " ${_hostname:-${_j}}"
+			_jid=$(jls -n -j $_j | tr " " "\n" | grep jid=)
+			echo "${_jid#jid=}" > /var/run/jail_${_j}.id
 		else
+			rm -f /var/run/jail_${_j}.id
 			echo " cannot start jail \"${_hostname:-${_j}}\": "
 			cat $_tmp
 		fi
@@ -457,7 +469,7 @@

 jail_stop()
 {
-	local _j
+	local _j _jn

 	if [ $# = 0 ]; then
 		return
@@ -469,7 +481,14 @@
 		command=$jail_program
 		rc_flags=$jail_flags
 		command_args="-f $jail_conf -r"
-		$command $rc_flags $command_args "*"
+		$jail_jls -nq | while read IN; do
+			_jn=$(echo $IN | tr " " "\n" | grep name=)
+			echo -n " ${_jn#name=}"
+			$command $rc_flags $command_args ${_jn#name=}
+			if ! $jail_jls -j ${_jn#name=} > /dev/null 2>&1; then
+				rm -f /var/run/jail_${_jn#name=}.id
+			fi
+		done
 		echo '.'
 		return
 	;;
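Review bot: The exit status of `$command $rc_flags $command_args ${_jn#name=}` on L137 is discarded, so a failed removal is visible only as the `.id` file surviving the L138 check, and the same silent pattern is introduced on L156 in the per-jail branch. `jls -nq` also lists jails the removed `"*"` form never touched — ones not defined in `$jail_conf`, and child jails that vanish once their parent is removed — and for those `jail -f $jail_conf -r` can only fail, so the lack of a message hides real state. Suggest reporting it in an else branch of the L138 check, e.g. `echo -n " (still running)"` after the name, mirroring the "cannot start jail" message jail_start already prints.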
@@ -477,9 +496,14 @@
 	for _j in $@; do
 		_j=$(echo $_j | tr /. _)
 		parse_options $_j || continue
+		if ! $jail_jls -j $_j > /dev/null 2>&1; then
+			continue
+		fi
 		eval command=\${jail_${_j}_program:-$jail_program}
-		if $command -q -f $_conf -r $_j; then
-			echo -n " ${_hostname:-${_j}}"
+		echo -n " ${_hostname:-${_j}}"
+		$command -q -f $_conf -r $_j
+		if ! $jail_jls -j $_j > /dev/null 2>&1; then
+			rm -f /var/run/jail_${_j}.id
 		fi
 	done
 	echo '.'
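Review bot: The `continue` on L150 skips jails that are not running before the `rm -f` on L158 is reached, so a stale `/var/run/jail_${_j}.id` left behind by a crash or a manual `jail -r` is never cleaned up by this path. Moving the cleanup into the guard fixes that: `if ! $jail_jls -j $_j > /dev/null 2>&1; then rm -f /var/run/jail_${_j}.id; continue; fi`. The id file name depends on `$_j` having gone through `tr /. _` on L147, which is what keeps the path inside /var/run; the loop header on L146 is the start of this block and its function continues outside the hunk.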

----Next_Part(Tue_Oct_15_13_03_25_2013_377)----

----Security_Multipart0(Tue_Oct_15_13_03_25_2013_850)--
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (FreeBSD)

iEYEABECAAYFAlJcvo0ACgkQTyzT2CeTzy2FyQCfcWgoz3FPCVVK9W+r3Pc0h7Hu
5iwAoIDWkoVouvseIXuDokvLGzk2ni9g
=9PM/
-----END PGP SIGNATURE-----

----Security_Multipart0(Tue_Oct_15_13_03_25_2013_850)----


