Date: Tue, 15 Oct 2013 13:03:25 +0900 (JST)
From: Hiroki Sato <hrs@FreeBSD.org>
To: peter@wemm.org
Cc: svn-src-head@FreeBSD.org, remko@FreeBSD.org, gavin@FreeBSD.org, src-committers@FreeBSD.org, svn-src-all@FreeBSD.org
Subject: Re: svn commit: r256256 - in head: . etc etc/defaults etc/rc.d share/man/man5 usr.sbin/jail
Message-ID: <20131015.130325.1303921217567498427.hrs@allbsd.org>
In-Reply-To: <525CB6E8.9080407@wemm.org>
References: <20131012.015639.236155929172394900.hrs@allbsd.org> <alpine.BSF.2.00.1310141941570.79845@thunderhorn.york.ac.uk> <525CB6E8.9080407@wemm.org>
Peter Wemm <peter@wemm.org> wrote in <525CB6E8.9080407@wemm.org>:

pe> Note how they're all on bge0 and the lo1|127.x is ignored.
pe>
pe> There are some other problems I haven't pinned down yet. Something has
pe> changed radically with source address selection and some standard setups
pe> from 7.x through 10.x (as of a few months ago) don't work anymore. I
pe> haven't yet figured out how to do the per-jail lo1|127.x thing in the new
pe> scheme even with an old rc.d/jail - anything attempting to bind to localhost
pe> gets remapped to the public, fully exposed address.
pe>
pe> I'm still looking.

Can you test the attached patch?

-- Hiroki

Attachment: jail_20131015-1.diff

Index: etc/rc.d/jail =================================================================== --- etc/rc.d/jail (revision 256440) +++ etc/rc.d/jail (working copy) @@ -329,9 +329,9 @@ # jail_handle_ips_option() { - local _x _type _i _iface + local _x _type _i _defif _x=$1 - _iface=$2 + _defif=$2 if [ -z "${_x}" ]; then # No IP given. This can happen for the primary address @@ -355,7 +355,8 @@ _type="" _addr="" _mask="" - jail_extract_address $_i $_iface + _iface="" + jail_extract_address $_i $_defif # make sure we got an address. case $_addr in @@ -366,10 +367,10 @@ # Append address to list of addresses for the jail command. case $_type in inet) - echo " ip4.addr += \"${_addr}${_mask}\";" + echo " ip4.addr += \"${_iface}|${_addr}${_mask}\";" ;; inet6) - echo " ip6.addr += \"${_addr}${_mask}\";" + echo " ip6.addr += \"${_iface}|${_addr}${_mask}\";" need_dad_wait=1 ;; esac
@@ -414,7 +415,7 @@ jail_start() { - local _j + local _j _jid _jn if [ $# = 0 ]; then return @@ -426,7 +427,15 @@ command=$jail_program rc_flags=$jail_flags command_args="-f $jail_conf -c" - $command $rc_flags $command_args "*" + jls -nq | while read IN; do + _jn=$(echo $IN | tr " " "\n" | grep name=) + _jid=$(echo $IN | tr " " "\n" | grep jid=) + if $command $rc_flags $command_args ${_jn#name=}; then + echo -n " ${_jn#name=}" + echo "${_jid#jid=}" \ + > /var/run/jail_${_jn#name=}.id + fi + done echo '.' return ;; @@ -446,7 +455,10 @@ if $command $rc_flags $command_args \ >> $_tmp 2>&1 </dev/null; then echo -n " ${_hostname:-${_j}}" + _jid=$(jls -n -j $_j | tr " " "\n" | grep jid=) + echo "${_jid#jid=}" > /var/run/jail_${_j}.id else + rm -f /var/run/jail_${_j}.id echo " cannot start jail \"${_hostname:-${_j}}\": " cat $_tmp fi @@ -457,7 +469,7 @@ jail_stop() { - local _j + local _j _jn if [ $# = 0 ]; then return @@ -469,7 +481,14 @@ command=$jail_program rc_flags=$jail_flags command_args="-f $jail_conf -r" - $command $rc_flags $command_args "*" + $jail_jls -nq | while read IN; do + _jn=$(echo $IN | tr " " "\n" | grep name=) + echo -n " ${_jn#name=}" + $command $rc_flags $command_args ${_jn#name=} + if ! $jail_jls -j ${_jn#name=} > /dev/null 2>&1; then + rm -f /var/run/jail_${_jn#name=}.id + fi + done echo '.' return ;; 
@@ -477,9 +496,14 @@ for _j in $@; do _j=$(echo $_j | tr /. _) parse_options $_j || continue + if ! $jail_jls -j $_j > /dev/null 2>&1; then + continue + fi eval command=\${jail_${_j}_program:-$jail_program} - if $command -q -f $_conf -r $_j; then - echo -n " ${_hostname:-${_j}}" + echo -n " ${_hostname:-${_j}}" + $command -q -f $_conf -r $_j + if ! $jail_jls -j $_j > /dev/null 2>&1; then + rm -f /var/run/jail_${_j}.id fi done echo '.'
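Review bot: in the jail_handle_ips_option() hunks (@@ -355 and @@ -366), if jail_extract_address leaves _iface empty because the rc.conf address carries no interface and no default was passed in $_defif, the emitted line is `ip4.addr += "|addr/mask";` with nothing before the pipe. Either confirm that jail(8) treats an empty interface name before `|` as "no interface" rather than trying to configure it, or only prefix when set, e.g. `echo " ip4.addr += \"${_iface:+${_iface}|}${_addr}${_mask}\";"` and the same for ip6.addr. Since _iface was dropped from the `local` list, it is now an output variable of jail_extract_address like _type/_addr/_mask; a one-line comment next to `_iface=""` saying so would save the next reader a search.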
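Review bot: in the jail_start() no-argument branch (@@ -426), `jls -nq | while read IN` enumerates jails that already exist, so at boot the loop body never runs and no jail defined in $jail_conf is created, while on a warm system it calls `jail -f $jail_conf -c` on jails that are already up. The removed `$command $rc_flags $command_args "*"` is what created every configured jail; keep it for creation and walk `jls -nq` afterwards only to record the jids. Also, `grep name=` matches `host.hostname=` and `host.domainname=` in `jls -n` output as well as `name=`, so _jn becomes several lines and `${_jn#name=}` only strips the first; use `grep '^name='` (and `grep '^jid='` for symmetry) and `read -r IN` so backslashes in values are not interpreted.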
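Review bot: the per-jail jail_start() hunk (@@ -446) calls `jls -n -j $_j` directly while the jail_stop() hunks call `$jail_jls`; use `$jail_jls` here as well so an rc.conf override of jail_jls applies on the start path too. Writing `/var/run/jail_${_j}.id` only on success and removing it on failure is the right pairing.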
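Review bot: in the jail_stop() no-argument branch (@@ -481), `$jail_jls -nq` lists every running jail, including ones that were started by hand or by another tool and are not defined in $jail_conf, and `$command -f $jail_conf -r <name>` is then run on each of them; the previous `"*"` limited removal to configured jails. Either keep the wildcard for the removal step and use the jls loop only for the .id cleanup, or filter the names against the config. The name is also echoed before removal is attempted, so a jail that does not go away is still listed as stopped; add an else branch to `if ! $jail_jls -j ${_jn#name=}` that reports the failure. `grep name=` here has the same issue as elsewhere in the patch: it also matches `host.hostname=`, so anchor it with `grep '^name='`.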
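Review bot: in the last hunk (@@ -496), the exit status of `$command -q -f $_conf -r $_j` is discarded and the hostname is echoed beforehand, so a jail that survives removal is reported as stopped and merely keeps its .id file. Give `if ! $jail_jls -j $_j > /dev/null 2>&1` an else that prints a "cannot stop jail" line, mirroring the "cannot start jail" message already used in jail_start(). The early `continue` for jails that are not running is a sensible addition and avoids spurious removal attempts.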
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20131015.130325.1303921217567498427.hrs>