jail questions

Chuck Musser cmusser at sonic.net
Wed Jun 3 17:22:10 PDT 2020


Yup, it all seems to work as documented. I haven't looked at the sysctl
variables yet, but it's on my list.

If the jail was unique local address (in 127.0.0.0/8), the translation
from 127.0.0.1 to the assigned local address makes sense during a
bind(2) operation. The rationale is that jails can be assumed to have
the "normal" loopback address. You can just specify "localhost" rather
than have every jail be a special case. The host administrator may
configure the jails so that they have distinct local addresses and not
clash, but "inmates" don't need to know that. The comments in the
kernel's jail basically state that, and it does seem straightforward.

I don't quite understand the rationale of translating from 127.0.0.1 to
a non-local address however. If you create the jail with only a
non-local address (like 192.168.50.200, or whatever), a bind to
127.0.0.1 binds to that non-local address outside the jail. It does mean
that programs binding to localhost are available on that non-local
address, which may not be what was expected. I don't think it's
necessarily wrong, and preventing "exposure" is just a matter of
assigning a local address. But I wanted to understand the back story
there.

Chuck
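A way to observe the bind(2) rewriting the message describes, as an added example that is not part of the original post: the program asks for 127.0.0.1, then reads back with getsockname(2) the address the kernel actually bound, so an administrator can see from inside a jail whether a "localhost" service has in fact landed on the jail's non-local address. It assumes only a POSIX sockets API; on an unjailed host the reported address is simply 127.0.0.1.

```c
/* Added example (not from the original thread): bind a TCP socket to a
 * requested address and report what address the kernel actually bound,
 * via getsockname(2). In a jail whose only address is non-local, the
 * poster describes 127.0.0.1 being rewritten to that address; on an
 * unjailed host the result is just 127.0.0.1. Assumes a POSIX sockets
 * API; the jail behaviour itself is taken from the message above. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind to `requested` (IPv4 dotted quad) on an ephemeral port and write
 * the address the socket ended up bound to into `out`.
 * Returns 0 on success, -1 on any failure. */
int bound_addr(const char *requested, char *out, size_t outlen)
{
    struct sockaddr_in want, got;
    socklen_t len = sizeof got;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&want, 0, sizeof want);
    want.sin_family = AF_INET;
    want.sin_port = htons(0);                 /* let the kernel pick a port */
    if (inet_pton(AF_INET, requested, &want.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&want, sizeof want) != 0 ||
        getsockname(fd, (struct sockaddr *)&got, &len) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    /* `got` holds the address the jail (if any) substituted for ours. */
    return inet_ntop(AF_INET, &got.sin_addr, out, outlen) ? 0 : -1;
}

/* Report whether a "localhost" bind stayed local or was moved elsewhere. */
int main(void)
{
    char addr[INET_ADDRSTRLEN];
    if (bound_addr("127.0.0.1", addr, sizeof addr) != 0) {
        perror("bound_addr");
        return 1;
    }
    printf("requested 127.0.0.1, kernel bound %s\n", addr);
    if (strcmp(addr, "127.0.0.1") != 0)
        printf("note: loopback binds are reachable on %s outside the jail\n", addr);
    return 0;
}
```

Run it once on the host and once inside the jail; a differing second line is the exposure the message talks about, and giving the jail an address in 127.0.0.0/8 is the fix it suggests.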