Name resolution from a jail
Simon 'corecode' Schubert
corecode at fs.ei.tum.de
Wed Jan 17 07:33:49 PST 2007
Simon 'corecode' Schubert wrote:
This is a multi-part message in MIME format.
--------------000808030508040705030804
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable
YONETANI Tomokazu wrote:
$ w
6:13PM up 2:52, 1 user, load averages: 0.19, 0.25, 0.13
USER TTY FROM LOGIN@ IDLE WHAT
(press control+Z here, as it's stuck on reverse name resolution)
$ netstat -anfinet |fgrep .53
udp4 0 0 64.125.66.215.1119 192.168.2.175.53
~~~~~~~~~~~~~
this address doesn't belong to our network.
I found a stack reference bug and took the chance to clean up the code. =
Please have a look at attached patch. If victor agrees, I'll commit this=
=2E
sorry for the broken MIME. My enigmail from cvs seems to be quite broken. patch attached again.
somebody please commit this if it works.
cheers
simon
--
Serve - BSD +++ RENT this banner advert +++ ASCII Ribbon /"\
Work - Mac +++ space for low €€€ NOW!1 +++ Campaign \ /
Party Enjoy Relax | http://dragonflybsd.org Against HTML \
Dude 2c 2 the max ! http://golden-apple.biz Mail + News / \
Index: sys/jail.h
===================================================================
RCS file: /home/dcvs/src/sys/sys/jail.h,v
retrieving revision 1.9
diff -u -p -r1.9 jail.h
--- sys/jail.h 29 Dec 2006 18:02:56 -0000 1.9
+++ sys/jail.h 17 Jan 2007 12:45:47 -0000
@@ -68,8 +68,8 @@ MALLOC_DECLARE(M_PRISON);
/* Used to store the IPs of the jail */
struct jail_ip_storage {
- SLIST_ENTRY(jail_ip_storage) entries;
struct sockaddr_storage ip;
+ SLIST_ENTRY(jail_ip_storage) entries;
};
/*
@@ -85,10 +85,10 @@ struct prison {
struct nchandle pr_root; /* namecache entry of root */
char pr_host[MAXHOSTNAMELEN]; /* host name */
SLIST_HEAD(iplist, jail_ip_storage) pr_ips; /* list of IP addresses */
- struct sockaddr_storage *local_ip4; /* cache for a loopback ipv4 address */
- struct sockaddr_storage *nonlocal_ip4; /* cache for a non loopback ipv4 address */
- struct sockaddr_storage *local_ip6; /* cache for a loopback ipv6 address */
- struct sockaddr_storage *nonlocal_ip6; /* cache for a non loopback ipv6 address */
+ struct sockaddr_in *local_ip4; /* cache for a loopback ipv4 address */
+ struct sockaddr_in *nonlocal_ip4; /* cache for a non loopback ipv4 address */
+ struct sockaddr_in6 *local_ip6; /* cache for a loopback ipv6 address */
+ struct sockaddr_in6 *nonlocal_ip6; /* cache for a non loopback ipv6 address */
void *pr_linux; /* Linux ABI emulation */
int pr_securelevel; /* jail securelevel */
struct varsymset pr_varsymset; /* jail varsyms */
@@ -105,8 +105,10 @@ extern int jail_chflags_allowed;
void prison_hold(struct prison *);
void prison_free(struct prison *);
int jailed_ip(struct prison *, struct sockaddr *);
-int prison_get_local(struct prison *pr, struct sockaddr *);
-int prison_get_nonlocal(struct prison *pr, struct sockaddr *);
+struct sockaddr *
+ prison_get_local(struct prison *pr, sa_family_t, struct sockaddr *);
+struct sockaddr *
+ prison_get_nonlocal(struct prison *pr, sa_family_t, struct sockaddr *);
/*
* Return 1 if the passed credential is in a jail, otherwise 0.
Index: kern/kern_jail.c
===================================================================
RCS file: /home/dcvs/src/sys/kern/kern_jail.c,v
retrieving revision 1.16
diff -u -p -r1.16 kern_jail.c
--- kern/kern_jail.c 1 Jan 2007 19:45:54 -0000 1.16
+++ kern/kern_jail.c 17 Jan 2007 12:53:16 -0000
@@ -59,6 +59,7 @@
#include <netinet6/in6_var.h>
static struct prison *prison_find(int);
+static void prison_ipcache_init(struct prison *);
MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
@@ -195,6 +196,7 @@ sys_jail(struct jail_args *uap)
cache_copy(&nd.nl_nch, &pr->pr_root);
varsymset_init(&pr->pr_varsymset, NULL);
+ prison_ipcache_init(pr);
tryprid = lastprid + 1;
if (tryprid == JAIL_MAX)
@@ -255,6 +257,45 @@ sys_jail_attach(struct jail_attach_args
return(kern_jail_attach(uap->jid));
}
+static void
+prison_ipcache_init(struct prison *pr)
+{
+ struct jail_ip_storage *jis;
+ struct sockaddr_in *ip4;
+ struct sockaddr_in6 *ip6;
+
+ SLIST_FOREACH(jis, &pr->pr_ips, entries) {
+ switch (jis->ip.ss_family) {
+ case AF_INET:
+ ip4 = (struct sockaddr_in *)&jis->ip;
+ if ((ntohl(ip4->sin_addr.s_addr) >> IN_CLASSA_NSHIFT) ==
+ IN_LOOPBACKNET) {
+ /* loopback address */
+ if (pr->local_ip4 == NULL)
+ pr->local_ip4 = ip4;
+ } else {
+ /* public address */
+ if (pr->nonlocal_ip4 == NULL)
+ pr->nonlocal_ip4 = ip4;
+ }
+ break;
+
+ case AF_INET6:
+ ip6 = (struct sockaddr_in6 *)&jis->ip;
+ if (IN6_IS_ADDR_LOOPBACK(&ip6->sin6_addr)) {
+ /* loopback address */
+ if (pr->local_ip6 == NULL)
+ pr->local_ip6 = ip6;
+ } else {
+ /* public address */
+ if (pr->nonlocal_ip6 == NULL)
+ pr->nonlocal_ip6 = ip6;
+ }
+ break;
+ }
+ }
+}
+
/*
* Changes INADDR_LOOPBACK for a valid jail address.
* ip is in network byte order.
@@ -284,7 +325,8 @@ prison_replace_wildcards(struct thread *
ip4->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) ||
(ip->sa_family == AF_INET6 &&
IN6_IS_ADDR_LOOPBACK(&ip6->sin6_addr))) {
- if (!prison_get_local(pr, ip) && !prison_get_nonlocal(pr, ip))
+ if (!prison_get_local(pr, ip->sa_family, ip) &&
+ !prison_get_nonlocal(pr, ip->sa_family, ip))
return(0);
else
return(1);
@@ -309,7 +351,8 @@ prison_remote_ip(struct thread *td, stru
ip4->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) ||
(ip->sa_family == AF_INET6 &&
IN6_IS_ADDR_LOOPBACK(&ip6->sin6_addr))) {
- if (!prison_get_local(pr, ip) && !prison_get_nonlocal(pr, ip))
+ if (!prison_get_local(pr, ip->sa_family, ip) &&
+ !prison_get_nonlocal(pr, ip->sa_family, ip))
return(0);
else
return(1);
@@ -319,135 +362,68 @@ prison_remote_ip(struct thread *td, stru
/*
* Prison get non loopback ip:
- * Put on *ip the first IP address that is not a loopback address.
- * af is the address family of the ip we want (AF_INET|AF_INET6).
+ * - af is the address family of the ip we want (AF_INET|AF_INET6).
+ * - If ip != NULL, put the first IP address that is not a loopback address
+ * into *ip.
+ *
* ip is in network by order and we don't touch it unless we find a valid ip.
- * Return 1 if we've found a non loopback ip, else return 0.
+ * No matter if ip == NULL or not, we return either a valid struct sockaddr *,
+ * or NULL. This struct may not be modified.
*/
-int
-prison_get_nonlocal(struct prison *pr, struct sockaddr *ip)
+struct sockaddr *
+prison_get_nonlocal(struct prison *pr, sa_family_t af, struct sockaddr *ip)
{
- struct jail_ip_storage *jis;
- struct sockaddr_in *jip4, *ip4;
- struct sockaddr_in6 *jip6, *ip6;
+ struct sockaddr_in *ip4 = (struct sockaddr_in *)ip;
+ struct sockaddr_in6 *ip6 = (struct sockaddr_in6 *)ip;
- ip4 = (struct sockaddr_in *)ip;
- ip6 = (struct sockaddr_in6 *)ip;
/* Check if it is cached */
- switch(ip->sa_family) {
- case AF_INET:
- /* -1 Means that we don't have any address */
- if (pr->nonlocal_ip4 == (struct sockaddr_storage *)-1)
- return(0);
- if (pr->nonlocal_ip4 != NULL) {
- jip4 = (struct sockaddr_in *) pr->nonlocal_ip4;
- ip4->sin_addr.s_addr = jip4->sin_addr.s_addr;
- }
- break;
- case AF_INET6:
- /* -1 Means that we don't have any address */
- if (pr->nonlocal_ip6 == (struct sockaddr_storage *)-1)
- return(0);
- if (pr->nonlocal_ip6 != NULL) {
- jip6 = (struct sockaddr_in6 *) pr->nonlocal_ip6;
- ip6->sin6_addr = jip6->sin6_addr;
- }
- break;
- };
- SLIST_FOREACH(jis, &pr->pr_ips, entries) {
- switch (ip->sa_family) {
- case AF_INET:
- jip4 = (struct sockaddr_in *) &jis->ip;
- if (jip4->sin_family == AF_INET &&
- ((ntohl(jip4->sin_addr.s_addr) >> IN_CLASSA_NSHIFT) != IN_LOOPBACKNET)) {
- pr->nonlocal_ip4 = &jis->ip;
- ip4->sin_addr.s_addr = jip4->sin_addr.s_addr;
- return(1);
- }
- break;
- case AF_INET6:
- jip6 = (struct sockaddr_in6 *) &jis->ip;
- if ( jip6->sin6_family == AF_INET6 &&
- !IN6_IS_ADDR_LOOPBACK(&jip6->sin6_addr)) {
- pr->nonlocal_ip6 = &jis->ip;
- ip6->sin6_addr = jip6->sin6_addr;
- return(1);
- }
- break;
- }
+ switch(af) {
+ case AF_INET:
+ if (ip4 != NULL && pr->nonlocal_ip4 != NULL)
+ ip4->sin_addr.s_addr = pr->nonlocal_ip4->sin_addr.s_addr;
+ return (struct sockaddr *)pr->nonlocal_ip4;
+
+ case AF_INET6:
+ if (ip6 != NULL && pr->nonlocal_ip6 != NULL)
+ ip6->sin6_addr = pr->nonlocal_ip6->sin6_addr;
+ return (struct sockaddr *)pr->nonlocal_ip6;
}
- if (ip->sa_family == AF_INET)
- pr->nonlocal_ip4 = (struct sockaddr_storage *)-1;
- else
- pr->nonlocal_ip6 = (struct sockaddr_storage *)-1;
- return(0);
+
+ /* NOTREACHED */
+ return NULL;
}
/*
* Prison get loopback ip.
- * Put on *ip the first loopback IP address.
- * af is the address family of the ip we want (AF_INET|PF_INET).
- * *ip is in network by order and we don't touch it unless we find a valid ip.
- * return 1 if we've found a loopback ip, else return 0.
+ * - af is the address family of the ip we want (AF_INET|AF_INET6).
+ * - If ip != NULL, put the first IP address that is not a loopback address
+ * into *ip.
+ *
+ * ip is in network by order and we don't touch it unless we find a valid ip.
+ * No matter if ip == NULL or not, we return either a valid struct sockaddr *,
+ * or NULL. This struct may not be modified.
*/
-int
-prison_get_local(struct prison *pr, struct sockaddr *ip)
+struct sockaddr *
+prison_get_local(struct prison *pr, sa_family_t af, struct sockaddr *ip)
{
- struct jail_ip_storage *jis;
- struct sockaddr_in *jip4, *ip4;
- struct sockaddr_in6 *jip6, *ip6;
+ struct sockaddr_in *ip4 = (struct sockaddr_in *)ip;
+ struct sockaddr_in6 *ip6 = (struct sockaddr_in6 *)ip;
- ip4 = (struct sockaddr_in *)ip;
- ip6 = (struct sockaddr_in6 *)ip;
/* Check if it is cached */
- switch(ip->sa_family) {
- case AF_INET:
- /* -1 Means that we don't have any address */
- if (pr->local_ip4 == (struct sockaddr_storage *)-1)
- return(0);
- if (pr->local_ip4 != NULL) {
- jip4 = (struct sockaddr_in *) pr->local_ip4;
- ip4->sin_addr.s_addr = jip4->sin_addr.s_addr;
- }
- break;
- case AF_INET6:
- /* -1 Means that we don't have any address */
- if (pr->local_ip6 == (struct sockaddr_storage *)-1)
- return(0);
- if (pr->local_ip6 != NULL) {
- jip6 = (struct sockaddr_in6 *) pr->local_ip6;
- ip6->sin6_addr = jip6->sin6_addr;
- }
- break;
- };
- SLIST_FOREACH(jis, &pr->pr_ips, entries) {
- switch(ip->sa_family) {
- case AF_INET:
- jip4 = (struct sockaddr_in *) &jis->ip;
- if (jip4->sin_family == AF_INET &&
- ((ntohl(jip4->sin_addr.s_addr) >> IN_CLASSA_NSHIFT)
- == IN_LOOPBACKNET)) {
- pr->local_ip4 = &jis->ip;
- ip4->sin_addr.s_addr = jip4->sin_addr.s_addr;
- return(1);
- }
- break;
- case AF_INET6:
- jip6 = (struct sockaddr_in6 *) &jis->ip;
- if (jip6->sin6_family == AF_INET6 &&
- IN6_IS_ADDR_LOOPBACK(&jip6->sin6_addr)) {
- pr->local_ip6 = &jis->ip;
- ip6->sin6_addr = jip6->sin6_addr;
- return(1);
- }
- break;
- }
+ switch(af) {
+ case AF_INET:
+ if (ip4 != NULL && pr->local_ip4 != NULL)
+ ip4->sin_addr.s_addr = pr->local_ip4->sin_addr.s_addr;
+ return (struct sockaddr *)pr->local_ip4;
+
+ case AF_INET6:
+ if (ip6 != NULL && pr->local_ip6 != NULL)
+ ip6->sin6_addr = pr->local_ip6->sin6_addr;
+ return (struct sockaddr *)pr->local_ip6;
}
- if (ip->sa_family == AF_INET)
- pr->local_ip4 = (struct sockaddr_storage *)-1;
- else
- pr->local_ip6 = (struct sockaddr_storage *)-1;
- return(0);
+
+ /* NOTREACHED */
+ return NULL;
}
/* Check if the IP is among ours, if it is return 1, else 0 */
Index: netinet/in_pcb.c
===================================================================
RCS file: /home/dcvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.41
diff -u -p -r1.41 in_pcb.c
--- netinet/in_pcb.c 29 Dec 2006 18:02:56 -0000 1.41
+++ netinet/in_pcb.c 17 Jan 2007 12:58:07 -0000
@@ -457,7 +457,7 @@ in_pcbladdr(struct inpcb *inp, struct so
struct in_ifaddr *ia;
struct ucred *cred = NULL;
struct sockaddr_in *sin = (struct sockaddr_in *)nam;
- struct sockaddr_in jsin;
+ struct sockaddr *jsin;
int jailed = 0;
if (nam->sa_len != sizeof *sin)
@@ -579,14 +579,13 @@ in_pcbladdr(struct inpcb *inp, struct so
* Don't do pcblookup call here; return interface in plocal_sin
* and exit to caller, that will do the lookup.
*/
- if (jailed) {
- jsin.sin_family = AF_INET;
- if (!prison_get_nonlocal(cred->cr_prison,
- sintosa(&jsin)) &&
- !prison_get_local(cred->cr_prison, sintosa(&jsin)))
- /* IPv6 only Jail */
- return (EADDRNOTAVAIL);
- *plocal_sin = &jsin;
+ if (ia == NULL && jailed) {
+ if ((jsin = prison_get_nonlocal(cred->cr_prison, AF_INET, NULL)) != NULL ||
+ (jsin = prison_get_local(cred->cr_prison, AF_INET, NULL)) != NULL)
+ *plocal_sin = satosin(jsin);
+ else
+ /* IPv6 only Jail */
+ return (EADDRNOTAVAIL);
} else {
*plocal_sin = &ia->ia_addr;
}
Attachment:
signature.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgp00012.pgp
Type: application/octet-stream
Size: 252 bytes
Desc: "Description: OpenPGP digital signature"
URL: <http://lists.dragonflybsd.org/pipermail/bugs/attachments/20070117/d8413edb/attachment-0022.obj>
More information about the Bugs
mailing list