git: jail - add jail.defaults.allow_listen_override

Matthew Dillon dillon at crater.dragonflybsd.org
Sun Feb 23 23:26:56 PST 2020


commit 2ea2781e4d73ee661752b6cddbdbb799f8cbcc02
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date:   Sun Feb 23 23:05:42 2020 -0800

    jail - add jail.defaults.allow_listen_override
    
    * Add jail.defaults.allow_listen_override (also per-jail settable).
      This feature is disabled by default.
    
      When enabled, this feature allows both wildcard and non-wildcard listen
      sockets in the jail to override wildcard listen sockets on the host.
      These sockets will be masked by the jail's IP list, meaning that a
      wildcard socket in the jail effectively covers just the jail's IP list.
    
      Non-wildcard listen sockets on the host are not overriden.
    
      Use of this feature allows the host to operate normally, without having
      to make its services jail-friendly.  Only those services which bind to
      specific IPs that might conflict with the jail IPs will need modification,
      and only if the jail needs to have that service as well.
    
    * In order to use the feature safely each jail should be given its
      own unique IPs for both localhost and its externally routable IP.
      For example:
    
      jail -u root / tr3990xJ 127.0.0.2,10.0.0.139 /bin/csh
    
      ifconfig can be used on the host to create multiple 127.0.0.X aliases
      on lo0 and to assign additional routable IPs to the machine for use
      in its jails.  For example:
    
      ifconfig lo0 inet 127.0.0.2  alias
      ifconfig lo0 inet 127.0.0.3  alias
      ifconfig lo0 inet6 ::2 alias
      ifconfig lo0 inet6 ::3 alias
      ifconfig em0 inet 10.0.0.139 netmask 255.255.0.0 alias
      ifconfig em0 inet 10.0.0.140 netmask 255.255.0.0 alias
      ...
    
    * Within a jail, use of localhost (127.0.0.1 or ::1) will automatically
      be converted to the jail's localhost IP (such as 127.0.0.2).  Also,
      accept(), getsockname(), and getpeername() will translate the jail's
      localhost IP back to 127.0.0.1 or ::1.  Most services within the
      jail can thus use localhost without being the wiser.
    
    * Listen address/port pairs within a jail can now be overloaded with the
      same address/port pairs on the host, or overloaded verses other jails
      without generating an error.  However, accessibility to these ports is
      governed by the 'jail.deafults.allow_listen_override' sysctl setting
      for the jail (or the jail-specific version of the same sysctl).
    
      Any jail-to-jail overloading of identical address/port pairs is allowed,
      but operationally undefined.  Only one jail will receive connections.
    
      It is best to supply each jail with its own unique local and routable
      IPs.
    
    * IPV6 is now fully supported using the same mechanisms.  You can supply
      a mix of IPV4 and IPV6 addresses in the jail command if desired.  The
      overloading feature works the same.

Summary of changes:
 sys/kern/kern_jail.c     |  73 ++++++++++-
 sys/kern/uipc_syscalls.c |  12 +-
 sys/net/if.c             |   3 +-
 sys/netinet/in_pcb.c     | 320 +++++++++++++++++++++++++++++++++++------------
 sys/netinet/in_pcb.h     |   2 +-
 sys/netinet6/in6_pcb.c   | 137 ++++++++++++--------
 sys/sys/jail.h           |   2 +
 usr.sbin/jail/jail.8     | 144 ++++++++++++---------
 8 files changed, 497 insertions(+), 196 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/2ea2781e4d73ee661752b6cddbdbb799f8cbcc02


-- 
DragonFly BSD source repository


More information about the Commits mailing list