git: jail - add jail.defaults.allow_listen_override
Matthew Dillon
dillon at crater.dragonflybsd.org
Sun Feb 23 23:26:56 PST 2020
commit 2ea2781e4d73ee661752b6cddbdbb799f8cbcc02
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date: Sun Feb 23 23:05:42 2020 -0800
jail - add jail.defaults.allow_listen_override
* Add jail.defaults.allow_listen_override (also per-jail settable).
This feature is disabled by default.
When enabled, this feature allows both wildcard and non-wildcard listen
sockets in the jail to override wildcard listen sockets on the host.
These sockets will be masked by the jail's IP list, meaning that a
wildcard socket in the jail effectively covers just the jail's IP list.
Non-wildcard listen sockets on the host are not overriden.
Use of this feature allows the host to operate normally, without having
to make its services jail-friendly. Only those services which bind to
specific IPs that might conflict with the jail IPs will need modification,
and only if the jail needs to have that service as well.
* In order to use the feature safely each jail should be given its
own unique IPs for both localhost and its externally routable IP.
For example:
jail -u root / tr3990xJ 127.0.0.2,10.0.0.139 /bin/csh
ifconfig can be used on the host to create multiple 127.0.0.X aliases
on lo0 and to assign additional routable IPs to the machine for use
in its jails. For example:
ifconfig lo0 inet 127.0.0.2 alias
ifconfig lo0 inet 127.0.0.3 alias
ifconfig lo0 inet6 ::2 alias
ifconfig lo0 inet6 ::3 alias
ifconfig em0 inet 10.0.0.139 netmask 255.255.0.0 alias
ifconfig em0 inet 10.0.0.140 netmask 255.255.0.0 alias
...
* Within a jail, use of localhost (127.0.0.1 or ::1) will automatically
be converted to the jail's localhost IP (such as 127.0.0.2). Also,
accept(), getsockname(), and getpeername() will translate the jail's
localhost IP back to 127.0.0.1 or ::1. Most services within the
jail can thus use localhost without being the wiser.
* Listen address/port pairs within a jail can now be overloaded with the
same address/port pairs on the host, or overloaded verses other jails
without generating an error. However, accessibility to these ports is
governed by the 'jail.deafults.allow_listen_override' sysctl setting
for the jail (or the jail-specific version of the same sysctl).
Any jail-to-jail overloading of identical address/port pairs is allowed,
but operationally undefined. Only one jail will receive connections.
It is best to supply each jail with its own unique local and routable
IPs.
* IPV6 is now fully supported using the same mechanisms. You can supply
a mix of IPV4 and IPV6 addresses in the jail command if desired. The
overloading feature works the same.
Summary of changes:
sys/kern/kern_jail.c | 73 ++++++++++-
sys/kern/uipc_syscalls.c | 12 +-
sys/net/if.c | 3 +-
sys/netinet/in_pcb.c | 320 +++++++++++++++++++++++++++++++++++------------
sys/netinet/in_pcb.h | 2 +-
sys/netinet6/in6_pcb.c | 137 ++++++++++++--------
sys/sys/jail.h | 2 +
usr.sbin/jail/jail.8 | 144 ++++++++++++---------
8 files changed, 497 insertions(+), 196 deletions(-)
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/2ea2781e4d73ee661752b6cddbdbb799f8cbcc02
--
DragonFly BSD source repository
More information about the Commits
mailing list