On Thu, Feb 20, 2003 at 10:05:52AM -0500, Robert Watson wrote:
+> > I have prepared patch for jail functionality against FreeBSD
+> > 5.0-CURRENT. It provides multi-level jailing and multiple ips for
+> > jails.
+>
+> Sounds cool, although I haven't had a chance to read the patch yet.
+> Question: how did you handle the problem (if at all) that INADDR_ANY
+> doesn't perform a wildcard binding with multiple IPs in the same jail?
+> It's not strictly required that it be handled, but it was always one of
+> the semantic problems I bumped into when I experimented with more IPs. A
+> single-IP jail "works" because it maps INADDR_ANY into the only IP
+> available. I'll try to get a box up and running with these changes in the
+> next few days and give them a spin.

Hmm, this problem is still there, but I think that we could resolve it by
changing all code where IP is compared to INADDR_ANY, to function like this:

	int
	prison_inaddr_any(struct ucred *cred, u_int32_t ip)
	{
		register u_int i;
		register struct prison *pr = cred->cr_prison;

		/* Not jailed: only the literal INADDR_ANY matches. */
		if (!jailed(cred))
			return (ip == INADDR_ANY);

		/* Jailed: match if ip is one of the jail's addresses. */
		for (i = 0; i < pr->pr_nips; ++i) {
			if (pr->pr_ips[i] == ip)
				return (1);
		}
		return (0);
	}

And remove mapping to specified IP, INADDR_ANY should stay there.

-- 
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
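
The semantic problem discussed in this exchange, as an added user-space model that is not code from the thread or from FreeBSD: it compares remapping INADDR_ANY to a single jail address with keeping the wildcard and confining it to the jail's address list. The struct, the function names other than the reference to prison_inaddr_any(), and the sample addresses are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ANY 0u                       /* stands in for INADDR_ANY */

/* Constructed user-space stand-in for a jail's address list (not struct prison). */
struct jail_model { const uint32_t *ips; unsigned nips; };  /* nips == 0: not jailed */

/* Constructed sample data: jail owns 10.0.0.1 and 10.0.0.2; 192.168.0.1 is a host address. */
static const uint32_t JAIL_IPS[] = { 0x0a000001, 0x0a000002 };
const struct jail_model JAIL = { JAIL_IPS, 2 };
const struct jail_model HOST = { 0, 0 };
#define OUTSIDE_IP 0xc0a80001u

/* Membership test, same loop shape as prison_inaddr_any() in the post. */
static int jail_owns(const struct jail_model *j, uint32_t ip)
{
    for (unsigned i = 0; i < j->nips; i++)
        if (j->ips[i] == ip)
            return 1;
    return 0;
}

/* Model A: bind(INADDR_ANY) inside a jail is rewritten to one jail address. */
uint32_t bind_remap(const struct jail_model *j, uint32_t req)
{
    return (j->nips > 0 && req == ANY) ? j->ips[0] : req;
}

/* Model A lookup: plain wildcard-or-exact match on the stored address. */
int accepts_remap(uint32_t bound, uint32_t dst)
{
    return bound == ANY || bound == dst;
}

/* Model B: the socket keeps INADDR_ANY; the wildcard is confined to the
 * jail's address list when an inbound destination is matched. */
int accepts_set(const struct jail_model *j, uint32_t bound, uint32_t dst)
{
    if (j->nips > 0 && !jail_owns(j, dst))
        return 0;                    /* never match outside the jail */
    return bound == ANY || bound == dst;
}

int main(void)
{
    uint32_t b = bind_remap(&JAIL, ANY);
    printf("remap: second jail IP reachable? %d\n", accepts_remap(b, JAIL_IPS[1]));
    printf("set:   second jail IP reachable? %d\n", accepts_set(&JAIL, ANY, JAIL_IPS[1]));
    printf("set:   outside IP reachable?     %d\n", accepts_set(&JAIL, ANY, OUTSIDE_IP));
    return 0;
}
```

Under the remap model a wildcard listener in a two-address jail is reachable only on the first address; under the set model it is reachable on both while still refusing addresses outside the jail.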