Re: [patch] Multiple ips for jails

2006-11-14 Thread Joerg Sonnenberger
On Tue, Nov 14, 2006 at 10:00:54AM +0100, Simon 'corecode' Schubert wrote:
 Joerg Sonnenberger wrote:
 At least the IPv6 case is incomplete as it doesn't deal with mapped ipv4
 addresses. I also don't think the behaviour for INADDR_ANY is correct.
 
 Could you elaborate on that?  How should mapped ipv4 addresses be handled?  
 I guess there would need to be a check for already used ipv4 addresses, and 
 vice versa.

If mapped IPv4 addresses are allowed, they should get exactly the same
handling as normal IPv4 addresses. Esp. mapped 127.0.0.1 needs to be
handled accordingly.

 What behaviour for INADDR_ANY would be correct?  (If you can use this term)

When a socket is allowed to bind to INADDR_ANY two things have to be
guaranteed:
(a) Connections to it are effectively only allowed, when one of the jail
IPs can be used. E.g. if the jail is bound to 192.168.1.1 and 10.1.1.1,
but the machine has also 176.1.1.1 as IP, a connection to that must not
go to the jail.
(b) Connections *from* the jail must use one of the jail addresses as
source. E.g. when the jail is bound to 192.168.1.1 as before, a
connection to 10.1.1.2 must not use 10.1.1.1 as source address.

This gets further complicated by the question whether or not binding to
broadcast and/or multicast addresses should be enabled by default.

Joerg


Re: [patch] Multiple ips for jails

2006-11-14 Thread Simon 'corecode' Schubert

Joerg Sonnenberger wrote:

On Tue, Nov 14, 2006 at 10:00:54AM +0100, Simon 'corecode' Schubert wrote:

Joerg Sonnenberger wrote:

At least the IPv6 case is incomplete as it doesn't deal with mapped ipv4
addresses. I also don't think the behaviour for INADDR_ANY is correct.
Could you elaborate on that?  How should mapped ipv4 addresses be handled?  
I guess there would need to be a check for already used ipv4 addresses, and 
vice versa.


If mapped IPv4 addresses are allowed, they should get exactly the same
handling as normal IPv4 addresses. Esp. mapped 127.0.0.1 needs to be
handled accordingly.


yes, I agree.


What behaviour for INADDR_ANY would be correct?  (If you can use this term)


When a socket is allowed to bind to INADDR_ANY two things have to be
guaranteed:
(a) Connections to it are effectively only allowed, when one of the jail
IPs can be used. E.g. if the jail is bound to 192.168.1.1 and 10.1.1.1,
but the machine has also 176.1.1.1 as IP, a connection to that must not
go to the jail.
(b) Connections *from* the jail must use one of the jail addresses as
source. E.g. when the jail is bound to 192.168.1.1 as before, a
connection to 10.1.1.2 must not use 10.1.1.1 as source address.


As far as I can tell, the patch was designed to do exactly what you are 
describing.


This gets further complicated by the question whether or not binding to
broadcast and/or multicast addresses should be enabled by default.


I don't know how this is handled at the moment, but I am confident that this 
could even be handled when the code is committed.  As long as the old behaviour 
persists with just one IP, it is fine.

cheers
 simon

--
Serve - BSD +++  RENT this banner advert  +++ASCII Ribbon   /\
Work - Mac  +++  space for low €€€ NOW!1  +++  Campaign \ /
Party Enjoy Relax   |   http://dragonflybsd.org  Against  HTML   \
Dude 2c 2 the max   !   http://golden-apple.biz   Mail + News   / \





Re: [patch] Multiple ips for jails

2006-11-14 Thread Victor Balada Diaz
On Tue, Nov 14, 2006 at 11:31:57AM +0100, Joerg Sonnenberger wrote:
 On Tue, Nov 14, 2006 at 10:00:54AM +0100, Simon 'corecode' Schubert wrote:
  Joerg Sonnenberger wrote:
  At least the IPv6 case is incomplete as it doesn't deal with mapped ipv4
  addresses. I also don't think the behaviour for INADDR_ANY is correct.
  
  Could you elaborate on that?  How should mapped ipv4 addresses be handled?  
  I guess there would need to be a check for already used ipv4 addresses, and 
  vice versa.
 
 If mapped IPv4 addresses are allowed, they should get exactly the same
 handling as normal IPv4 addresses. Esp. mapped 127.0.0.1 needs to be
 handled accordingly.

The mapped ipv4 addresses need further investigation, I'll check
it ASAP.

 
  What behaviour for INADDR_ANY would be correct?  (If you can use this term)
 
 When a socket is allowed to bind to INADDR_ANY two things have to be
 guaranteed:
 (a) Connections to it are effectively only allowed, when one of the jail
 IPs can be used. E.g. if the jail is bound to 192.168.1.1 and 10.1.1.1,
 but the machine has also 176.1.1.1 as IP, a connection to that must not
 go to the jail.

This is already guaranteed.

 (b) Connections *from* the jail must use one of the jail addresses as
 source. E.g. when the jail is bound to 192.168.1.1 as before, a
 connection to 10.1.1.2 must not use 10.1.1.1 as source address.
 
 This gets further complicated by the question whether or not binding to
 broadcast and/or multicast addresses should be enabled by default.

Multicast is not supported in jails.

-- 
The most conclusive proof that intelligent life exists on other
planets is that they have not tried to contact us.


Re: [patch] Multiple ips for jails

2006-11-13 Thread Victor Balada Diaz
On Mon, Nov 13, 2006 at 03:20:31AM +0100, Tomaž Borštnar wrote:
 Victor Balada Diaz wrote:
 INADDR_ANY and in6addr_any binds to all the IPs in the jail.
 this is for servers, right?

Yes.

 INADDR_LOOPBACK and in6addr_loopback tries to bind to a
 loopback address, if the jail doesn't have any it tries to
 bind to any other address.
 
 so what does this mean for example for outgoing web or dns requests? I did 
 play with one of those older mijail patches on freebsd and the problem was 
 that applications had to specifically bind to some IP in order to 
 successfully send outgoing traffic.

You shouldn't have a problem with that. Should work like our current
jails.

-- 
The most conclusive proof that intelligent life exists on other
planets is that they have not tried to contact us.


Re: [patch] Multiple ips for jails

2006-11-12 Thread Tomaž Borštnar

Victor Balada Diaz wrote:

Hi,
I'm working on adding IPv6 and multiple ip support to jails. 

How does it handle applications that do not bind to specific IP address?

Tomaž



Re: [patch] Multiple ips for jails

2006-11-12 Thread Victor Balada Diaz
On Sun, Nov 12, 2006 at 11:21:38PM +0100, Tomaž Borštnar wrote:
 Victor Balada Diaz wrote:
 Hi,
 I'm working on adding IPv6 and multiple ip support to jails. 
 How does it handle applications that do not bind to specific IP address?

INADDR_ANY and in6addr_any binds to all the IPs in the jail.

INADDR_LOOPBACK and in6addr_loopback tries to bind to a
loopback address, if the jail doesn't have any it tries to
bind to any other address.

-- 
The most conclusive proof that intelligent life exists on other
planets is that they have not tried to contact us.
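As an added illustration, not code from the patch under discussion or from the DragonFly/FreeBSD kernel: the address policy described in Joerg's message (rule (a), inbound connections reach the jail only on a jail address; rule (b), outbound connections must use a jail address as source; IPv4-mapped IPv6 addresses handled exactly like IPv4, including ::ffff:127.0.0.1) and in Victor's description of INADDR_ANY and INADDR_LOOPBACK binds, written as stand-alone C over a constructed jail holding a fixed list of IPv4 addresses. All names here (jail_t, jail_bind_addr, jail_accepts_dst, jail_pick_source, unmap_v4) are made up for the example and are not the kernel's in_pcb interfaces; real IPv6 addresses are left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example jail: a fixed list of IPv4 addresses, host byte order. */
#define JAIL_MAX_IPS 4
typedef struct {
    uint32_t ips[JAIL_MAX_IPS];
    size_t n;
} jail_t;

#define H_INADDR_ANY      0x00000000u
#define H_INADDR_LOOPBACK 0x7f000001u

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static bool is_loopback(uint32_t ip) { return (ip >> 24) == 127; }

static bool jail_has_ip(const jail_t *j, uint32_t ip)
{
    for (size_t i = 0; i < j->n; i++)
        if (j->ips[i] == ip) return true;
    return false;
}

/* Rewrite a requested bind address under the jail's policy:
 * - INADDR_ANY is kept; delivery is then filtered per destination by
 *   jail_accepts_dst() (rule (a)), so the listener never sees host-only IPs.
 * - INADDR_LOOPBACK becomes a loopback address the jail owns if there is one,
 *   otherwise the jail's first address (Victor's description of the patch).
 * - Any other address is allowed only if the jail owns it.
 * Returns false when the bind must be rejected. */
static bool jail_bind_addr(const jail_t *j, uint32_t req, uint32_t *eff)
{
    if (j->n == 0) return false;
    if (req == H_INADDR_ANY) { *eff = H_INADDR_ANY; return true; }
    if (is_loopback(req)) {
        for (size_t i = 0; i < j->n; i++)
            if (is_loopback(j->ips[i])) { *eff = j->ips[i]; return true; }
        *eff = j->ips[0];
        return true;
    }
    if (!jail_has_ip(j, req)) return false;
    *eff = req;
    return true;
}

/* Rule (a): a packet reaches a jail's INADDR_ANY listener only if its
 * destination is one of the jail's addresses. A host address such as
 * 176.1.1.1 never lands in a jail bound to 192.168.1.1 and 10.1.1.1. */
static bool jail_accepts_dst(const jail_t *j, uint32_t dst)
{
    return jail_has_ip(j, dst);
}

/* Rule (b): the source of an outbound connection must be a jail address.
 * route_src is what plain routing would pick (possibly a host-only address);
 * if the jail does not own it, use the jail's first address instead. */
static bool jail_pick_source(const jail_t *j, uint32_t route_src, uint32_t *src)
{
    if (j->n == 0) return false;
    *src = jail_has_ip(j, route_src) ? route_src : j->ips[0];
    return true;
}

/* Joerg's point on mapped addresses: ::ffff:a.b.c.d must take exactly the
 * IPv4 path, so ::ffff:127.0.0.1 gets the loopback treatment above.
 * Returns true and fills *v4 when v6 is an IPv4-mapped address. */
static bool unmap_v4(const uint8_t v6[16], uint32_t *v4)
{
    static const uint8_t prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    if (memcmp(v6, prefix, sizeof prefix) != 0) return false;
    *v4 = ip4(v6[12], v6[13], v6[14], v6[15]);
    return true;
}

/* Bind on an AF_INET6 socket: mapped addresses are funnelled into the IPv4
 * policy; native IPv6 is out of scope for this example and is rejected. */
static bool jail_bind_v6(const jail_t *j, const uint8_t v6[16], uint32_t *eff)
{
    uint32_t v4;
    if (unmap_v4(v6, &v4))
        return jail_bind_addr(j, v4, eff);
    return false;
}
```

The two lookups that matter for security are jail_accepts_dst() and jail_pick_source(): a multi-IP jail is only as isolated as those checks, since an INADDR_ANY listener or an unbound outgoing socket otherwise inherits every address the host has. The unmap_v4() step is what keeps an AF_INET6 socket from bypassing the IPv4 rules with a mapped form of the same address.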


Re: [patch] Multiple ips for jails

2006-11-12 Thread Tomaž Borštnar

Victor Balada Diaz wrote:

INADDR_ANY and in6addr_any binds to all the IPs in the jail.

this is for servers, right?


INADDR_LOOPBACK and in6addr_loopback tries to bind to a
loopback address, if the jail doesn't have any it tries to
bind to any other address.


so what does this mean for example for outgoing web or dns requests? I did play with one of those older mijail patches 
on freebsd and the problem was that applications had to specifically bind to some IP in order to successfully send 
outgoing traffic.



Tomaž