Hi Dmitry,

I took a look at this, and I have two practical issues:

1:

[rehn@rehn-ws dev]$ java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.6.6.6 -cp runs ForEver
Listening for transport dt_socket at address: 9999
ERROR: transport error 202: peer not allowed to connect: Success
JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal error [transport.c:358]

So connecting with an unallowed client terminates the VM.

2:

[rehn@rehn-ws dev]$ java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.BAD.6.6 -cp runs ForEver
Listening for transport dt_socket at address: 9999
ERROR: transport error 202: unable to parse list of allowed peers: Success
JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal error [transport.c:358]

Starting with a bad allow filter terminates the VM when a client connects.

Connecting with an unallowed ip/port should not terminate the VM, and we should verify the allow filter directly at startup.

Thanks
/Robbin

On 02/28/2017 10:41 AM, Dmitry Samersoff wrote:
Everybody,

Please review:

http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.10/

These changes introduce a new parameter[1] of the socket transport - allow. Users can explicitly specify a list of hosts that are allowed to connect to the jdwp server; it's the second part of JDWP hardening[2].

No restrictions are applied by default now, but I'll file a separate CR to restrict the list of allowed peers to localhost by default.

Also these changes implement versioning for the jdwp transport and therefore simplify feature development of jdwp.

1. Example command line:

-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*,allow="127.0.0.0/8;192.168.0.0/24"

Possible values for the allow parameter:

*          - accept connections from everywhere.
N.N.N.N    - accept connections from this IP address only
N.N.N.N/nn - accept connections from a particular ip subnet

2. JDK-8052136 JDWP hardening

-Dmitry
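As an added illustration of the allow= semantics Dmitry describes and of the two behaviours Robbin reports (an unparseable filter only failing at connect time, and a rejected peer taking the whole VM down), here is a small Python sketch of how the check could be structured. It is not code from the webrev or from either poster. The function and exception names are assumed for this example, mapping "*" to 0.0.0.0/0 is my reading of "accept connections from everywhere", and the peer addresses 6.6.6.6 and 6.BAD.6.6 are reused from the thread. The whole list is validated once at "startup" (parse time), and each incoming peer gets an allowed/not-allowed answer so the listener can keep running.

```python
import ipaddress


class AllowListError(ValueError):
    """Raised when an allow= value cannot be parsed (assumed name for this example)."""


def parse_allow(spec):
    """Parse a JDWP-style allow= value into a list of IPv4 networks.

    Entries are separated by ';' and may be:
      *           -> everyone (mapped here to 0.0.0.0/0, an assumption)
      N.N.N.N     -> one host (/32)
      N.N.N.N/nn  -> a subnet
    Every entry is validated here, before any socket is opened, so a typo
    such as 6.BAD.6.6 is reported at startup rather than on the first
    connection attempt.
    """
    nets = []
    for raw in spec.split(";"):
        entry = raw.strip()
        if not entry:
            raise AllowListError("empty entry in allow list %r" % spec)
        if entry == "*":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            continue
        try:
            # strict=True (the default) rejects entries like 192.168.0.5/24 whose
            # host bits are set, so an ambiguous filter fails closed at startup.
            nets.append(ipaddress.IPv4Network(entry))
        except ValueError as e:
            raise AllowListError("unable to parse allow entry %r: %s" % (entry, e))
    if not nets:
        raise AllowListError("allow list is empty")
    return nets


def allow_list_is_valid(spec):
    """Startup self-check: True if the filter parses, False otherwise."""
    try:
        parse_allow(spec)
        return True
    except AllowListError:
        return False


def peer_allowed(nets, peer_ip):
    """Decide whether one connecting peer matches any allowed network."""
    try:
        addr = ipaddress.IPv4Address(peer_ip)
    except ValueError:
        # Not an IPv4 peer (this filter syntax is IPv4-only); reject, don't crash.
        return False
    return any(addr in net for net in nets)


def screen_peers(nets, peers):
    """Simulate the accept loop: a rejected peer is just closed and the
    server keeps listening; nothing here ends the process."""
    return [(ip, peer_allowed(nets, ip)) for ip in peers]


if __name__ == "__main__":
    # Constructed sample data: Dmitry's example filter and a few peers,
    # including the two addresses from Robbin's reproductions.
    nets = parse_allow("127.0.0.0/8;192.168.0.0/24")
    for ip, ok in screen_peers(nets, ["127.0.0.1", "192.168.0.200", "192.168.1.1", "6.6.6.6"]):
        print("%-15s %s" % (ip, "accepted" if ok else "rejected, still listening"))
    print("6.BAD.6.6 valid at startup?", allow_list_is_valid("6.BAD.6.6"))
```

The point of splitting parse_allow from peer_allowed is that the expensive-to-discover failure (a malformed filter) is surfaced by the first call, which a transport would make while processing the agent options, while the per-connection decision is a plain boolean that the accept loop can act on by closing the socket.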