On 2018-10-18 16:14, Julian Elischer wrote:
On 17/10/18 9:17 am, Jamie Gritton wrote:
Author: jamie
Date: Wed Oct 17 16:17:57 2018
New Revision: 339411
URL: https://svnweb.freebsd.org/changeset/base/339411
Log:
MFC r339211:
Fix the test prohibiting jails from sharing IP addresses.
It's not supposed to be legal for two jails to contain the same IP address,
unless both jails contain only that one address. This is the behavior
documented in jail(8), and is there to prevent confusion when multiple
jails are listening on IADDR_ANY.
VIMAGE jails (now the default for GENERIC kernels) test this correctly,
but non-VIMAGE jails have been performing an incomplete test when nested
jails are used.
I think VIMAGE Jails should be able to have the same address
optionally.. who says they are even in the same universe?
Indeed. This is just bad wording - vnet jails didn't have such a
restriction before this commit, and nothing has changed. When I said
they test this correctly, it was about how jails that are descendants of
vnet jails correctly check all other descendants of their vnet-enabled
ancestor (also correct before, and unchanged).
For vnet jails themselves, the altered code blocks aren't even executed
(because "ip4s > 0" and "ip6s > 0" apply only to non-vnet).
- Jamie
Modified:
stable/11/sys/kern/kern_jail.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/kern/kern_jail.c
==============================================================================
--- stable/11/sys/kern/kern_jail.c Wed Oct 17 16:17:56 2018
(r339410)
+++ stable/11/sys/kern/kern_jail.c Wed Oct 17 16:17:57 2018
(r339411)
@@ -1411,11 +1411,12 @@ kern_jail_set(struct thread *td, struct uio
*optuio, i
* there is a duplicate on a jail with more than one
* IP stop checking and return error.
*/
- tppr = ppr;
#ifdef VIMAGE
- for (; tppr != &prison0; tppr = tppr->pr_parent)
+ for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent)
if (tppr->pr_flags & PR_VNET)
break;
+#else
+ tppr = &prison0;
#endif
FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) {
if (tpr == pr ||
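Review bot: The new `#else` arm (`tppr = &prison0;`) moves the non-VIMAGE search root from `ppr` to `prison0`, but the comment above the block still describes only the duplicate rule and says nothing about which jails are scanned. A short comment on the two arms stating that the root is the nearest ancestor with `PR_VNET` set, or `prison0` when there is none or VIMAGE is not compiled in, would document why the walk must not start at `ppr` and would keep a later cleanup from restoring `tppr = ppr;`.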
@@ -1478,11 +1479,12 @@ kern_jail_set(struct thread *td, struct uio
*optuio, i
}
}
/* Check for conflicting IP addresses. */
- tppr = ppr;
#ifdef VIMAGE
- for (; tppr != &prison0; tppr = tppr->pr_parent)
+ for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent)
if (tppr->pr_flags & PR_VNET)
break;
+#else
+ tppr = &prison0;
#endif
FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) {
if (tpr == pr ||
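Review bot: The root-selection block under "Check for conflicting IP addresses." is a line-for-line copy of the one changed at -1411 (the `#ifdef VIMAGE` loop plus the `#else` assignment to `&prison0`), so the same fix had to be made twice. Consider moving it into one small static helper that takes `ppr` and returns the prison to start `FOREACH_PRISON_DESCENDANT` from, so both checks share a single definition of the conflict scope and cannot drift apart.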