Peter Wemm <[email protected]> wrote in <[email protected]>:
pe> Note how they're all on bge0 and the lo1|127.x is ignored.
pe>
pe> There's some other problems I haven't pinned down yet. Something has
pe> changed radically with source address selection and some standard setups
pe> from 7.x through 10.x (as of a few months ago) don't work anymore. I
pe> haven't yet figured out how to do the per-jail lo1|127.x thing in the new
pe> scheme even with an old rc.d/jail - anything attempting to bind to localhost
pe> gets remapped to the public, fully exposed address.
pe>
pe> I'm still looking.

Can you test the attached patch?

-- Hiroki
Index: etc/rc.d/jail
===================================================================
--- etc/rc.d/jail (revision 256440)
+++ etc/rc.d/jail (working copy)
@@ -329,9 +329,9 @@
#
jail_handle_ips_option()
{
- local _x _type _i _iface
+ local _x _type _i _defif
_x=$1
- _iface=$2
+ _defif=$2
if [ -z "${_x}" ]; then
# No IP given. This can happen for the primary address
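Review bot: `_iface` is dropped from the `local` list on the `+ local _x _type _i _defif` line, yet the function still assigns it (`_iface=""` just before the `jail_extract_address` call in the -355 hunk) and reads it when emitting `ip4.addr`/`ip6.addr` in the -366 hunk, so the name now leaks into the caller's scope. Unless jail_extract_address, which is outside this patch, depends on `_iface` being visible globally, keep it local: `local _x _type _i _defif _iface`. The same leak already exists for `_addr` and `_mask`, which this patch leaves non-local. jail_handle_ips_option continues past the end of the hunk.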
@@ -355,7 +355,8 @@
_type=""
_addr=""
_mask=""
- jail_extract_address $_i $_iface
+ _iface=""
+ jail_extract_address $_i $_defif
# make sure we got an address.
case $_addr in
@@ -366,10 +367,10 @@
# Append address to list of addresses for the jail command.
case $_type in
inet)
- echo " ip4.addr += \"${_addr}${_mask}\";"
+ echo " ip4.addr += \"${_iface}|${_addr}${_mask}\";"
;;
inet6)
- echo " ip6.addr += \"${_addr}${_mask}\";"
+ echo " ip6.addr += \"${_iface}|${_addr}${_mask}\";"
need_dad_wait=1
;;
esac
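Review bot: The two rewritten `echo` lines always emit `${_iface}|` in front of the address, so whenever jail_extract_address leaves `_iface` empty (it is reset to `""` before the call in the -355 hunk) the generated line is `ip4.addr += "|<addr><mask>";` with a dangling leading `|`. Unless jail(8) is known to accept an empty interface before the separator, only add it when an interface was found: `echo " ip4.addr += \"${_iface:+${_iface}|}${_addr}${_mask}\";"` and likewise for the `ip6.addr` line. jail_handle_ips_option starts and ends outside this hunk.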
@@ -414,7 +415,7 @@
jail_start()
{
- local _j
+ local _j _jid _jn
if [ $# = 0 ]; then
return
@@ -426,7 +427,15 @@
command=$jail_program
rc_flags=$jail_flags
command_args="-f $jail_conf -c"
- $command $rc_flags $command_args "*"
+ jls -nq | while read IN; do
+ _jn=$(echo $IN | tr " " "\n" | grep name=)
+ _jid=$(echo $IN | tr " " "\n" | grep jid=)
+ if $command $rc_flags $command_args ${_jn#name=}; then
+ echo -n " ${_jn#name=}"
+ echo "${_jid#jid=}" \
+ > /var/run/jail_${_jn#name=}.id
+ fi
+ done
echo '.'
return
;;
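Review bot: The new loop at `jls -nq | while read IN` takes the list of jails to create from jls, which as far as I can tell reports only jails that already exist, so on a cold boot the `-c` path has nothing to iterate and none of the jail.conf entries are started; the removed `"*"` invocation was what created them. If the intent is only to record the jid of each created jail, keep the `"*"` call and walk `jls -nq` afterwards to write the `.id` files. Independently, `grep name=` also matches the `host.hostname=` parameter in `jls -n` output, so `_jn` can come back as two lines and the `.id` path and the `$command` argument are then wrong; anchor the patterns as `grep '^name='` and `grep '^jid='` here, in the `_jid=` line of the -446 hunk, and in the `-r` loop of the -469 hunk. This hunk (and the -446 hunk) also call bare `jls` while the stop loop uses `$jail_jls`; use the variable in all three places, and read with `read -r IN` and `echo "$IN"` so backslashes and glob characters in parameter values are not mangled.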
@@ -446,7 +455,10 @@
if $command $rc_flags $command_args \
>> $_tmp 2>&1 </dev/null; then
echo -n " ${_hostname:-${_j}}"
+ _jid=$(jls -n -j $_j | tr " " "\n" | grep jid=)
+ echo "${_jid#jid=}" > /var/run/jail_${_j}.id
else
+ rm -f /var/run/jail_${_j}.id
echo " cannot start jail \"${_hostname:-${_j}}\": "
cat $_tmp
fi
@@ -457,7 +469,7 @@
jail_stop()
{
- local _j
+ local _j _jn
if [ $# = 0 ]; then
return
@@ -469,7 +481,14 @@
command=$jail_program
rc_flags=$jail_flags
command_args="-f $jail_conf -r"
- $command $rc_flags $command_args "*"
+ $jail_jls -nq | while read IN; do
+ _jn=$(echo $IN | tr " " "\n" | grep name=)
+ echo -n " ${_jn#name=}"
+ $command $rc_flags $command_args ${_jn#name=}
+ if ! $jail_jls -j ${_jn#name=} > /dev/null 2>&1; then
+ rm -f /var/run/jail_${_jn#name=}.id
+ fi
+ done
echo '.'
return
;;
@@ -477,9 +496,14 @@
for _j in $@; do
_j=$(echo $_j | tr /. _)
parse_options $_j || continue
+ if ! $jail_jls -j $_j > /dev/null 2>&1; then
+ continue
+ fi
eval command=\${jail_${_j}_program:-$jail_program}
- if $command -q -f $_conf -r $_j; then
- echo -n " ${_hostname:-${_j}}"
+ echo -n " ${_hostname:-${_j}}"
+ $command -q -f $_conf -r $_j
+ if ! $jail_jls -j $_j > /dev/null 2>&1; then
+ rm -f /var/run/jail_${_j}.id
fi
done
echo '.'
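Review bot: The new `if ! $jail_jls -j $_j` guard skips a jail that is no longer running but leaves any stale `/var/run/jail_${_j}.id` in place, because the `rm -f` further down is only reached for jails that were still up; add `rm -f /var/run/jail_${_j}.id` before the `continue`. The skip is also silent, whereas the old code surfaced a failed `-r` through jail(8)'s own output, so an operator stopping a jail that already died now sees nothing; a one-line diagnostic on stderr before `continue` would keep that visible. Note that moving `echo -n " ${_hostname:-${_j}}"` ahead of the `$command -q -f $_conf -r $_j` call prints the name even when removal fails. jail_stop's function body starts outside this hunk.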
