git: 153a0e6b038c - stable/13 - netstat(1): teach netstat to attach to jails

From: Doug Rabson <dfr_at_FreeBSD.org>
Date: Sat, 02 Sep 2023 11:01:26 UTC
The branch stable/13 has been updated by dfr:

URL: https://cgit.FreeBSD.org/src/commit/?id=153a0e6b038ceb85d731ebb2ab269e9f783da28b

commit 153a0e6b038ceb85d731ebb2ab269e9f783da28b
Author:     Doug Rabson <dfr@FreeBSD.org>
AuthorDate: 2023-08-14 08:01:28 +0000
Commit:     Doug Rabson <dfr@FreeBSD.org>
CommitDate: 2023-09-02 08:08:49 +0000

    netstat(1): teach netstat to attach to jails
    
    Add -j <jail> flag to netstat(1) to allow access to network information
    from a jail.
    
    MFC after:      1 week
    Differential Revision: https://reviews.freebsd.org/D41446
    
    (cherry picked from commit 182e8ae26d7cad119bcfce7cc788c1f5cb06e226)
---
 usr.bin/netstat/Makefile  |  5 +++
 usr.bin/netstat/main.c    | 57 +++++++++++++++++++++++++++--------
 usr.bin/netstat/netstat.1 | 77 +++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 126 insertions(+), 13 deletions(-)

diff --git a/usr.bin/netstat/Makefile b/usr.bin/netstat/Makefile
index 1b999831c160..7888344cbf51 100644
--- a/usr.bin/netstat/Makefile
+++ b/usr.bin/netstat/Makefile
@@ -62,4 +62,9 @@ LIBADD+=	netgraph
 CFLAGS+=-DNETGRAPH
 .endif
 
+.if ${MK_JAIL} != "no" && !defined(RESCUE)
+CFLAGS+= -DJAIL
+LIBADD+= jail
+.endif
+
 .include <bsd.prog.mk>
diff --git a/usr.bin/netstat/main.c b/usr.bin/netstat/main.c
index 5b05582ca990..a1727d7b7b58 100644
--- a/usr.bin/netstat/main.c
+++ b/usr.bin/netstat/main.c
@@ -44,6 +44,9 @@ static char sccsid[] = "@(#)main.c	8.4 (Berkeley) 3/1/94";
 #include <sys/cdefs.h>
 #include <sys/param.h>
 #include <sys/file.h>
+#ifdef JAIL
+#include <sys/jail.h>
+#endif
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -58,6 +61,9 @@ static char sccsid[] = "@(#)main.c	8.4 (Berkeley) 3/1/94";
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
+#ifdef JAIL
+#include <jail.h>
+#endif
 #include <kvm.h>
 #include <limits.h>
 #include <netdb.h>
@@ -231,6 +237,9 @@ int	interval;	/* repeat interval for i/f stats */
 
 char	*interface;	/* desired i/f for stats, or NULL for all i/fs */
 int	unit;		/* unit number for above */
+#ifdef JAIL
+char	*jail_name;	/* desired jail to operate in */
+#endif
 
 static int	af;		/* address family */
 int	live;		/* true if we are examining a live system */
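Review bot: `jail_name` is added with external linkage, but it is only set and read in main(), so it should be `static char *jail_name;` like the `static int af;` two lines below; leaving it global invites accidental sharing with the other netstat objects, which already export `interface` and `unit` via the header. The `#ifdef JAIL` guard is correct, but the matching `int jid;` in the following hunk could also be narrowed to the block that uses it, which would remove the need for a second conditional declaration in main().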
@@ -243,6 +252,9 @@ main(int argc, char *argv[])
 	int fib = -1;
 	char *endptr;
 	bool first = true;
+#ifdef JAIL
+	int jid;
+#endif
 
 	af = AF_UNSPEC;
 
@@ -250,7 +262,7 @@ main(int argc, char *argv[])
 	if (argc < 0)
 		exit(EXIT_FAILURE);
 
-	while ((ch = getopt(argc, argv, "46AaBbCcdF:f:ghI:iLlM:mN:nOoPp:Qq:RrSTsuWw:xz"))
+	while ((ch = getopt(argc, argv, "46AaBbCcdF:f:ghI:ij:LlM:mN:nOoPp:Qq:RrSTsuWw:xz"))
 	    != -1)
 		switch(ch) {
 		case '4':
@@ -338,6 +350,15 @@ main(int argc, char *argv[])
 		case 'i':
 			iflag = 1;
 			break;
+		case 'j':
+#ifdef JAIL
+			if (optarg == NULL)
+				usage();
+			jail_name = optarg;
+#else
+			errx(1, "Jail support is not compiled in");
+#endif
+			break;
 		case 'L':
 			Lflag = 1;
 			break;
@@ -434,6 +455,16 @@ main(int argc, char *argv[])
 	}
 #endif
 
+#ifdef JAIL
+	if (jail_name != NULL) {
+		jid = jail_getid(jail_name);
+		if (jid == -1)
+			errx(1, "Jail not found");
+		if (jail_attach(jid) != 0)
+			errx(1, "Cannot attach to jail");
+	}
+#endif
+
 	/*
 	 * Discard setgid privileges if not the running kernel so that bad
 	 * guys can't print interesting stuff from kernel memory.
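Review bot: Both failure paths discard the reason the attach failed, which matters here because this call runs while netstat still holds its setgid privileges and the comment right after the block explains that those privileges are dropped only afterwards. jail_getid() reports its diagnostic in libjail's `jail_errmsg`, and jail_attach(2) sets errno (EPERM for an unprivileged caller, EINVAL for a bad jid), so `errx(1, "%s", jail_errmsg);` and `err(1, "jail_attach(%d)", jid);` would tell the operator whether the name was wrong or the attach was refused. Attaching also moves the process root into the jail, so any `-M core`/`-N system` paths given on the command line are presumably resolved inside the jail afterwards; if that is not intended, the attach should happen after those files are opened or the man page should say so. The kvm open that would be affected is outside this hunk.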
@@ -888,24 +919,24 @@ static void
 usage(void)
 {
 	(void)xo_error("%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n",
-"usage: netstat [-46AaCcLnRSTWx] [-f protocol_family | -p protocol]\n"
+"usage: netstat [-j jail] [-46AaCcLnRSTWx] [-f protocol_family | -p protocol]\n"
 "               [-M core] [-N system]",
-"       netstat -i | -I interface [-46abdhnW] [-f address_family]\n"
+"       netstat [-j jail] -i | -I interface [-46abdhnW] [-f address_family]\n"
 "               [-M core] [-N system]",
-"       netstat -w wait [-I interface] [-46d] [-M core] [-N system]\n"
+"       netstat [-j jail] -w wait [-I interface] [-46d] [-M core] [-N system]\n"
 "               [-q howmany]",
-"       netstat -s [-46sz] [-f protocol_family | -p protocol]\n"
+"       netstat [-j jail] -s [-46sz] [-f protocol_family | -p protocol]\n"
 "               [-M core] [-N system]",
-"       netstat -i | -I interface -s [-46s]\n"
+"       netstat [-j jail] -i | -I interface -s [-46s]\n"
 "               [-f protocol_family | -p protocol] [-M core] [-N system]",
-"       netstat -m [-M core] [-N system]",
-"       netstat -B [-z] [-I interface]",
-"       netstat -r [-46AnW] [-F fibnum] [-f address_family]\n"
+"       netstat [-j jail] -m [-M core] [-N system]",
+"       netstat [-j jail] -B [-z] [-I interface]",
+"       netstat [-j jail] -r [-46AnW] [-F fibnum] [-f address_family]\n"
 "               [-M core] [-N system]",
-"       netstat -rs [-s] [-M core] [-N system]",
-"       netstat -g [-46W] [-f address_family] [-M core] [-N system]",
-"       netstat -gs [-46s] [-f address_family] [-M core] [-N system]",
-"       netstat -Q");
+"       netstat [-j jail] -rs [-s] [-M core] [-N system]",
+"       netstat [-j jail] -g [-46W] [-f address_family] [-M core] [-N system]",
+"       netstat [-j jail] -gs [-46s] [-f address_family] [-M core] [-N system]",
+"       netstat [-j jail] -Q");
 	xo_finish();
 	exit(1);
 }
diff --git a/usr.bin/netstat/netstat.1 b/usr.bin/netstat/netstat.1
index 1ea45f608550..d347b31d68d9 100644
--- a/usr.bin/netstat/netstat.1
+++ b/usr.bin/netstat/netstat.1
@@ -37,18 +37,21 @@
 .Bk -words
 .Bl -tag -width "netstat"
 .It Nm
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46AaCLnPRSTWx
 .Op Fl f Ar protocol_family | Fl p Ar protocol
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl i | I Ar interface
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46abdhnW
 .Op Fl f Ar address_family
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl w Ar wait
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl I Ar interface
 .Op Fl 46d
@@ -56,46 +59,55 @@
 .Op Fl N Ar system
 .Op Fl q Ar howmany
 .It Nm Fl s
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46sz
 .Op Fl f Ar protocol_family | Fl p Ar protocol
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl i | I Ar interface Fl s
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46s
 .Op Fl f Ar protocol_family | Fl p Ar protocol
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl m
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl B
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl z
 .Op Fl I Ar interface
 .It Nm Fl r
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46nW
 .Op Fl F Ar fibnum
 .Op Fl f Ar address_family
 .It Nm Fl rs
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl s
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl g
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46W
 .Op Fl f Ar address_family
 .It Nm Fl gs
+.Op Fl j Ar jail
 .Op Fl -libxo
 .Op Fl 46s
 .Op Fl f Ar address_family
 .Op Fl M Ar core
 .Op Fl N Ar system
 .It Nm Fl Q
+.Op Fl j Ar jail
 .Op Fl -libxo
 .El
 .Ek
@@ -114,6 +126,7 @@ depending on the options for the information presented.
 .Op Fl f Ar protocol_family | Fl p Ar protocol
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Display a list of active sockets
@@ -252,6 +265,8 @@ See
 .Sx GENERAL OPTIONS .
 .It Fl N
 Use an alternative kernel image.
+.It Fl j Ar jail
+Run inside a jail.
 See
 .Sx GENERAL OPTIONS .
 .El
@@ -263,6 +278,7 @@ See
 .Op Fl f Ar address_family
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Show the state of all network interfaces or a single
@@ -324,6 +340,10 @@ Filter by
 .Ar protocol_family .
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -334,6 +354,7 @@ See
 .Op Fl M Ar core
 .Op Fl N Ar system
 .Op Fl q Ar howmany
+.Op Fl j Ar jail
 .Ek
 .Xc
 At intervals of
@@ -382,6 +403,10 @@ See
 Exit after
 .Ar howmany
 outputs.
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -391,6 +416,7 @@ outputs.
 .Op Fl f Ar protocol_family | Fl p Ar protocol
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Display system-wide statistics for each network protocol.
@@ -427,6 +453,10 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -436,6 +466,7 @@ See
 .Op Fl f Ar protocol_family | Fl p Ar protocol
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Display per-interface statistics for each network protocol.
@@ -470,6 +501,10 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -477,6 +512,7 @@ See
 .Fl m
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Show statistics recorded by the memory management routines
@@ -491,6 +527,10 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -498,6 +538,7 @@ See
 .Fl B
 .Op Fl z
 .Op Fl I Ar interface
+.Op Fl j Ar jail
 .Ek
 .Xc
 Show statistics about
@@ -534,6 +575,10 @@ For more information about these flags, please refer to
 .Bl -tag -width indent
 .It Fl z
 Reset statistic counters after displaying them.
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -544,6 +589,7 @@ Reset statistic counters after displaying them.
 .Op Fl f Ar address_family
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Display the contents of routing tables.
@@ -628,6 +674,10 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -636,6 +686,7 @@ See
 .Op Fl s
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Display routing statistics.
@@ -652,6 +703,10 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -661,6 +716,7 @@ See
 .Op Fl f Ar address_family
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Display the contents of the multicast virtual interface tables,
@@ -696,6 +752,10 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
@@ -705,6 +765,7 @@ See
 .Op Fl f Ar address_family
 .Op Fl M Ar core
 .Op Fl N Ar system
+.Op Fl j Ar jail
 .Ek
 .Xc
 Show multicast routing statistics.
@@ -734,11 +795,16 @@ See
 Use an alternative kernel image
 See
 .Sx GENERAL OPTIONS .
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .It Xo
 .Bk -words
 .Nm
 .Fl Q
+.Op Fl j Ar jail
 .Ek
 .Xc
 Show
@@ -749,6 +815,10 @@ The flags field shows available ISR handlers:
 .It Li C Ta Dv NETISR_SNP_FLAGS_M2CPUID Ta "Able to map mbuf to cpu id"
 .It Li D Ta Dv NETISR_SNP_FLAGS_DRAINEDCPU  Ta "Has queue drain handler"
 .It Li F Ta Dv NETISR_SNP_FLAGS_M2FLOW Ta "Able to map mbuf to flow id"
+.It Fl j Ar jail
+Run inside a jail.
+See
+.Sx GENERAL OPTIONS .
 .El
 .El
 .Ss GENERAL OPTIONS
@@ -808,6 +878,13 @@ Wider output; expand address fields, etc, to avoid truncation.
 Non-numeric values such as domain names may still be truncated; use the
 .Fl n
 option if necessary to avoid ambiguity.
+.It Fl j Ar jail
+Perform the actions inside the
+.Ar jail .
+This allows network state to be accessed even if the
+.Cm netstat
+binary is not available in the
+.Ar jail .
 .El
 .Sh EXAMPLES
 Show packet traffic information (packets, bytes, errors, packet drops, etc) for