Multiple ip-numbers in jails (fixed INADDR_ANY behaviour).

Pawel Jakub Dawidek nick at garage.freebsd.pl
Wed Apr 16 05:02:10 PDT 2003


On Wed, Apr 16, 2003 at 12:25:11PM +0100, Jan Grant wrote:
+> > Another thing are priorities.
+> > When port X is opened on main host and in jail as INADDR_ANY, current
+> > implementation of jail converts INADDR_ANY to jail's IP.
+> > When we're connecting to this port we will connect to jail's daemon,
+> > because "exactly match" is there.
+> > In my solution looking for opened port is in this order:
+> > 	1. non-jailed, non-wild.
+> > 	2. non-jailed, wild.
+> > 	3. jailed, non-wild.
+> > 	4. jailed, wild.
+> 
+> Hang on, so you're saying that if my machine has (say) 4 IP addresses,
+> and the jail has two of them, and I've a process listening on INADDR_ANY
+> in a non-jail, and one listening on INADDR_ANY in a jail, then a
+> connection to one of the jailed IPs will wind up with the non-jail
+> process?

In the current implementation - yes, because there is no INADDR_ANY in a jail,
because the INADDR_ANY address is translated to the jail's IP when bind(2)
is called. When a connection arrives the kernel chooses an "exact match" first,
and the "exact match" is the real IP number. If there is no "exact match",
INADDR_ANY is taken. But check this out by yourself:

	# /usr/sbin/sshd -p 666
	# jail / temp <yourip> /usr/sbin/sshd -p 666
	# ssh -p 666 <yourip>
	# hostname

(sshd binds to INADDR_ANY by default)

-- 
Pawel Jakub Dawidek                       pawel at dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
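The two selection policies discussed in this thread, as an added illustrative model written for this page (it is not FreeBSD kernel code, and the listener names, addresses and helper names are constructed): `bind_current`/`lookup_current` follow the reply above (in a jail, INADDR_ANY is rewritten to the jail's IP at bind(2) time; on an incoming connection an exact match wins, otherwise a wildcard socket is taken), while `bind_proposed`/`lookup_proposed` follow the four-step order in the quoted proposal, with a jailed wildcard socket only eligible for traffic to one of its jail's IPs. Running `demo()` shows which listener each policy hands a connection to.

```python
"""Constructed model of listening-socket selection with jails.

Illustrative only: the socket table, the addresses and the policy names are
invented for this example; this is not the in_pcb lookup code of FreeBSD.
All listeners are assumed to be on the same port (666 in the test in the mail).
"""

INADDR_ANY = "0.0.0.0"


class Listener:
    def __init__(self, name, jail_ips, addr):
        self.name = name          # label for the listening process (constructed)
        self.jail_ips = jail_ips  # frozenset of the jail's IPs, or None on the host
        self.addr = addr          # address the socket ended up bound to

    @property
    def jailed(self):
        return self.jail_ips is not None

    @property
    def wild(self):
        return self.addr == INADDR_ANY


def bind_current(table, name, jail_ips, addr):
    """bind(2) as the reply describes it: inside a jail INADDR_ANY becomes the
    jail's IP, so no jailed socket is ever left wild (one IP per jail)."""
    if jail_ips is not None and addr == INADDR_ANY:
        (addr,) = jail_ips  # current jails carry exactly one IP in this model
    table.append(Listener(name, jail_ips, addr))


def lookup_current(table, dst_ip):
    """Exact match on the destination address first, otherwise the first
    wildcard socket; returns the name of the chosen listener or None."""
    for l in table:
        if l.addr == dst_ip:
            return l.name
    for l in table:
        if l.wild:
            return l.name
    return None


def bind_proposed(table, name, jail_ips, addr):
    """Proposed bind(2): INADDR_ANY stays INADDR_ANY, also inside a jail."""
    table.append(Listener(name, jail_ips, addr))


def lookup_proposed(table, dst_ip):
    """Quoted four-step order: non-jailed non-wild, non-jailed wild,
    jailed non-wild, jailed wild. A jailed socket is only considered when
    the destination is one of its jail's IPs."""
    def eligible(l):
        if l.jailed and dst_ip not in l.jail_ips:
            return False
        return l.addr == dst_ip or l.wild

    for jailed in (False, True):        # non-jailed tiers come first
        for wild in (False, True):      # within a tier, exact before wild
            for l in table:
                if l.jailed == jailed and l.wild == wild and eligible(l):
                    return l.name
    return None


def demo():
    """Host owns 10.0.0.1-4; the jail owns 10.0.0.3 (and .4 under the
    proposal). Both the host and the jail run a daemon bound to INADDR_ANY
    on the same port, as in the sshd test from the mail."""
    cur = []
    bind_current(cur, "host-sshd", None, INADDR_ANY)
    bind_current(cur, "jail-sshd", frozenset({"10.0.0.3"}), INADDR_ANY)

    prop = []
    bind_proposed(prop, "host-sshd", None, INADDR_ANY)
    bind_proposed(prop, "jail-sshd", frozenset({"10.0.0.3", "10.0.0.4"}), INADDR_ANY)
    # A jailed daemon bound explicitly to one of its IPs (tier 3) still ranks
    # below the host's wildcard socket (tier 2) under the proposed order.
    bind_proposed(prop, "jail-httpd", frozenset({"10.0.0.3", "10.0.0.4"}), "10.0.0.4")

    return {
        "current": {ip: lookup_current(cur, ip) for ip in ("10.0.0.1", "10.0.0.3")},
        "proposed": {ip: lookup_proposed(prop, ip)
                     for ip in ("10.0.0.1", "10.0.0.3", "10.0.0.4")},
    }


if __name__ == "__main__":
    for policy, result in demo().items():
        for ip, name in result.items():
            print(f"{policy:8s} connect to {ip} -> {name}")
```

Under the current policy the jailed daemon wins a connection to the jail's IP because its translated address is an exact match, while under the proposed order the host's wildcard socket takes connections to every address, including the jail's, unless a non-jailed socket is bound more specifically; that difference is exactly what the question in the quoted text is probing.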