jail - add jail.defaults.allow_listen_override

Operating Systems / DragonFlyBSD - Matthew Dillon [apollo.backplane.com] - 24 February 2020 07:20 EST

- Add jail.defaults.allow_listen_override (also per-jail settable). This feature is disabled by default.

When enabled, this feature allows both wildcard and non-wildcard listen sockets in the jail to override wildcard listen sockets on the host. These sockets will be masked by the jail's IP list, meaning that a wildcard socket in the jail effectively covers just the jail's IP list.

Non-wildcard listen sockets on the host are not overridden.

Use of this feature allows the host to operate normally, without having to make its services jail-friendly. Only those services which bind to specific IPs that might conflict with the jail IPs will need modification, and only if the jail needs to have that service as well.

- In order to use the feature safely each jail should be given its own unique IPs for both localhost and its externally routable IP. For example:

jail -u root / tr3990xJ 127.0.0.2,10.0.0.139 /bin/csh

ifconfig can be used on the host to create multiple 127.0.0.X aliases on lo0 and to assign additional routable IPs to the machine for use in its jails. For example:

ifconfig lo0 inet 127.0.0.2 alias
ifconfig lo0 inet 127.0.0.3 alias
ifconfig lo0 inet6 ::2 alias
ifconfig lo0 inet6 ::3 alias
ifconfig em0 inet 10.0.0.139 netmask 255.255.0.0 alias
ifconfig em0 inet 10.0.0.140 netmask 255.255.0.0 alias



- Within a jail, use of localhost (127.0.0.1 or ::1) will automatically be converted to the jail's localhost IP (such as 127.0.0.2). Also, accept(), getsockname(), and getpeername() will translate the jail's localhost IP back to 127.0.0.1 or ::1. Most services within the jail can thus use localhost without being the wiser.

- Listen address/port pairs within a jail can now be overloaded with the same address/port pairs on the host, or overloaded versus other jails without generating an error. However, accessibility to these ports is governed by the 'jail.defaults.allow_listen_override' sysctl setting for the jail (or the jail-specific version of the same sysctl).

Any jail-to-jail overloading of identical address/port pairs is allowed, but operationally undefined. Only one jail will receive connections.

It is best to supply each jail with its own unique local and routable IPs.

- IPV6 is now fully supported using the same mechanisms. You can supply a mix of IPV4 and IPV6 addresses in the jail command if desired. The overloading feature works the same.

2ea2781e4d jail - add jail.defaults.allow_listen_override
sys/kern/kern_jail.c | 73 ++++++++++-
sys/kern/uipc_syscalls.c | 12 +-
sys/net/if.c | 3 +-
sys/netinet/in_pcb.c | 320 +++++++++++++++++++++++++++++++++++------------
sys/netinet/in_pcb.h | 2 +-
sys/netinet6/in6_pcb.c | 137 ++++++++++++--------
sys/sys/jail.h | 2 +
usr.sbin/jail/jail.8 | 144 ++++++++++++---------
8 files changed, 497 insertions(+), 196 deletions(-)
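
The listener precedence described in the commit message, written as a small decision function for one jail. This is an added illustration, not DragonFly kernel code or part of the commit: the struct and function names are hypothetical, the listener table is constructed, and the result with the override disabled (the host wildcard socket wins) is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not DragonFly kernel code; all names are hypothetical. */
struct listener { const char *owner; const char *addr; int port; }; /* addr NULL = wildcard */
struct jail_cfg { const char *name; const char *ips[4]; bool allow_listen_override; };

static bool jail_has_ip(const struct jail_cfg *j, const char *ip) {
    for (size_t i = 0; i < 4 && j->ips[i]; i++)
        if (strcmp(j->ips[i], ip) == 0) return true;
    return false;
}

/* Owner of the listener that receives a connection to dst:port, or NULL. */
const char *pick_listener(const struct listener *ls, size_t n,
                          const struct jail_cfg *j, const char *dst, int port) {
    const char *host_wild = NULL, *jailed = NULL;
    for (size_t i = 0; i < n; i++) {
        if (ls[i].port != port) continue;
        if (ls[i].addr && strcmp(ls[i].addr, dst) != 0) continue;
        if (strcmp(ls[i].owner, j->name) == 0) {
            if (jail_has_ip(j, dst)) jailed = j->name; /* masked by the jail's IP list */
        } else if (ls[i].addr) {
            return "host";          /* non-wildcard host socket is never overridden */
        } else {
            host_wild = "host";
        }
    }
    if (jailed && (j->allow_listen_override || !host_wild)) return jailed;
    return host_wild;  /* assumption: with the override off, the host wildcard wins */
}

/* Constructed sample; jail name and IPs are from the jail command above. */
static const struct listener sample[] = {
    { "host", NULL, 22 },           /* host service on the wildcard address */
    { "host", "10.0.0.139", 80 },   /* host service bound to the jail's routable IP */
    { "tr3990xJ", NULL, 22 },       /* jail service, wildcard bind */
    { "tr3990xJ", NULL, 80 },       /* jail service, wildcard bind */
};

const char *demo(const char *dst, int port, bool override) {
    struct jail_cfg j = { "tr3990xJ", { "127.0.0.2", "10.0.0.139", NULL }, override };
    return pick_listener(sample, sizeof sample / sizeof sample[0], &j, dst, port);
}

int main(void) {
    printf("%s %s\n", demo("10.0.0.139", 22, true), demo("10.0.0.139", 22, false));
    return 0;
}
```

The port 80 entry shows why the commit message recommends unique IPs per jail: a host service bound to the jail's own address keeps receiving that traffic even with the override enabled.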

Upstream: gitweb.dragonflybsd.org

