git: 06c41801afac - main - svcj: correctly handle kernels without INET or INET6

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Lexi Winter <ivy_at_FreeBSD.org>
Date: Wed, 28 May 2025 01:16:43 UTC
The branch main has been updated by ivy:

URL: https://cgit.FreeBSD.org/src/commit/?id=06c41801afacbcfb2912a6716788a2c26e94ea00

commit 06c41801afacbcfb2912a6716788a2c26e94ea00
Author:     Lexi Winter <ivy@FreeBSD.org>
AuthorDate: 2025-05-27 07:31:18 +0000
Commit:     Lexi Winter <ivy@FreeBSD.org>
CommitDate: 2025-05-28 01:16:30 +0000

    svcj: correctly handle kernels without INET or INET6
    
    If either INET or INET6 is not enabled in the kernel, then the jail(8)
    options ip4=<new|inherit> resp. ip6=<new|inherit> are not available.
    Detect this case and don't try to provide those options, otherwise
    svcjs will not start.
    
    Do this automatically (without a warning) so that net_basic, which
    includes both netv4 and netv6, continues to work as expected.
    
    If _svcj_ipaddrs is explicitly configured with an address for an IP
    version not supported by the kernel, issue a warning but continue to
    start the service.  This can result in the service being started with
    fewer addresses than expected, but never more.
    
    Reviewed by:    netchild, des
    Approved by:    des (mentor)
    Differential Revision:  https://reviews.freebsd.org/D49976
---
 libexec/rc/rc.subr | 52 ++++++++++++++++++++++++++++++++++------------------
 1 file changed, 34 insertions(+), 18 deletions(-)

diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr
index e2a30d9fc9bd..2eaf336b5220 100644
--- a/libexec/rc/rc.subr
+++ b/libexec/rc/rc.subr
@@ -1214,27 +1214,43 @@ run_rc_command()
 		fi
 	fi
 
-	_svcj_ip="inherit"
 	_svcj_ip4_addrs=""
 	_svcj_ip6_addrs=""
-
-	for addr in $_svcj_ipaddrs; do
-		case $addr in
-			*:*) _svcj_ip6_addrs="$addr,${_svcj_ip6_addrs}" ;;
-			*) _svcj_ip4_addrs="$addr,${_svcj_ip4_addrs}" ;;
-		esac
-	done
-
 	_svcj_cmd_options=""
 
-	if [ -n "$_svcj_ip4_addrs" ]; then
-		_svcj_cmd_options="ip4.addr=${_svcj_ip4_addrs%*,} ${_svcj_cmd_options}"
+	if [ -n "$_svcj_ipaddrs" ]; then
 		_svcj_ip="new"
+
+		for addr in $_svcj_ipaddrs; do
+			case $addr in
+				*:*) _svcj_ip6_addrs="$addr,${_svcj_ip6_addrs}" ;;
+				*) _svcj_ip4_addrs="$addr,${_svcj_ip4_addrs}" ;;
+			esac
+		done
+	else
+		_svcj_ip="inherit"
 	fi
 
-	if [ -n "$_svcj_ip6_addrs" ]; then
-		_svcj_cmd_options="ip6.addr=${_svcj_ip6_addrs%*,} ${_svcj_cmd_options}"
-		_svcj_ip="new"
+	if check_kern_features inet; then
+		_svcj_ip4="ip4=${_svcj_ip}"
+		if [ -n "$_svcj_ip4_addrs" ]; then
+			_svcj_cmd_options="ip4.addr=${_svcj_ip4_addrs%*,} ${_svcj_cmd_options}"
+		fi
+	else
+		if [ -n "$_svcj_ip4_addrs" ]; then
+			warn "$rc_service: ${name}_svcj_ipaddrs contains at least one IPv4 address, but IPv4 is not enabled in the kernel; IPv4 addresses will be ignored."
+		fi
+	fi
+
+	if check_kern_features inet6; then
+		_svcj_ip6="ip6=${_svcj_ip}"
+		if [ -n "$_svcj_ip6_addrs" ]; then
+			_svcj_cmd_options="ip6.addr=${_svcj_ip6_addrs%*,} ${_svcj_cmd_options}"
+		fi
+	else
+		if [ -n "$_svcj_ip6_addrs" ]; then
+			warn "$rc_service: ${name}_svcj_ipaddrs contains at least one IPv6 address, but IPv6 is not enabled in the kernel; IPv6 addresses will be ignored."
+		fi
 	fi
 
 	if [ -n "$_svcj_options" ]; then	# translate service jail options
@@ -1245,19 +1261,19 @@ run_rc_command()
 					_svcj_cmd_options="allow.mlock ${_svcj_cmd_options}"
 					;;
 				netv4)
-					_svcj_cmd_options="ip4=${_svcj_ip} allow.reserved_ports ${_svcj_cmd_options}"
+					_svcj_cmd_options="${_svcj_ip4} allow.reserved_ports ${_svcj_cmd_options}"
 					;;
 				netv6)
-					_svcj_cmd_options="ip6=${_svcj_ip} allow.reserved_ports ${_svcj_cmd_options}"
+					_svcj_cmd_options="${_svcj_ip6} allow.reserved_ports ${_svcj_cmd_options}"
 					;;
 				net_basic)
-					_svcj_cmd_options="ip4=${_svcj_ip} ip6=${_svcj_ip} allow.reserved_ports ${_svcj_cmd_options}"
+					_svcj_cmd_options="${_svcj_ip4} ${_svcj_ip6} allow.reserved_ports ${_svcj_cmd_options}"
 					;;
 				net_raw)
 					_svcj_cmd_options="allow.raw_sockets ${_svcj_cmd_options}"
 					;;
 				net_all)
-					_svcj_cmd_options="allow.socket_af allow.raw_sockets allow.reserved_ports ip4=${_svcj_ip} ip6=${_svcj_ip} ${_svcj_cmd_options}"
+					_svcj_cmd_options="allow.socket_af allow.raw_sockets allow.reserved_ports ${_svcj_ip4} ${_svcj_ip6} ${_svcj_cmd_options}"
 					;;
 				nfsd)
 					_svcj_cmd_options="allow.nfsd enforce_statfs=1 ${_svcj_cmd_options}"