IP packets from host system showing inside a jail?
Max Laier
max at love2party.net
Sat Mar 12 08:40:20 PST 2005
On Saturday 12 March 2005 15:03, H. S. wrote:
> Hey,
>
> I've noticed something odd.. I'm using FreeBSD 5.3-STABLE with PF, on a
> dual xeon 2.4 system. I have two jails running for web and mail servers.
> Today I was testing something and needed a tcpdump, so inside a jail I
> started tcpdump as root.
>
> To my amazement, IP packets from the host system (IRC connections that
> should NOT show on that jail) were appearing on the tcpdump INSIDE the
> jail!
>
> tcpdump then became unresponsive quickly after capturing those; ^C
> wouldn't kill it and ^Z didn't do anything either. I had to log in from another
> terminal to the host system and killall -KILL tcpdump.
>
> Is this a known bug? IP packets from the host system<->internet should not
> be visible inside the jail.
>
> If you need tcpdump/uname -a etc, I'll provide these when asked.
tcpdump reads "raw" data from the hardware using the bpf socket. There is no
way (implemented) to filter bpf for jails. It'd also be a bit tricky to
realize, as bpf sees "raw" i.e. ethernet packets while jails are an IP-level
construct, so in order to filter bpf for jails one would have to do a lot of
extra work. I don't think there is a "legal" application for bpf inside of a
jail that would justify the additional work.
The only way to avoid this is to not give your jail(s) access to /dev/bpf -
why would you want to in the first place?
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
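As an added check (not part of the original thread, and not FreeBSD project code): the practical consequence of the reply above is that a jail is only as isolated from bpf as its devfs mount is. The script below, run on the host, audits a jail's /dev for visible bpf nodes, which is exactly the condition that lets tcpdump inside the jail see host traffic. The jail root path is an assumption passed as an argument; the test directories are constructed. On FreeBSD releases newer than the 5.3 in the post, the same outcome is normally achieved by mounting the jail's devfs with a ruleset (the devfs_ruleset parameter in jail.conf) that does not unhide bpf*, so this check doubles as a verification that the ruleset actually took effect.

```shell
#!/bin/sh
# Added example (hypothetical, not from the original post or the FreeBSD
# project): audit a jail's /dev for bpf device nodes from the host side.
#
# Rationale (from the thread): bpf captures raw frames below the IP layer
# and is not jail-aware, so a jail that can open /dev/bpf* can sniff every
# packet on the host's interfaces. The fix is to keep bpf out of the jail's
# devfs; this script verifies that.

# count_bpf_nodes DEV_DIR
#   Print the number of bpf device nodes visible in DEV_DIR.
#   Matches both the cloning node "bpf" (newer FreeBSD) and "bpfN" (older).
count_bpf_nodes() {
    dev="$1"
    n=0
    for node in "$dev"/bpf "$dev"/bpf[0-9]*; do
        # An unmatched glob stays literal, so test that the path exists.
        [ -e "$node" ] || continue
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# bpf_visible_in DEV_DIR
#   Succeed (return 0) when at least one bpf node is visible in DEV_DIR,
#   i.e. when tcpdump run inside that jail could capture host traffic.
bpf_visible_in() {
    [ "$(count_bpf_nodes "$1")" -gt 0 ]
}

# audit_jail JAIL_ROOT
#   Report on JAIL_ROOT/dev. Returns 1 on a leaky jail so it can be used
#   in scripts and cron jobs.
audit_jail() {
    root="$1"
    dev="$root/dev"
    if [ ! -d "$dev" ]; then
        printf 'audit_jail: %s is not a directory\n' "$dev" >&2
        return 2
    fi
    if bpf_visible_in "$dev"; then
        printf 'WARNING: %s exposes %s bpf node(s); tcpdump in this jail sees host traffic\n' \
            "$dev" "$(count_bpf_nodes "$dev")"
        ls -l "$dev"/bpf "$dev"/bpf[0-9]* 2>/dev/null
        return 1
    fi
    printf 'OK: no bpf nodes visible in %s\n' "$dev"
    return 0
}

# Usage on a host: audit every jail root given on the command line, e.g.
#   sh audit_jail_bpf.sh /usr/jails/web /usr/jails/mail   (paths are assumed)
if [ "$#" -gt 0 ]; then
    rc=0
    for jail_root in "$@"; do
        audit_jail "$jail_root" || rc=1
    done
    exit "$rc"
fi
```

A clean result here does not mean the jail is safe forever: a later remount of devfs without the restrictive ruleset, or a ruleset edit that adds `add path 'bpf*' unhide`, reintroduces the problem, so the check is worth repeating after jail configuration changes.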