svn commit: r195998 - head/usr.sbin/jail

Jamie Gritton jamie at FreeBSD.org
Fri Jul 31 14:30:06 UTC 2009


Author: jamie
Date: Fri Jul 31 14:30:06 2009
New Revision: 195998
URL: http://svn.freebsd.org/changeset/base/195998

Log:
  Handle kernels that don't have IPv6 by not sending an "ip6.addr"
  parameter unless a (numeric) IPv6 address is given.  Even the default
  binaries built with -DINET6 will work with IPv6-less kernels.  With an
  eye to the future, similarly handle the possibility of an IPv4-less kernel.
  
  Approved by:	re (kib), bz (mentor)

Modified:
  head/usr.sbin/jail/jail.c

Modified: head/usr.sbin/jail/jail.c
==============================================================================
--- head/usr.sbin/jail/jail.c	Fri Jul 31 14:19:57 2009	(r195997)
+++ head/usr.sbin/jail/jail.c	Fri Jul 31 14:30:06 2009	(r195998)
@@ -231,10 +231,11 @@ main(int argc, char **argv)
 		set_param("host.hostname", argv[1]);
 		if (hflag)
 			add_ip_addrinfo(0, argv[1]);
+		if (argv[2][0] != '\0')
 #ifdef INET6
-		add_ip_addr46(argv[2]);
+			add_ip_addr46(argv[2]);
 #else
-		add_ip_addr(&ip4_addr, argv[2]);
+			add_ip_addr(&ip4_addr, argv[2]);
 #endif
 		cmdarg = 3;
 		/* Emulate the defaults from security.jail.* sysctls */
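Review bot: An empty `argv[2]` now sends no address parameter at all, and nothing at the new `if (argv[2][0] != '\0')` says what that means for the jail's address restriction. The branch removed from add_ip_addr46 in the next hunk used to hand the empty string to both address lists, so this looks like a behaviour change for callers that pass an empty list; whether the kernel treats an absent parameter differently from an empty one is not visible in this diff. I would document it in place, e.g. `/* Empty address list: send no ip4.addr/ip6.addr; the kernel default applies. */`. The unbraced `if` also has its body split across `#ifdef INET6`/`#else`, so writing `if (argv[2][0] != '\0') {` with a closing `}` after the `#endif` would keep the guard attached whichever branch is compiled. main's body starts and ends outside the hunk.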
@@ -374,11 +375,6 @@ add_ip_addr46(char *value)
 {
 	char *p, *np;
 
-	if (!value[0]) {
-		add_ip_addr(&ip4_addr, value);
-		add_ip_addr(&ip6_addr, value);
-		return;
-	}
 	for (p = value;; p = np + 1)
 	{
 		np = strchr(p, ',');
@@ -396,10 +392,13 @@ add_ip_addrinfo(int ai_flags, char *valu
 {
 	struct addrinfo hints, *ai0, *ai;
 	struct in_addr addr4;
-	int error;
+	size_t size;
+	int error, ip4ok;
+	int mib[4];
 	char avalue4[INET_ADDRSTRLEN];
 #ifdef INET6
 	struct in6_addr addr6;
+	int ip6ok;
 	char avalue6[INET6_ADDRSTRLEN];
 #endif
 
@@ -415,11 +414,34 @@ add_ip_addrinfo(int ai_flags, char *valu
 	error = getaddrinfo(value, NULL, &hints, &ai0);
 	if (error != 0)
 		errx(1, "hostname %s: %s", value, gai_strerror(error));
+
+	/*
+	 * Silently ignore unsupported address families from DNS lookups.
+	 * But if this is a numeric address, let the kernel give the error.
+	 */
+	if (ai_flags & AI_NUMERICHOST)
+		ip4ok =
+#ifdef INET6
+		    ip6ok =
+#endif
+		    1;
+	else {
+		size = 4;
+		ip4ok = (sysctlnametomib("security.jail.param.ip4", mib,
+		    &size) == 0);
+#ifdef INET6
+		size = 4;
+		ip6ok = (sysctlnametomib("security.jail.param.ip6", mib,
+		    &size) == 0);
+#endif
+	}
 	
 	/* Convert the addresses to ASCII so set_param can convert them back. */
 	for (ai = ai0; ai; ai = ai->ai_next)
 		switch (ai->ai_family) {
 		case AF_INET:
+			if (!ip4ok)
+				break;
 			memcpy(&addr4, &((struct sockaddr_in *)
 			    (void *)ai->ai_addr)->sin_addr, sizeof(addr4));
 			if (inet_ntop(AF_INET, &addr4, avalue4,
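Review bot: Any failure of sysctlnametomib() in the new `else` branch is read as "address family not supported", so an unrelated error makes the AF_INET case here (and the AF_INET6 case in the next hunk) skip every resolved address without a message. These addresses presumably become the jail's address list, so only a missing node (ENOENT) should count as an absent family and other errors should be fatal. A warning when a hostname lookup contributes no address at all would also help operators notice the silent skip. The literal `size = 4` repeats the length of `mib[4]` from the declarations hunk and is better derived from the array. The fence assumes errno is declared in this file, which the hunk does not show; add_ip_addrinfo starts and ends outside the hunk.
```c
	else {
		size = sizeof(mib) / sizeof(mib[0]);
		ip4ok = (sysctlnametomib("security.jail.param.ip4", mib,
		    &size) == 0);
		/* Only a missing node means the family is unsupported. */
		if (!ip4ok && errno != ENOENT)
			err(1, "sysctlnametomib: security.jail.param.ip4");
		/* … INET6 block: same size reset and errno check for security.jail.param.ip6 … */
	}
```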
@@ -429,6 +451,8 @@ add_ip_addrinfo(int ai_flags, char *valu
 			break;
 #ifdef INET6
 		case AF_INET6:
+			if (!ip6ok)
+				break;
 			memcpy(&addr6, &((struct sockaddr_in6 *)
 			    (void *)ai->ai_addr)->sin6_addr, sizeof(addr6));
 			if (inet_ntop(AF_INET6, &addr6, avalue6,

