svn commit: r339411 - stable/11/sys/kern
James Gritton
jamie at freebsd.org
Fri Oct 19 02:35:27 UTC 2018
On 2018-10-18 16:14, Julian Elischer wrote:
> On 17/10/18 9:17 am, Jamie Gritton wrote:
>> Author: jamie
>> Date: Wed Oct 17 16:17:57 2018
>> New Revision: 339411
>> URL: https://svnweb.freebsd.org/changeset/base/339411
>>
>> Log:
>> MFC r339211:
>> Fix the test prohibiting jails from sharing IP addresses.
>> It's not supposed to be legal for two jails to contain the same IP address,
>> unless both jails contain only that one address. This is the behavior
>> documented in jail(8), and is there to prevent confusion when multiple
>> jails are listening on IADDR_ANY.
>> VIMAGE jails (now the default for GENERIC kernels) test this correctly,
>> but non-VIMAGE jails have been performing an incomplete test when nested
>> jails are used.
> I think VIMAGE Jails should be able to have the same address
> optionally.. who says they are even in the same universe?
Indeed. This is just bad wording - vnet jails didn't have such a
restriction before this commit, and nothing has changed. When I said
they test this correctly, it was about how jails that are descendants of
vnet jails correctly check all other descendants of their vnet-enabled
ancestor (also correct before, and unchanged).
For vnet jails themselves, the altered code blocks aren't even executed
(because "ip4s > 0" and "ip6s > 0" apply only to non-vnet).
- Jamie
>>
>> Modified:
>> stable/11/sys/kern/kern_jail.c
>> Directory Properties:
>> stable/11/ (props changed)
>>
>> Modified: stable/11/sys/kern/kern_jail.c
>> ==============================================================================
>> --- stable/11/sys/kern/kern_jail.c Wed Oct 17 16:17:56 2018 (r339410)
>> +++ stable/11/sys/kern/kern_jail.c Wed Oct 17 16:17:57 2018 (r339411)
>> @@ -1411,11 +1411,12 @@ kern_jail_set(struct thread *td, struct uio
>> *optuio, i
>> * there is a duplicate on a jail with more than one
>> * IP stop checking and return error.
>> */
>> - tppr = ppr;
>> #ifdef VIMAGE
>> - for (; tppr != &prison0; tppr = tppr->pr_parent)
>> + for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent)
>> if (tppr->pr_flags & PR_VNET)
>> break;
>> +#else
>> + tppr = &prison0;
>> #endif
>> FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) {
>> if (tpr == pr ||
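Review bot: The block comment above the changed lines in this hunk states only the duplicate rule ("If there is a duplicate on a jail with more than one IP stop checking and return error") and says nothing about which jails are scanned, yet the scan root is exactly what this change corrects: the removed `tppr = ppr;` left the non-VIMAGE walk rooted at the parent, and the new `#else` branch roots it at `&prison0`. Extending the comment to say that the walk starts at the nearest `PR_VNET` ancestor, or at `prison0` when there is none or VIMAGE is not compiled in, would make the intended scope checkable by the next reader.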
>> @@ -1478,11 +1479,12 @@ kern_jail_set(struct thread *td, struct uio
>> *optuio, i
>> }
>> }
>> /* Check for conflicting IP addresses. */
>> - tppr = ppr;
>> #ifdef VIMAGE
>> - for (; tppr != &prison0; tppr = tppr->pr_parent)
>> + for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent)
>> if (tppr->pr_flags & PR_VNET)
>> break;
>> +#else
>> + tppr = &prison0;
>> #endif
>> FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) {
>> if (tpr == pr ||
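Review bot: The root-selection sequence at the top of this hunk (the `for (tppr = ppr; ...)` walk under `#ifdef VIMAGE` followed by `#else` / `tppr = &prison0;`) is a line-for-line copy of the one in the hunk at -1411, so the same correction had to be applied twice in `kern_jail_set`. Moving it into a small static helper that returns the scan root for `ppr` would mean any later change to the scope of the conflict check is made in one place.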
>>
>>
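A user-space model of the sharing rule and scan root described in the commit log, showing why a scan rooted at the new jail's parent misses a conflicting jail in a sibling subtree while a scan rooted at the host finds it. This is an added example, not part of the original message and not FreeBSD code: `struct jail`, `is_descendant()`, `ip_conflict()` and the sample tree are hypothetical and constructed, and a jail with `naddr == 0` is assumed to have no address list of its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified user-space model, not kernel code; all names are hypothetical. */
struct jail {
	struct jail *parent;	/* NULL only for the host */
	int naddr;		/* 0 = no address list of its own (assumption) */
	uint32_t addr[2];
};

/* Constructed tree: host -> a -> {web, two} and host -> b -> {db, one}. */
static struct jail host = { NULL, 0, { 0 } };
static struct jail a = { &host, 0, { 0 } }, b = { &host, 0, { 0 } };
static struct jail web = { &a, 2, { 0x0a000001, 0x0a000002 } };
static struct jail db = { &b, 2, { 0x0a000001, 0x0a000003 } };
static struct jail one = { &b, 1, { 0x0a000009 } }, two = { &a, 1, { 0x0a000009 } };
static struct jail *all[] = { &host, &a, &b, &web, &db, &one, &two };

/* 1 if j lies strictly below root in the tree. */
static int is_descendant(const struct jail *j, const struct jail *root)
{
	for (j = j->parent; j != NULL; j = j->parent)
		if (j == root)
			return (1);
	return (0);
}

/* 1 if nj shares an address with a jail below root, unless both hold one. */
static int ip_conflict(const struct jail *root, const struct jail *nj)
{
	for (size_t i = 0; i < sizeof(all) / sizeof(all[0]); i++) {
		const struct jail *t = all[i];
		if (t == nj || t->naddr == 0 || !is_descendant(t, root))
			continue;
		if (t->naddr == 1 && nj->naddr == 1)
			continue;	/* single-address jails may share */
		for (int x = 0; x < nj->naddr; x++)
			for (int y = 0; y < t->naddr; y++)
				if (nj->addr[x] == t->addr[y])
					return (1);
	}
	return (0);
}

int main(void)
{
	printf("old=%d new=%d\n", ip_conflict(db.parent, &db), ip_conflict(&host, &db));
	return (0);
}
```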