Allow explicitly assigned IPv4 loopback address to be used in jails

If a jail has an explicitly assigned loopback address then allow it to be
used instead of remapping requests for the loopback adddress to the first
IPv4 address assigned to the jail.

This fixes issues where applications attempt to detect their bound port
where they requested a loopback address, which was available, but instead
the kernel remapped it to the jails first address.

A example of this is binding nginx to 127.0.0.1 and then running "service
nginx upgrade" which before this change would cause nginx to fail.

Also:
* Correct the description of prison_check_ip4_locked to match the code.

MFC after:	2 weeks
Relnotes:	Yes
Sponsored by:	Multiplay
This commit is contained in:
Steven Hartland 2017-03-31 00:41:54 +00:00
parent 39b7ca4533
commit 6ebc1b7b7d
2 changed files with 14 additions and 9 deletions

View File

@ -51,6 +51,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 12.x IS SLOW:
****************************** SPECIAL WARNING: ******************************
20170331:
Binds and sends to the IPv4 loopback address (127.0.0.1) will now
use any explicitly assigned loopback address available in the jail
instead of using the first assigned IPv4 address of the jail.
20170329:
The ctl.ko module no longer implements the iSCSI target frontend:
cfiscsi.ko does instead.

View File

@ -306,11 +306,6 @@ prison_local_ip4(struct ucred *cred, struct in_addr *ia)
}
ia0.s_addr = ntohl(ia->s_addr);
if (ia0.s_addr == INADDR_LOOPBACK) {
ia->s_addr = pr->pr_ip4[0].s_addr;
mtx_unlock(&pr->pr_mtx);
return (0);
}
if (ia0.s_addr == INADDR_ANY) {
/*
@ -323,6 +318,11 @@ prison_local_ip4(struct ucred *cred, struct in_addr *ia)
}
error = prison_check_ip4_locked(pr, ia);
if (error == EADDRNOTAVAIL && ia0.s_addr == INADDR_LOOPBACK) {
ia->s_addr = pr->pr_ip4[0].s_addr;
error = 0;
}
mtx_unlock(&pr->pr_mtx);
return (error);
}
@ -354,7 +354,8 @@ prison_remote_ip4(struct ucred *cred, struct in_addr *ia)
return (EAFNOSUPPORT);
}
if (ntohl(ia->s_addr) == INADDR_LOOPBACK) {
if (ntohl(ia->s_addr) == INADDR_LOOPBACK &&
prison_check_ip4_locked(pr, ia) == EADDRNOTAVAIL) {
ia->s_addr = pr->pr_ip4[0].s_addr;
mtx_unlock(&pr->pr_mtx);
return (0);
@ -370,9 +371,8 @@ prison_remote_ip4(struct ucred *cred, struct in_addr *ia)
/*
* Check if given address belongs to the jail referenced by cred/prison.
*
* Returns 0 if jail doesn't restrict IPv4 or if address belongs to jail,
* EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail
* doesn't allow IPv4. Address passed in in NBO.
* Returns 0 if address belongs to jail,
* EADDRNOTAVAIL if the address doesn't belong to the jail.
*/
int
prison_check_ip4_locked(const struct prison *pr, const struct in_addr *ia)