From akr@m17n.org  Wed Aug  9 12:21:28 2000
Return-Path: <akr@m17n.org>
Received: from ripsport.aist.go.jp (ripsport.aist.go.jp [150.29.251.10])
	by hub.freebsd.org (Postfix) with ESMTP id 39BC837C29C
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  9 Aug 2000 12:21:23 -0700 (PDT)
	(envelope-from akr@m17n.org)
Received: from rpsmtp1.aist.go.jp (rpsmtp1.aist.go.jp [150.29.254.30])
	by ripsport.aist.go.jp (8.9.3/3.7W) with ESMTP id EAA19183
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 10 Aug 2000 04:21:17 +0900 (JST)
Received: from eccu1-1.etl.go.jp (localhost [127.0.0.1])
	by rpsmtp1.aist.go.jp (8.9.3/3.7W) with ESMTP id EAA08292
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 10 Aug 2000 04:21:17 +0900 (JST)
Received: from flux.etl.go.jp (dhcpea054 [150.29.203.244])
	by eccu1-1.etl.go.jp (8.9.3/3.7W-ETL-MASTER) with ESMTP id EAA18032
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 10 Aug 2000 04:21:16 +0900 (JST)
Received: by flux.etl.go.jp (Postfix, from userid 23483)
	id 54089404; Thu, 10 Aug 2000 04:21:38 +0900 (JST)
Message-Id: <20000809192138.54089404@flux.etl.go.jp>
Date: Thu, 10 Aug 2000 04:21:38 +0900 (JST)
From: akr@m17n.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: process in jail(8) with 127.0.0.2 cannot connect servers on 127.0.0.1. 
X-Send-Pr-Version: 3.2

>Number:         20508
>Category:       kern
>Synopsis:       process in jail(8) with 127.0.0.2 cannot connect servers on 127.0.0.1
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    phk
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 09 12:30:00 PDT 2000
>Closed-Date:    Sat Sep 16 13:00:09 PDT 2000
>Last-Modified:  Sat Sep 16 13:02:30 PDT 2000
>Originator:     Tanaka Akira
>Release:        FreeBSD 4.0-RELEASE i386
>Organization:
m17n
>Environment:

FreeBSD flux 4.0-RELEASE FreeBSD 4.0-RELEASE #0: Fri Jul  7 00:53:54 JST 2000     akr@flux:/usr/src/sys/compile/AKR  i386

>Description:

When a jail is created with 127.0.0.2 and a jailed process tries to connect
to 127.0.0.1:79 (finger daemon), it cannot connect.

This problem is reproduced for all daemons that explicitly bind to
127.0.0.1 and not reproduced for daemons that accept connections on all
interfaces.

>How-To-Repeat:

Insert the following lines in /etc/rc.conf.

  ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff" 
  inetd_flags="-wW -a 127.0.0.1"

Check lo0 configuration.

# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
        inet6 ::1 prefixlen 128 
        inet 127.0.0.1 netmask 0xff000000 
        inet 127.0.0.2 netmask 0xffffffff 

Check inetd.  inetd listens on 127.0.0.1:79.

inetd listens on 127.0.0.1:79 and telnet to it works well
even if the source IP address is specified as 127.0.0.2.

# netstat -n -a |grep 79
tcp4       0      0  127.0.0.1.79           *.*                    LISTEN
# grep finger /etc/inetd.conf
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
finger  stream  tcp6    nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
# ps auxww|grep inetd
root      372  0.0  0.5  1020  660  p0  S+    4:11AM   0:00.00 grep inetd
root      160  0.0  0.5  1012  676  ??  Ss    4:05AM   0:00.02 inetd -wW -a 127.0.0.1
# grep \^finger /etc/services
finger           79/tcp
finger           79/udp

Without a jail, telnet to it works well even if the source IP address is
specified as 127.0.0.2.

# telnet -s 127.0.0.2 127.0.0.1 79
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
root
Login: root                             Name: Charlie Root
Directory: /root                        Shell: /bin/csh
Last login Tue Aug  8 14:59 (JST) on ttyv1
No Mail.
No Plan.
Connection closed by foreign host.

Set up a jail to run telnet.

# cd /var/tmp
# mkdir jail
# cd jail
# mkdir -p usr/lib usr/libexec 
# cp /usr/libexec/ld-elf.so.1 usr/libexec
# ldd /usr/bin/telnet 
/usr/bin/telnet:
        libncurses.so.5 => /usr/lib/libncurses.so.5 (0x2807a000)
        libcrypto.so.1 => /usr/lib/libcrypto.so.1 (0x280b9000)
        libkrb.so.3 => /usr/lib/libkrb.so.3 (0x28156000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x2816f000)
        libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x28184000)
        libmp.so.3 => /usr/lib/libmp.so.3 (0x28186000)
        libipsec.so.0 => /usr/lib/libipsec.so.0 (0x28190000)
        libc.so.4 => /usr/lib/libc.so.4 (0x2819a000)
# cp /usr/lib/libncurses.so.5 /usr/lib/libcrypto.so.1 /usr/lib/libkrb.so.3 /usr/lib/libcrypt.so.2 /usr/lib/libcom_err.so.2 /usr/lib/libmp.so.3 /usr/lib/libipsec.so.0 /usr/lib/libc.so.4 usr/lib
# cp /usr/bin/telnet .

Run telnet and it fails.

# jail /var/tmp/jail xxx 127.0.0.2 /telnet 127.0.0.1 79
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host

I think it shouldn't fail.

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->phk 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Thu Aug 10 03:15:49 PDT 2000 
Responsible-Changed-Why:  
Over to the maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20508 
State-Changed-From-To: open->closed 
State-Changed-By: phk 
State-Changed-When: Sat Sep 16 13:00:09 PDT 2000 
State-Changed-Why:  
First, thanks for the comprehensive PR, it is unfortunately 
seldom that PRs have this high level of information on how 
to reproduce the problem. 

Second, no, it is not a bug. 

The jail interface has to emulate the loopback aspect of 127.0.0.1 
to make things work in general. 

When you telnet to 127.0.0.1 inside the jail, you cannot contact 
the inetd outside the jail, you should be contacting the inetd 
inside your own jail.  If you try to start an inetd inside the 
jail, you will see this work as expected. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20508 
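The loopback emulation phk describes, as a simplified Python model added here (constructed for illustration; it is not FreeBSD kernel code and not part of the PR): a jailed bind() to INADDR_ANY or 127.0.0.1 lands on the jail's own address, a jailed connect() to 127.0.0.1 is redirected to the jail's address, and the kernel then looks up the listener by exact (address, port) before falling back to a wildcard listener. The listener table is constructed sample data modelled on the netstat output above.

```python
"""Simplified model of jail(8) loopback rewriting (constructed, not kernel code)."""

ANY = "0.0.0.0"        # INADDR_ANY, shown as "*" by netstat
LOOPBACK = "127.0.0.1"

def jail_bind_addr(laddr, jail_ip):
    """Address a listener actually gets when it binds inside a jail.
    Wildcard and loopback binds are pinned to the jail's own address."""
    if jail_ip is None:
        return laddr                      # not jailed: bind as requested
    return jail_ip if laddr in (ANY, LOOPBACK) else laddr

def jail_connect_addr(dest, jail_ip):
    """Destination actually used when a jailed process connects to `dest`.
    Only 127.0.0.1 is rewritten; other addresses pass through unchanged."""
    if jail_ip is None:
        return dest
    return jail_ip if dest == LOOPBACK else dest

def find_listener(listeners, addr, port):
    """Mimic the kernel lookup: exact address match first, then wildcard."""
    for laddr, lport, name in listeners:
        if lport == port and laddr == addr:
            return name
    for laddr, lport, name in listeners:
        if lport == port and laddr == ANY:
            return name
    return None                           # nothing found: "Connection refused"

def try_connect(listeners, dest, port, jail_ip=None):
    """Name of the listener a (possibly jailed) client would reach, or None."""
    return find_listener(listeners, jail_connect_addr(dest, jail_ip), port)

def add_listener(listeners, laddr, port, name, jail_ip=None):
    """Register a daemon, applying the jail's bind rewriting if it is jailed."""
    return listeners + [(jail_bind_addr(laddr, jail_ip), port, name)]

# Constructed host listener table: inetd -a 127.0.0.1 on port 79 (as in the PR)
# beside a hypothetical daemon listening on all interfaces on port 22.
LISTENERS = [(LOOPBACK, 79, "host inetd -a 127.0.0.1"), (ANY, 22, "host daemon on *")]

if __name__ == "__main__":
    # outside the jail the host inetd answers; inside, 127.0.0.1 becomes 127.0.0.2
    print(try_connect(LISTENERS, LOOPBACK, 79))
    print(try_connect(LISTENERS, LOOPBACK, 79, jail_ip="127.0.0.2"))
    # a daemon on * is still reachable, and an inetd started inside the jail
    # (which binds to 127.0.0.2 even when asked for 127.0.0.1) is what answers
    print(try_connect(LISTENERS, LOOPBACK, 22, jail_ip="127.0.0.2"))
    jailed = add_listener(LISTENERS, LOOPBACK, 79, "jail inetd", jail_ip="127.0.0.2")
    print(try_connect(jailed, LOOPBACK, 79, jail_ip="127.0.0.2"))
```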
>Unformatted:
