From frank@pinky.sax.de  Thu Jul 28 09:37:02 2005
Return-Path: <frank@pinky.sax.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C537716A41F
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 28 Jul 2005 09:37:02 +0000 (GMT)
	(envelope-from frank@pinky.sax.de)
Received: from pinky.frank-behrens.de (pinky.frank-behrens.de [82.139.199.24])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DD5EB43D46
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 28 Jul 2005 09:37:01 +0000 (GMT)
	(envelope-from frank@pinky.sax.de)
Received: from moon.behrens (localhost [127.0.0.1])
	by pinky.frank-behrens.de (8.13.4/8.13.4) with ESMTP id j6S9atWT005937
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 28 Jul 2005 11:36:55 +0200 (CEST)
	(envelope-from frank@moon.behrens)
Received: (from frank@localhost)
	by moon.behrens (8.13.4/8.13.4/Submit) id j6S9atAO005936;
	Thu, 28 Jul 2005 11:36:55 +0200 (CEST)
	(envelope-from frank)
Message-Id: <200507280936.j6S9atAO005936@moon.behrens>
Date: Thu, 28 Jul 2005 11:36:55 +0200 (CEST)
From: Frank Behrens <frank@pinky.sax.de>
To: FreeBSD-gnats-submit@freebsd.org
Subject: jail: wildcard ip (INADDR_ANY) should not bind inside a jail [patch]
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         84215
>Category:       kern
>Synopsis:       [jail] [patch] wildcard ip (INADDR_ANY) should not bind inside a jail
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 28 09:40:14 GMT 2005
>Closed-Date:    Wed Jan 07 16:28:35 UTC 2009
>Last-Modified:  Wed Jan  7 16:30:00 UTC 2009
>Originator:     Frank Behrens
>Release:        FreeBSD 6.0-BETA1 i386, also applicable for FreeBSD 5.x
>Organization:
>Environment:
>Description:
If a process listens on a socket and this socket is not bound to a
specific address, it listens on all interface addresses present in the system.
This also includes addresses assigned to a jail(8). This behaviour
complicates the jail setup, because in most environments the processes
in the jail should be separated from the main system, and wildcard binding
is no longer possible - nearly all server configurations (sendmail, webserver,
named, smbd, ..) must be changed.

This change request proposes a change in the kernel's connection handling. If
there is a jail, the assigned IP address should not be considered a valid
address for INADDR_ANY. With this change an easy jail setup is possible
without further modifications of the base configuration!

>How-To-Repeat:
Start a process in the main system and let it bind to INADDR_ANY. The created
server socket is accessible from any jail, which is not desired.
>Fix:
The patch implements the desired behaviour. It has been developed and tested
on FreeBSD-5.3/5.4. The attached patch is for RELENG_6, where it has been
tested for some weeks.

It introduces a new sysctl with which it is possible to switch off
the wildcard binding to jail addresses.

Impact:
1. The default setting does not change the system behaviour, which means there
is no visible change for FreeBSD users.
2. The default setting only adds the processing of one additional conditional
statement, so I see no danger of performance problems.
3. There is no change in client connections. The throughput
of established connections is not changed.
4. If the wildcard binding is switched off, an additional test for new
incoming connections is performed. The maximum rate of accepted connections
could theoretically be decreased, but for maximum performance you should
not bind to a wildcard address anyway.


--- kernjail6_050721.patch begins here ---
--- ./sys/kern/kern_jail.c.orig	Thu Jul 21 15:39:14 2005
+++ ./sys/kern/kern_jail.c	Thu Jul 21 15:49:31 2005
@@ -552,6 +552,35 @@
 	return (found);
 }
 
+/*
+ * Checks if the IP address belongs to a jail.
+ * IN: ip address in network order
+ * Returns TRUE if there is such a jail, otherwise FALSE.
+ */
+int
+prison_isprison_ip(u_int32_t ip) {
+
+       struct prison *pr;
+       int found;
+       u_int32_t iph;
+
+       /* an atomic compare only, or do we need a lock? */
+       if (prisoncount == 0)
+               return (FALSE);
+
+       iph = ntohl(ip); /* in prison we have host order */
+       found = FALSE;
+       mtx_lock(&allprison_mtx);
+       LIST_FOREACH(pr, &allprison, pr_list) {
+               if (pr->pr_ip == iph) {
+                       found = TRUE;
+                       break;
+               }
+       }
+       mtx_unlock(&allprison_mtx);
+       return (found);
+}
+
 static int
 sysctl_jail_list(SYSCTL_HANDLER_ARGS)
 {
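Review bot: prisoncount is read without allprison_mtx at the top of prison_isprison_ip(), so the early `return (FALSE)` can race with a jail being created or torn down; either document that this fast path is intentionally lock-free and only an optimisation (the locked walk below is authoritative), or drop it and rely on the lock alone. Style(9) points in the same hunk: the opening brace belongs on its own line after `prison_isprison_ip(u_int32_t ip)`, the body is indented with spaces rather than tabs, and the header comment should state that the lookup is a linear walk of allprison under a mutex, because the in_pcb.c hunk calls it from the connection lookup path.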
--- ./sys/netinet/in_pcb.c.orig	Wed Jun  1 13:43:39 2005
+++ ./sys/netinet/in_pcb.c	Thu Jul 21 15:39:14 2005
@@ -107,6 +107,8 @@
 int	ipport_tcpallocs;
 int	ipport_tcplastcount;
 
+int	ip_bindwildcardtojails = 1;
+
 #define RANGECHK(var, min, max) \
 	if ((var) < (min)) { (var) = (min); } \
 	else if ((var) > (max)) { (var) = (max); }
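Review bot: ip_bindwildcardtojails is a file-scope global with no header declaration; that is fine while only in_pcb.c uses it, but a comment next to the definition should spell out the two values (1 keeps today's behaviour, 0 hides jail addresses from INADDR_ANY sockets) so the bare `= 1` is not read as a magic number.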
@@ -156,6 +158,9 @@
 SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, randomtime, CTLFLAG_RW,
 	   &ipport_randomtime, 0, "Minimum time to keep sequental port "
 	   "allocation before switching to a random one");
+SYSCTL_INT(_net_inet_ip, OID_AUTO, bindwildcardtojails,
+	   CTLFLAG_RW|CTLFLAG_SECURE1, &ip_bindwildcardtojails, 
+	   1, "bind wildcard address to jails");
 
 /*
  * in_pcb.c: manage the Protocol Control Blocks.
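Review bot: the SYSCTL_INT initial-value argument is `1` here while every neighbouring entry passes 0; that value is only used when the variable pointer is NULL, so pass 0 for consistency and let the C initialiser in the earlier hunk carry the default. There is trailing whitespace after `&ip_bindwildcardtojails,`, and the description string "bind wildcard address to jails" would be clearer as something like "INADDR_ANY listeners also match jail addresses".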
@@ -1065,6 +1070,10 @@
 				if (inp->inp_laddr.s_addr == laddr.s_addr)
 					return (inp);
 				else if (inp->inp_laddr.s_addr == INADDR_ANY) {
+					/* wildcard address does not match a prison address */
+					if (!ip_bindwildcardtojails &&
+					    prison_isprison_ip(laddr.s_addr))
+						continue;
 #if defined(INET6)
 					if (INP_CHECK_SOCKAF(inp->inp_socket,
 							     AF_INET6))
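Review bot: the check lives only in the wildcard branch of in_pcblookup_hash(), so with the knob at 0 a packet to a jail address whose port has no jail-bound socket now matches no pcb and TCP answers with a reset (the "connection refused" seen in the follow-up test) even though a host daemon listens on *:port; that is the intended behaviour, but the comment here should say so and jail.8 should document it. Also note the cost: every wildcard hit on a lookup now takes allprison_mtx and walks the prison list, so the comment should state that prison_isprison_ip() is O(number of jails) and is only reached when the sysctl is off (the `!ip_bindwildcardtojails &&` short-circuit keeps the default path unchanged).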
--- ./sys/sys/jail.h.orig	Thu Jun  9 20:49:19 2005
+++ ./sys/sys/jail.h	Thu Jul 21 15:39:14 2005
@@ -111,6 +111,7 @@
 int prison_if(struct ucred *cred, struct sockaddr *sa);
 int prison_ip(struct ucred *cred, int flag, u_int32_t *ip);
 void prison_remote_ip(struct ucred *cred, int flags, u_int32_t *ip);
+int prison_isprison_ip(u_int32_t ip);
 
 #endif /* _KERNEL */
 #endif /* !_SYS_JAIL_H_ */
--- ./usr.sbin/jail/jail.8.orig	Tue Jun 14 14:26:35 2005
+++ ./usr.sbin/jail/jail.8	Thu Jul 21 15:39:14 2005
@@ -516,6 +516,10 @@
 privileged, and may manipulate system file flags subject to the usual
 constraints on
 .Va kern.securelevel .
+.It Va net.inet.ip.bindwildcardtojails
+If set to 0 then daemons listening on all IPs
+.Pq Dv INADDR_ANY
+will not bind on any address assigned to a jail.
 .El
 .Pp
 There are currently two MIB related variables that have per-jail settings.
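Review bot: the new jail.8 entry should state the default (1) and, since the sysctl is declared CTLFLAG_SECURE1 in the in_pcb.c hunk, that it cannot be changed once securelevel is above 0; it should also tell the reader the consequence of 0 when no jail socket exists on the port (the connection is refused rather than served by the host daemon).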
@@ -573,13 +577,7 @@
 .Xr ps 1
 as opposed to
 .Xr procfs 5 .
-Similarly, it might be a good idea to add an
-address alias flag such that daemons listening on all IPs
-.Pq Dv INADDR_ANY
-will not bind on that address, which would facilitate building a safe
-host environment such that host daemons do not impose on services offered
-from within jails.
-Currently, the simplest answer is to minimize services
-offered on the host, possibly limiting it to services offered from
-.Xr inetd 8
-which is easily configurable.
+Jail does not handle 
+.Pq Dv IPv6
+addresses.
+
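Review bot: this hunk replaces the BUGS paragraph about INADDR_ANY with an unrelated statement that jail does not handle IPv6 addresses; removing the paragraph is right since the new sysctl addresses it, but the IPv6 note is a separate change and belongs in its own commit. In the new text, `.Pq Dv IPv6` marks IPv6 as a defined constant, which is the wrong macro for a protocol name (plain text or `.Tn` would do), `+Jail does not handle ` carries trailing whitespace, and the final `+` adds an empty line at the end of the manual page.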
--- kernjail6_050721.patch ends here ---
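
As an added illustration (not part of the PR or of FreeBSD's own code), this user-space C model mirrors prison_isprison_ip() and the wildcard branch of in_pcblookup_hash() as modified by the patch, with a constructed socket table and jail list that reproduce the follow-up test (host sshd on *:22, a jail on 192.168.200.11). The names pcb_lookup and who_answers are my own; the lookup logic follows the hunks above.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* One listening socket: laddr in network order, lport in host order. */
struct pcb { const char *owner; uint32_t laddr; uint16_t lport; };
/* Model of prison_isprison_ip(): ip in network order, prison IPs (pr_ip) in host order. */
static int prison_isprison_ip(const uint32_t *prisons, int np, uint32_t ip)
{
	uint32_t iph = ntohl(ip);
	for (int i = 0; i < np; i++)
		if (prisons[i] == iph)
			return 1;
	return 0;
}

/* Model of the wildcard branch of in_pcblookup_hash() with the patch: an exact
 * local-address match always wins; an INADDR_ANY socket matches only if the sysctl
 * is on or the destination is not a jail IP. Returns the owner, or NULL (TCP RST). */
static const char *pcb_lookup(const struct pcb *tbl, int n, uint32_t laddr,
    uint16_t lport, const uint32_t *prisons, int np, int bindwildcardtojails)
{
	const char *wild = NULL;
	for (int i = 0; i < n; i++) {
		if (tbl[i].lport != lport)
			continue;
		if (tbl[i].laddr == laddr)
			return tbl[i].owner;
		if (tbl[i].laddr == htonl(INADDR_ANY)) {
			if (!bindwildcardtojails &&
			    prison_isprison_ip(prisons, np, laddr))
				continue;	/* the patch: wildcard skips jail IPs */
			if (wild == NULL)
				wild = tbl[i].owner;
		}
	}
	return wild;
}

/* Constructed scenario from the follow-up: host sshd on *:22 and a jail on
 * 192.168.200.11 that may run its own sshd. Who answers a SYN to dst:22? */
const char *who_answers(const char *dst, int jail_sshd_running, int bindwildcardtojails)
{
	uint32_t jail_ip = inet_addr("192.168.200.11");
	uint32_t prisons[] = { ntohl(jail_ip) };
	struct pcb tbl[] = { { "host sshd", htonl(INADDR_ANY), 22 }, { "jail sshd", jail_ip, 22 } };
	return pcb_lookup(tbl, jail_sshd_running ? 2 : 1, inet_addr(dst), 22, prisons, 1, bindwildcardtojails);
}
```

With the sysctl at 1 the host daemon answers for the jail address (the problem the PR describes); at 0 the same packet is refused unless a socket is bound inside the jail, which is the nc behaviour shown in the follow-up.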


>Release-Note:
>Audit-Trail:

From: Cheng-Lung Sung <clsung@FreeBSD.org>
To: bug-followup@FreeBSD.org, frank@pinky.sax.de
Cc: rwatson@FreeBSD.org
Subject: Re: kern/84215: [jail] [patch] wildcard ip (INADDR_ANY) should not bind inside a jail
Date: Tue, 18 Apr 2006 10:51:10 +0800

 Hi,
     I've tested it and found that sshd doesn't work with this patch.
     Do you have any idea about it?
 
     Here is my experiment on the patch.
 
     Host:
 w/o specifying ListenAddress, sshd will bind to all IPs (including jails)
 w/  specifying ListenAddress, sshd will bind to only the specified IP
 
     Jail:
 doesn't matter if ListenAddress is specified.
 
     Normally, I tested with 'w/o specify ListenAddress', then
     ssh to Jail will indeed ssh to Host.
 
     When I turn net.inet.ip.bindwildcardtojails off (1 -> 0),
     ssh to Jail should indeed ssh to Jail, but it failed.
 -- 
 Cheng-Lung Sung - clsung@
 
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Tue Jun 19 00:59:10 UTC 2007 
State-Changed-Why:  
Note that feedback (about ssh not working with this patch) was requested 
some time ago. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=84215 

From: "Frank Behrens" <frank@pinky.sax.de>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org,
        FreeBSD-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/84215: [jail] [patch] wildcard ip (INADDR_ANY) should not bind inside a jail
Date: Tue, 19 Jun 2007 08:51:11 +0200

 Mark Linimon <linimon@FreeBSD.org> wrote on 19 Jun 2007 1:00:
 > State-Changed-From-To: open->feedback
 > Note that feedback (about ssh not working with this patch) was requested
 > some time ago.
 
 Sorry, I must have overlooked that. My answer is:
 The patch should work; I cannot confirm the problem. Meanwhile I have been using this patch for 
 years, and I use FreeBSD 6.2-STABLE-200705211513.
 
 A short test with net.inet.ip.bindwildcardtojails=0 shows:
 > ifconfig lo1 alias 192.168.200.11
 > jail / testssh 192.168.200.11 /bin/csh
 
 otherhost>nc -vvv 192.168.0.10 22
 router.behrens [192.168.0.10] 22 (?) open
 SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
 
 otherhost>nc -vvv 192.168.200.11 22
 192.168.200.11: inverse host lookup failed: h_errno 11004: NO_DATA
 (UNKNOWN) [192.168.200.11] 22 (?): connection refused
 
 Now I start the sshd daemon inside the jail:
 frank@testssh:/# /usr/sbin/sshd
 frank@testssh:/# sockstat -4
 USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
 root     sshd       25774 3  tcp4   192.168.200.11:22     *:*
 
 and the connection to the jail is possible:
 otherhost>nc -vvv 192.168.200.11 22
 192.168.200.11: inverse host lookup failed: h_errno 11004: NO_DATA
 (UNKNOWN) [192.168.200.11] 22 (?) open
 SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
 
 The short examples with nc show the same behavior as real ssh connections. 
 
 Frank Behrens
 
State-Changed-From-To: feedback->open 
State-Changed-By: linimon 
State-Changed-When: Fri Jan 25 22:02:08 UTC 2008 
State-Changed-Why:  
Feedback received. 


Responsible-Changed-From-To: freebsd-bugs->freebsd-jail 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Jan 25 22:02:08 UTC 2008 
Responsible-Changed-Why:  
Reassign to appropriate mailing list. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=84215 
Responsible-Changed-From-To: freebsd-jail->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sat Nov 29 16:54:30 UTC 2008 
Responsible-Changed-Why:  
Take. It seems that the proposed solution is not suitable for 
general FreeBSD but might no longer be needed with updated jails. 
Try to get feedback. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=84215 
State-Changed-From-To: open->feedback 
State-Changed-By: bz 
State-Changed-When: Tue Jan 6 18:46:53 UTC 2009 
State-Changed-Why:  
Submitter asked if this can be closed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=84215 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, frank@pinky.sax.de
Cc:  
Subject: Re: kern/84215: [jail] [patch] wildcard ip (INADDR_ANY) should not
 bind inside a jail
Date: Tue, 6 Jan 2009 18:45:33 +0000 (UTC)

 Hi,
 
 I think you previously stated that this PR is no longer needed with
 the new multi-/no-IPv4/v6 jails?  Can it be closed or are there
 bits still missing that you need from it?
 
 /bz
 
 -- 
 Bjoern A. Zeeb                      The greatest risk is not taking one.
State-Changed-From-To: feedback->closed 
State-Changed-By: bz 
State-Changed-When: Wed Jan 7 16:28:06 UTC 2009 
State-Changed-Why:  
Submitter confirms that this can be closed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=84215 

From: Frank Behrens <frank@pinky.sax.de>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/84215: [jail] [patch] wildcard ip (INADDR_ANY) should not
 bind inside a jail
Date: Wed, 07 Jan 2009 17:25:00 +0100

 Bjoern A. Zeeb schrieb:
 > I think you previously stated that this PR is no longer needed with
 > the new multi-/no-IPv4/v6 jails? Can it be closed or are there
 > bits still missing that you need from it?
 You are right: The PR should be closed.
 Thanks for your work on the new IPv4/IPv6 jails. They are working well.
 
 Frank
 
>Unformatted:
