I’ve had similar issues with JAIL_ATTACH when fibs > 0, specifically when using @dfr’s ociljail with podman — while net.fibs had a value greater than 0, it would fail with code 22. I traced the source of the error all the way down into osd_jail_call:

osd: method 4 failed for slot 6 type 1 (error=22)
jail: module attachment preparation failed (error=22)
osd: calling method 5 for type 1

After looking back at the code in kern_jail.c, in do_jail_attach:

	error = osd_jail_call(pr, PR_METHOD_ATTACH, td);
	if (error) {
		if (bootverbose)
			printf("jail: module attachment preparation failed (error=%d)\n", error);
		prison_deref(pr, drflags);
		return (error);
	}

This was particularly difficult to isolate: 


I’m not even sure if that’s the full patch but I used an LLM to do it and it really had a tough time simply adding bootverbose messages without stomping on the rest of the code.

TL;DR: all of that could probably stand to be revisited; there are a lot of branches, and there’s sure to be a better way to debug this somewhere, but in any case I isolated my fib-related jail problems to osd_jail_call, and I didn’t really understand the purpose of it well enough to make heads or tails of why it was failing.

This also didn’t help me determine the cause; I just figured out it was net.fibs because I remembered it was something I had to enable in boot.conf to get working, but that was specifically where it was failing (osd_jail_call) and I had to add logging.

Sent from my iPhone
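To turn the bootverbose lines quoted above into something actionable, here is an added triage helper (example code, not part of this thread and not FreeBSD code). It parses the "osd: method N failed for slot S type T (error=E)" and "jail: module attachment preparation failed (error=E)" messages, maps the method and type numbers to their symbolic names, and ties the attach failure back to the OSD hook that rejected it. The numeric mappings are assumed to follow PR_METHOD_* in sys/jail.h and OSD_* in sys/osd.h; the sample input is the three kernel lines from the report above.

```python
"""Triage helper for bootverbose jail-attach failures (added example).

Parses the "osd: ..." / "jail: ..." kernel messages quoted in the report and
reports which OSD method failed, for which slot, and what errno that was, so
a failed jail_attach(2) can be tied to the module hook that rejected it.
"""
import errno
import re

# Assumed OSD method numbering, as defined by PR_METHOD_* in sys/jail.h.
# The quoted log shows method 4 failing inside do_jail_attach, consistent with
# PR_METHOD_ATTACH == 4; method 5 (PR_METHOD_REMOVE) then runs on the deref.
PR_METHOD_NAMES = {
    0: "PR_METHOD_CREATE",
    1: "PR_METHOD_GET",
    2: "PR_METHOD_SET",
    3: "PR_METHOD_CHECK",
    4: "PR_METHOD_ATTACH",
    5: "PR_METHOD_REMOVE",
}
# Assumed OSD type numbering from sys/osd.h: 0 = OSD_THREAD, 1 = OSD_JAIL, 2 = OSD_KHELP.
OSD_TYPE_NAMES = {0: "OSD_THREAD", 1: "OSD_JAIL", 2: "OSD_KHELP"}

OSD_FAIL_RE = re.compile(
    r"osd: method (?P<method>\d+) failed for slot (?P<slot>\d+) "
    r"type (?P<type>\d+) \(error=(?P<error>\d+)\)"
)
JAIL_FAIL_RE = re.compile(
    r"jail: module attachment preparation failed \(error=(?P<error>\d+)\)"
)

# Constructed sample input: the three kernel lines quoted in the report.
SAMPLE_DMESG = [
    "osd: method 4 failed for slot 6 type 1 (error=22)",
    "jail: module attachment preparation failed (error=22)",
    "osd: calling method 5 for type 1",
]


def parse_osd_failures(lines):
    """Return one dict per 'osd: method ... failed' line, with names resolved."""
    out = []
    for n, line in enumerate(lines):
        m = OSD_FAIL_RE.search(line)
        if not m:
            continue
        d = {k: int(v) for k, v in m.groupdict().items()}
        d["line"] = n
        d["method_name"] = PR_METHOD_NAMES.get(d["method"], f"method {d['method']}")
        d["type_name"] = OSD_TYPE_NAMES.get(d["type"], f"type {d['type']}")
        d["errno_name"] = errno.errorcode.get(d["error"], f"errno {d['error']}")
        out.append(d)
    return out


def explain_attach_failure(lines):
    """Correlate the 'jail: module attachment preparation failed' line with the
    last preceding osd failure carrying the same error code.

    Returns a one-line summary, or None if no attach failure was logged.
    """
    failures = parse_osd_failures(lines)
    for n, line in enumerate(lines):
        m = JAIL_FAIL_RE.search(line)
        if not m:
            continue
        err = int(m.group("error"))
        cause = next(
            (f for f in reversed(failures) if f["line"] < n and f["error"] == err),
            None,
        )
        if cause is None:
            return (f"jail_attach failed with {errno.errorcode.get(err, err)} "
                    "but no osd hook failure was logged")
        return (f"jail_attach failed with {cause['errno_name']}: "
                f"{cause['method_name']} hook for {cause['type_name']} "
                f"slot {cause['slot']} rejected the attach")
    return None


if __name__ == "__main__":
    print(explain_attach_failure(SAMPLE_DMESG))
```

The slot number is the one the module received from osd_jail_register(), so once the summary names a slot, that is the module whose attach hook to instrument next; the errno name (EINVAL here) narrows which of its argument checks tripped.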

On Mar 3, 2025, at 2:34 AM, [email protected] wrote:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=169751

[email protected] changed:

          What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |[email protected]

--- Comment #4 from [email protected] ---
Processes attached to a vnet enabled jail can even write their jail's routing
tables according to their privileges. This needs proper documentation of the
intended behaviour with AF_ROUTE and netlink. For anyone writing tools that
jail_attach() / jail_set(JAIL_ATTACH) themselves (e.g. adding a -j <jname> option
to an existing networking command) it would also be relevant what happens when
you create the socket before attaching. Would you be prevented from attaching to
the jail? Would you smuggle in the capability to read (or worse modify) the
parent/host networking? If the jail is assigned a FIB is it possible to query
that FIB and make it the process's default FIB before or after attaching to the
jail?
