Harald Schmalzbauer schrieb am 03.07.2010 10:05 (localtime): ...
One has to define the IPv4 and IPv6 addresses separately (jail_&lt;name&gt;_ip4 and jail_&lt;name&gt;_ip6). They can be given with or without a mask, as a single address or as a comma-separated list; it doesn't matter, thanks to the jail_handle_ips_option() coder, it just works :)
I forgot to change that in defaults/rc.conf. Please find attached the corrected version. -Harry
--- src/etc/defaults/rc.conf 2010-06-28 19:22:08.000000000 +0200
+++ src/etc/defaults/rc.conf 2010-07-03 10:08:31.000000000 +0200
@@ -642,8 +642,13 @@
jail_enable="NO" # Set to NO to disable starting of any jails
jail_list="" # Space separated list of names of jails
jail_set_hostname_allow="YES" # Allow root user in a jail to change its
hostname
-jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail
+jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
+jail_raw_sockets_allow="NO" # Prison root can create raw sockets
+jail_chflags_allow="NO" # Processes in jail can alter system file flags
+jail_mount_allow="NO" # Processes in jail can mount/unmount jail-friendly file
systems
+jail_quotas_allow="NO" # The prison root may administer quotas on the jail's
filesystem(s)
+socket_af_allow="NO" # Sockets within a jail are normally restricted to IPv4,
IPv6, local (UNIX), and route.
#
# To use rc's built-in jail infrastructure create entries for
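Review bot: The last added knob is named `socket_af_allow`, without the `jail_` prefix that every other jail default in this block carries (`jail_raw_sockets_allow`, `jail_chflags_allow`, `jail_mount_allow`, `jail_quotas_allow`), so it reads as a stray rc.conf variable and will not be found by anything looking for the jail_* family; rename it `jail_socket_af_allow="NO"`. Its comment also describes the restriction rather than what YES does, unlike its neighbours; suggest `# Allow sockets of address families other than IPv4, IPv6, local (UNIX) and route`. `jail_socket_unixiproute_only` is moved rather than removed although the new socket_af knob appears to cover the same ground; whether the script still consults it cannot be seen in this hunk, so either say so in its comment or drop it.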
@@ -658,8 +663,8 @@
#jail_example_hostname="default.domain.com" # Jail's hostname
#jail_example_interface="" # Jail's interface variable to
create IP aliases on
#jail_example_fib="0" # Routing table for setfib(1)
-#jail_example_ip="192.0.2.10,2001:db8::17" # Jail's primary IPv4 and IPv6
address
-#jail_example_ip_multi0="2001:db8::10" # and another IPv6 address
+#jail_example_ip4="192.0.2.10/24,10.1.2.3" # Jail's IPv4
address(es)
+#jail_example_ip6="2001:db8::10,fec0::0:1:2:3" # Jail's IPv6
address(es)
#jail_example_exec_start="/bin/sh /etc/rc" # command to execute in
jail for starting
#jail_example_exec_afterstart0="/bin/sh command" # command to execute
after the one for
# starting the jail.
More than one can be
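Review bot: The new IPv6 example `fec0::0:1:2:3` uses the site-local prefix, deprecated since RFC 3879, while the IPv4 example and the removed line both stay on documentation ranges (`192.0.2.0/24`, `2001:db8::/32`); use `2001:db8::17` or similar so nobody copies a deprecated prefix into a live configuration. A word on the accepted syntax would also help, since the covering mail says masks and comma lists are both fine: `# Jail's IPv4 address(es), optionally with /mask, comma separated`.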
@@ -672,6 +677,14 @@
#jail_example_procfs_enable="NO" # mount procfs in jail
#jail_example_mount_enable="NO" # mount/umount jail's fs
#jail_example_fstab="" # fstab(5) for mount/umount
+#jail_example_allow_set_hostname="NO" # This jail can set hostname
+#jail_example_allow_sysvipc="NO" # This jail can use SystemV IPC
+#jail_example_allow_raw_sockets="NO" # This jail can create raw
sockets (ping)
+#jail_example_allow_chflags="NO" # This jail can alter it's
filesystem flags
+#jail_example_allow_mount="NO" # This jail can mount jail
friendly filesystems
+#jail_example_allow_quotas="NO" # This jail can modify
quotas on it's filesystems
+#jail_example_allow_socket_af="NO" # This jail can use other
protocol stacks than IP4, IP6 and local
+
#jail_example_flags="-l -U root" # flags for jail(8)
##############################################################
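Review bot: The example `jail_example_allow_set_hostname="NO"` contradicts the file-wide `jail_set_hostname_allow="YES"` default shown as context in the first hunk, so a reader cannot tell which value the per-jail knob inherits when left unset; either show it as `"YES"` or add `# overrides jail_set_hostname_allow` to its comment. Two of the new comments write `it's` for `its` (`alter it's filesystem flags`, `quotas on it's filesystems`).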
--- src/etc/rc.d/jail 2010-06-28 19:22:11.000000000 +0200
+++ src/etc/rc.d/jail 2010-07-03 10:02:34.000000000 +0200
@@ -21,6 +21,8 @@
start_cmd="jail_start"
stop_cmd="jail_stop"
+jail_restrictions="set_hostname sysvipc raw_sockets chflags mount quotas
socket_af"
+
# init_variables _j
# Initialize the various jail variables for jail _j.
#
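Review bot: `jail_restrictions` is a new file-level variable with no comment, and each word in it is spliced verbatim into a jail(8) `allow.<word>=1` parameter later in the script, so the list has to track jail(8)'s parameter names exactly; document that above it, e.g. `# jail(8) allow.* parameters rc.conf may relax, globally or per jail via jail_<j>_allow_<name>`. The value also appears split across two lines here, which is probably mail wrapping; if it is genuine, `socket_af"` on its own line is a separate (failing) command.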
@@ -38,7 +40,8 @@
_fdescdir="${_devdir}/fd"
_procdir="${_rootdir}/proc"
eval _hostname=\"\$jail_${_j}_hostname\"
- eval _ip=\"\$jail_${_j}_ip\"
+ eval _ip4=\"\$jail_${_j}_ip4\"
+ eval _ip6=\"\$jail_${_j}_ip6\"
eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
eval _exec=\"\$jail_${_j}_exec\"
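Review bot: `jail_<j>_ip` simply stops being read here, with no fallback and no diagnostic, so an existing rc.conf that still uses it (and `jail_<j>_ip_multi<N>`) will start the jail with no addresses at all and only the debug output would reveal why. Keep reading the old variable and shout about it: `eval _ip=\"\$jail_${_j}_ip\"` followed by `[ -n "${_ip}" ] && warn "jail_${_j}_ip is obsolete, use jail_${_j}_ip4/jail_${_j}_ip6"`; since jail_handle_ips_option already classifies each address by family, the old value could even be passed through it unchanged for compatibility. init_variables begins before and continues after this hunk.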
@@ -122,8 +125,9 @@
debug "$_j procfs enable: $_procfs"
debug "$_j mount enable: $_mount"
debug "$_j hostname: $_hostname"
- debug "$_j ip: $_ip"
- jail_show_addresses ${_j}
+ debug "$_j ip4: $_ip4"
+ debug "$_j ip6: $_ip6"
+# jail_show_addresses ${_j}
debug "$_j interface: $_interface"
debug "$_j fib: $_fib"
debug "$_j root: $_rootdir"
@@ -347,27 +351,27 @@
# Debug print the input for the given _multi aliases
# for a jail for init_variables().
#
-jail_show_addresses()
-{
- local _j _type alias
- _j="$1"
- alias=0
-
- if [ -z "${_j}" ]; then
- warn "jail_show_addresses: you must specify a jail"
- return
- fi
-
- while : ; do
- eval _addr=\"\$jail_${_j}_ip_multi${alias}\"
- if [ -n "${_addr}" ]; then
- debug "${_j} ip_multi${alias}: $_addr"
- alias=$((${alias} + 1))
- else
- break
- fi
- done
-}
+#jail_show_addresses()
+#{
+# local _j _type alias
+# _j="$1"
+# alias=0
+#
+# if [ -z "${_j}" ]; then
+# warn "jail_show_addresses: you must specify a jail"
+# return
+# fi
+#
+# while : ; do
+# eval _addr=\"\$jail_${_j}_ip_multi${alias}\"
+# if [ -n "${_addr}" ]; then
+# debug "${_j} ip_multi${alias}: $_addr"
+# alias=$((${alias} + 1))
+# else
+# break
+# fi
+# done
+#}
# jail_extract_address argument
# The second argument is the string from one of the _ip
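Review bot: jail_show_addresses is commented out rather than deleted, leaving some twenty lines of dead code beneath a header comment (`# Debug print the input for the given _multi aliases …`) that now describes nothing, and the call site in init_variables is likewise left as `# jail_show_addresses ${_j}`. Version control keeps the history, so remove the function, its header and the call together; if a debug line is still wanted, the `debug "$_j ip4: $_ip4"` / `debug "$_j ip6: $_ip6"` pair already added covers it.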
@@ -481,20 +485,26 @@
*) ;;
esac
- # Append address to list of addresses for the jail command.
- case "${_addrl}" in
- "") _addrl="${_addr}" ;;
- *) _addrl="${_addrl},${_addr}" ;;
- esac
-
# Configure interface alias if requested by a given interface
# and if we could correctly parse everything.
case "${_iface}" in
"") continue ;;
esac
case "${_type}" in
- inet) ;;
- inet6) ;;
+ inet) {
+ # Append address to list of addresses for the jail
command.
+ case "${_addrl4}" in
+ "") _addrl4="${_addr}" ;;
+ *) _addrl4="${_addrl4},${_addr}" ;;
+ esac
+ };;
+ inet6) {
+ # Append address to list of addresses for the jail
command.
+ case "${_addrl6}" in
+ "") _addrl6="${_addr}" ;;
+ *) _addrl6="${_addrl6},${_addr}" ;;
+ esac
+ };;
*) warn "Could not determine address family. Not going" \
"to ${_action} address '${_addr}' for ${_jail}."
continue
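Review bot: With this reordering an address is appended to `_addrl4`/`_addrl6` only after the `case "${_iface}"` check, so for a jail that leaves `jail_<j>_interface` empty the `continue` on the `"")` arm fires first and the address never reaches the jail(8) command line; the removed block appended before that check for exactly that reason, and this affects every jail that does not ask for interface aliases. Move the per-family append back in front of the interface check and keep only the alias handling behind it, as below. The `{ … };;` grouping inside the case arms is legal but unusual in this file; plain arms ending in `;;` read better. jail_handle_ips_option starts and ends outside this hunk.
```shell
	# Append the address to the per-family list for the jail command.
	# Must precede the interface check: a jail with no
	# jail_<j>_interface still needs its addresses passed to jail(8).
	case "${_type}" in
	inet)	case "${_addrl4}" in
		"")	_addrl4="${_addr}" ;;
		*)	_addrl4="${_addrl4},${_addr}" ;;
		esac
		;;
	inet6)	case "${_addrl6}" in
		"")	_addrl6="${_addr}" ;;
		*)	_addrl6="${_addrl6},${_addr}" ;;
		esac
		;;
	esac

	# Configure interface alias if requested by a given interface
	# and if we could correctly parse everything.
	case "${_iface}" in
	"")	continue ;;
	esac
	# … unchanged: family check that warns on an unknown ${_type} …
```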
@@ -531,18 +541,18 @@
esac
# Handle addresses.
- jail_handle_ips_option ${_action} "${_ip}"
+ jail_handle_ips_option ${_action} "${_ip4},${_ip6}"
# Handle jail_xxx_ip_multi<N>
- alias=0
- while : ; do
- eval _x=\"\$jail_${_jail}_ip_multi${alias}\"
- case "${_x}" in
- "") break ;;
- *) jail_handle_ips_option ${_action} "${_x}"
- alias=$((${alias} + 1))
- ;;
- esac
- done
+# alias=0
+# while : ; do
+# eval _x=\"\$jail_${_jail}_ip4_multi${alias}\"
+# case "${_x}" in
+# "") break ;;
+# *) jail_handle_ips_option ${_action} "${_x}"
+# alias=$((${alias} + 1))
+# ;;
+# esac
+# done
}
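Review bot: `jail_handle_ips_option ${_action} "${_ip4},${_ip6}"` joins the two lists with a literal comma, so whenever one of them is empty the argument carries an empty element (`192.0.2.10,` or `,2001:db8::10`); whether the splitter inside jail_handle_ips_option skips that or turns it into a "Could not determine address family" warning is not visible here, so call it once per family instead: `jail_handle_ips_option ${_action} "${_ip4}"` then `jail_handle_ips_option ${_action} "${_ip6}"`. The `ip_multi` loop is commented out rather than removed, and the commented copy reads a `jail_<j>_ip4_multi<N>` name that never existed; delete it, and because an existing rc.conf with `jail_<j>_ip_multi0` set now silently loses those addresses, emit a `warn` when that variable is non-empty. jail_ips begins before this hunk.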
jail_start()
@@ -566,7 +576,8 @@
echo -n " [${_hostname} already running
(/var/run/jail_${_jail}.id exists)]"
continue;
fi
- _addrl=""
+ _addrl4=""
+ _addrl6=""
jail_ips "add"
if [ -n "${_fib}" ]; then
_setfib="setfib -F '${_fib}'"
@@ -625,6 +636,15 @@
fi
fi
fi
+ _j_allow_parms=""
+ for relax in ${jail_restrictions}; do
+ eval
_param_allow=\"\${jail_${_jail}_allow_${relax}:-\${jail_allow_$relax}}\"
+ [ -z "${_param_allow}" ] && _param_allow="NO"
+ checkyesno _param_allow && \
+
_j_allow_parms="${_j_allow_parms}allow.${relax}=1 "
+ debug "$_jail _allow_${relax}: $_param_allow"
+ done
+ debug "$_jail selectiv relaxation: $_j_allow_parms"
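Review bot: The fallback in the `eval` line reads `jail_allow_${relax}`, but the global defaults this patch adds to defaults/rc.conf are spelled `jail_${relax}_allow` (`jail_raw_sockets_allow` and friends, plus the pre-existing `jail_set_hostname_allow`/`jail_sysvipc_allow`), so the global layer is never consulted and every restriction falls through to the hard-coded `"NO"`. That silently flips `set_hostname`, whose rc.conf default is YES, to denied for any jail that does not set `jail_<j>_allow_set_hostname` explicitly; if that tightening is intended it deserves a comment, otherwise use `_param_allow=\"\${jail_${_jail}_allow_${relax}:-\${jail_${relax}_allow}}\"` so the names line up with rc.conf. `relax` and `_param_allow` are new variables in jail_start with no `local`; whether the rest of the function declares its locals cannot be seen from this hunk, but they should follow suit if it does. jail_start begins before and continues after this hunk.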
_tmp_jail=${_tmp_dir}/jail.$$
i=0
@@ -634,9 +654,10 @@
${out}
i=$((i + 1))
done
-
- eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
- \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
+
+ eval ${_setfib} jail ${_flags} -i -c name=${_jail}\
+ path=${_rootdir} host.hostname=${_hostname} \
+ ip4.addr=${_addrl4} ip6.addr=${_addrl6}
${_j_allow_parms} command=${_exec_start} > ${_tmp_jail} 2>&1
if [ "$?" -eq 0 ] ; then
_jail_id=$(head -1 ${_tmp_jail})
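Review bot: Every jail(8) parameter on the new `eval` line is expanded unquoted (`name=${_jail}`, `path=${_rootdir}`, `host.hostname=${_hostname}`, `ip4.addr=${_addrl4}`, `ip6.addr=${_addrl6}`), whereas the removed line at least quoted the address list; a space or shell metacharacter in any of these rc.conf-derived values is re-split by eval into extra jail(8) parameters, so wrap each as `name=\"${_jail}\"`, `path=\"${_rootdir}\"` and so on. Separately, `ip4.addr=` and `ip6.addr=` are passed even when the list is empty; jail(8) documents that setting ip4.addr implies `ip4=new`, but whether an empty value still does so or leaves the jail at `ip4=inherit` (all host addresses) is not established here and should be confirmed, since the old invocation's empty list meant no addresses — passing `ip4=disable` explicitly when `_addrl4` is empty removes the doubt. `command=${_exec_start}` appears to rely on word-splitting to turn `/bin/sh /etc/rc` into jail(8)'s command plus its argument; a one-line comment saying that is deliberate would stop the next reader from quoting it. jail_start continues outside this hunk.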
