| Summary: | process in jail(8) with 127.0.0.2 cannot connect servers on 127.0.0.1 | ||
|---|---|---|---|
| Product: | Base System | Reporter: | akr <akr> |
| Component: | kern | Assignee: | Poul-Henning Kamp <phk> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | 4.0-RELEASE | ||
| Hardware: | Any | ||
| OS: | Any | ||
Responsible Changed From-To: freebsd-bugs->phk

Over to the maintainer.

State Changed From-To: open->closed

First, thanks for the comprehensive PR; it is unfortunately seldom that PRs have this high level of information on how to reproduce the problem. Second, no, it is not a bug. The jail interface has to emulate the loopback aspect of 127.0.0.1 to make things work in general. When you telnet to 127.0.0.1 inside the jail, you cannot contact the inetd outside the jail; you should be contacting the inetd inside your own jail. If you try to start an inetd inside the jail, you will see this work as expected.
When a jail is created with 127.0.0.2 and a jailed process tries to connect to 127.0.0.1:79 (finger daemon), it cannot connect. This problem is reproduced for all daemons that are explicitly bound to 127.0.0.1 and is not reproduced for daemons that accept connections on all interfaces.

How-To-Repeat:

Insert the following lines in /etc/rc.conf:

```
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
inetd_flags="-wW -a 127.0.0.1"
```

Check the lo0 configuration:

```
# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xffffffff
```

Check inetd. inetd listens on 127.0.0.1:79, and telnet to it works well even if the source IP address is specified as 127.0.0.2.

```
# netstat -n -a | grep 79
tcp4       0      0  127.0.0.1.79           *.*                    LISTEN
# grep finger /etc/inetd.conf
finger  stream  tcp     nowait/3/10  nobody  /usr/libexec/fingerd  fingerd -s
finger  stream  tcp6    nowait/3/10  nobody  /usr/libexec/fingerd  fingerd -s
# ps auxww | grep inetd
root   372  0.0  0.5  1020  660  p0  S+    4:11AM   0:00.00 grep inetd
root   160  0.0  0.5  1012  676  ??  Ss    4:05AM   0:00.02 inetd -wW -a 127.0.0.1
# grep \^finger /etc/services
finger          79/tcp
finger          79/udp
```

Without a jail, telnet to it works well even if the source IP address is specified as 127.0.0.2:

```
# telnet -s 127.0.0.2 127.0.0.1 79
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
root
Login: root                             Name: Charlie Root
Directory: /root                        Shell: /bin/csh
Last login Tue Aug  8 14:59 (JST) on ttyv1
No Mail.
No Plan.
Connection closed by foreign host.
```

Set up a jail to run telnet:

```
# cd /var/tmp
# mkdir jail
# cd jail
# mkdir -p usr/lib usr/libexec
# cp /usr/libexec/ld-elf.so.1 usr/libexec
# ldd /usr/bin/telnet
/usr/bin/telnet:
        libncurses.so.5 => /usr/lib/libncurses.so.5 (0x2807a000)
        libcrypto.so.1 => /usr/lib/libcrypto.so.1 (0x280b9000)
        libkrb.so.3 => /usr/lib/libkrb.so.3 (0x28156000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x2816f000)
        libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x28184000)
        libmp.so.3 => /usr/lib/libmp.so.3 (0x28186000)
        libipsec.so.0 => /usr/lib/libipsec.so.0 (0x28190000)
        libc.so.4 => /usr/lib/libc.so.4 (0x2819a000)
# cp /usr/lib/libncurses.so.5 /usr/lib/libcrypto.so.1 /usr/lib/libkrb.so.3 /usr/lib/libcrypt.so.2 /usr/lib/libcom_err.so.2 /usr/lib/libmp.so.3 /usr/lib/libipsec.so.0 /usr/lib/libc.so.4 usr/lib
# cp /usr/bin/telnet .
```

Run telnet and it fails:

```
# jail /var/tmp/jail xxx 127.0.0.2 /telnet 127.0.0.1 79
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host
```

I think it shouldn't fail.
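As an added illustration (not part of this PR and not FreeBSD's own code), the following Python model of the loopback rule phk describes shows why the jailed connect is refused while the two alternatives the thread mentions (a daemon bound to all interfaces, or an inetd started inside the jail) succeed. It assumes, as a simplification, that inside a jail both 127.0.0.1 and INADDR_ANY stand for the jail's own address, and that an exact binding wins over a wildcard one.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0"  # INADDR_ANY: socket bound to every local address


@dataclass(frozen=True)
class Listener:
    addr: str    # address the socket is effectively bound to after jail rewriting
    port: int
    owner: str   # "host", or the IP of the jail the daemon runs in


def effective_addr(addr: str, jail_ip: Optional[str]) -> str:
    """Model of the jail loopback emulation (assumption: inside a jail, both
    127.0.0.1 and INADDR_ANY are rewritten to the jail's own IP)."""
    if jail_ip is not None and addr in ("127.0.0.1", ANY):
        return jail_ip
    return addr


def listen(table: List[Listener], addr: str, port: int,
           jail_ip: Optional[str] = None) -> Listener:
    """bind()+listen() issued from the host (jail_ip=None) or from inside a jail."""
    entry = Listener(effective_addr(addr, jail_ip), port, jail_ip or "host")
    table.append(entry)
    return entry


def connect(table: List[Listener], dst: str, port: int,
            jail_ip: Optional[str] = None) -> Optional[Listener]:
    """connect() to dst:port; returns the listener that answers, or None (refused).
    Exact bindings are preferred over wildcard ones, as in the kernel's PCB lookup."""
    dst = effective_addr(dst, jail_ip)
    exact = [l for l in table if l.port == port and l.addr == dst]
    wild = [l for l in table if l.port == port and l.addr == ANY]
    return (exact or wild or [None])[0]


def scenario_from_pr():
    """The report: host inetd on 127.0.0.1:79, telnet from a jail at 127.0.0.2."""
    table: List[Listener] = []
    host_inetd = listen(table, "127.0.0.1", 79)
    from_host = connect(table, "127.0.0.1", 79)                        # answered
    from_jail = connect(table, "127.0.0.1", 79, jail_ip="127.0.0.2")   # refused
    return host_inetd, from_host, from_jail


def scenario_working_cases():
    """The two cases the thread says work: wildcard daemon, or inetd inside the jail."""
    wildcard_table: List[Listener] = []
    listen(wildcard_table, ANY, 79)                                    # host daemon on all interfaces
    via_wildcard = connect(wildcard_table, "127.0.0.1", 79, jail_ip="127.0.0.2")
    jail_table: List[Listener] = []
    jail_inetd = listen(jail_table, "127.0.0.1", 79, jail_ip="127.0.0.2")  # lands on 127.0.0.2:79
    via_jail_inetd = connect(jail_table, "127.0.0.1", 79, jail_ip="127.0.0.2")
    return via_wildcard, jail_inetd, via_jail_inetd
```

Seen from the host, the refused connect is the isolation working as intended: a service bound only to 127.0.0.1 on the host is not reachable from any jail's loopback.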