From akr@m17n.org Wed Aug 9 12:21:28 2000
Return-Path:
Received: from ripsport.aist.go.jp (ripsport.aist.go.jp [150.29.251.10])
        by hub.freebsd.org (Postfix) with ESMTP id 39BC837C29C
        for ; Wed, 9 Aug 2000 12:21:23 -0700 (PDT)
        (envelope-from akr@m17n.org)
Received: from rpsmtp1.aist.go.jp (rpsmtp1.aist.go.jp [150.29.254.30])
        by ripsport.aist.go.jp (8.9.3/3.7W) with ESMTP id EAA19183
        for ; Thu, 10 Aug 2000 04:21:17 +0900 (JST)
Received: from eccu1-1.etl.go.jp (localhost [127.0.0.1])
        by rpsmtp1.aist.go.jp (8.9.3/3.7W) with ESMTP id EAA08292
        for ; Thu, 10 Aug 2000 04:21:17 +0900 (JST)
Received: from flux.etl.go.jp (dhcpea054 [150.29.203.244])
        by eccu1-1.etl.go.jp (8.9.3/3.7W-ETL-MASTER) with ESMTP id EAA18032
        for ; Thu, 10 Aug 2000 04:21:16 +0900 (JST)
Received: by flux.etl.go.jp (Postfix, from userid 23483)
        id 54089404; Thu, 10 Aug 2000 04:21:38 +0900 (JST)
Message-Id: <20000809192138.54089404@flux.etl.go.jp>
Date: Thu, 10 Aug 2000 04:21:38 +0900 (JST)
From: akr@m17n.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: process in jail(8) with 127.0.0.2 cannot connect servers on 127.0.0.1.
X-Send-Pr-Version: 3.2

>Number:         20508
>Category:       kern
>Synopsis:       process in jail(8) with 127.0.0.2 cannot connect servers on 127.0.0.1
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    phk
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 09 12:30:00 PDT 2000
>Closed-Date:    Sat Sep 16 13:00:09 PDT 2000
>Last-Modified:  Sat Sep 16 13:02:30 PDT 2000
>Originator:     Tanaka Akira
>Release:        FreeBSD 4.0-RELEASE i386
>Organization:
m17n
>Environment:
FreeBSD flux 4.0-RELEASE FreeBSD 4.0-RELEASE #0: Fri Jul 7 00:53:54 JST 2000     akr@flux:/usr/src/sys/compile/AKR  i386
>Description:
When a jail is created with 127.0.0.2 and a jailed process tries to connect to 127.0.0.1:79 (finger daemon), it cannot connect.
This problem is reproduced for all daemons that are explicitly bound to 127.0.0.1 and is not reproduced for daemons that accept connections on all interfaces.
>How-To-Repeat:
Insert the following lines in /etc/rc.conf.

ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
inetd_flags="-wW -a 127.0.0.1"

Check lo0 configuration.

# ifconfig lo0
lo0: flags=8049 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xffffffff

Check inetd. inetd listens on 127.0.0.1:79.

# netstat -n -a |grep 79
tcp4       0      0  127.0.0.1.79           *.*                    LISTEN
# grep finger /etc/inetd.conf
finger  stream  tcp     nowait/3/10     nobody  /usr/libexec/fingerd    fingerd -s
finger  stream  tcp6    nowait/3/10     nobody  /usr/libexec/fingerd    fingerd -s
# ps auxww|grep inetd
root   372  0.0  0.5  1020  660  p0  S+    4:11AM   0:00.00 grep inetd
root   160  0.0  0.5  1012  676  ??  Ss    4:05AM   0:00.02 inetd -wW -a 127.0.0.1
# grep \^finger /etc/services
finger          79/tcp
finger          79/udp

Without jail, telnet to it works well even if the source IP address is specified as 127.0.0.2.

# telnet -s 127.0.0.2 127.0.0.1 79
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
root
Login: root                             Name: Charlie Root
Directory: /root                        Shell: /bin/csh
Last login Tue Aug 8 14:59 (JST) on ttyv1
No Mail.
No Plan.
Connection closed by foreign host.

Set up a jail to run telnet.
# cd /var/tmp
# mkdir jail
# cd jail
# mkdir -p usr/lib usr/libexec
# cp /usr/libexec/ld-elf.so.1 usr/libexec
# ldd /usr/bin/telnet
/usr/bin/telnet:
        libncurses.so.5 => /usr/lib/libncurses.so.5 (0x2807a000)
        libcrypto.so.1 => /usr/lib/libcrypto.so.1 (0x280b9000)
        libkrb.so.3 => /usr/lib/libkrb.so.3 (0x28156000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x2816f000)
        libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x28184000)
        libmp.so.3 => /usr/lib/libmp.so.3 (0x28186000)
        libipsec.so.0 => /usr/lib/libipsec.so.0 (0x28190000)
        libc.so.4 => /usr/lib/libc.so.4 (0x2819a000)
# cp /usr/lib/libncurses.so.5 /usr/lib/libcrypto.so.1 /usr/lib/libkrb.so.3 /usr/lib/libcrypt.so.2 /usr/lib/libcom_err.so.2 /usr/lib/libmp.so.3 /usr/lib/libipsec.so.0 /usr/lib/libc.so.4 usr/lib
# cp /usr/bin/telnet .

Run telnet and it fails.

# jail /var/tmp/jail xxx 127.0.0.2 /telnet 127.0.0.1 79
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host

I think it shouldn't fail.
>Fix:
>Release-Note:
>Audit-Trail:

Responsible-Changed-From-To: freebsd-bugs->phk
Responsible-Changed-By: sheldonh
Responsible-Changed-When: Thu Aug 10 03:15:49 PDT 2000
Responsible-Changed-Why:
Over to the maintainer.

http://www.freebsd.org/cgi/query-pr.cgi?pr=20508

State-Changed-From-To: open->closed
State-Changed-By: phk
State-Changed-When: Sat Sep 16 13:00:09 PDT 2000
State-Changed-Why:
First, thanks for the comprehensive PR; it is unfortunately seldom that PRs have this high level of information on how to reproduce the problem.

Second, no, it is not a bug. The jail interface has to emulate the loopback aspect of 127.0.0.1 to make things work in general. When you telnet to 127.0.0.1 inside the jail, you cannot contact the inetd outside the jail; you should be contacting the inetd inside your own jail. If you try to start an inetd inside the jail, you will see this work as expected.

http://www.freebsd.org/cgi/query-pr.cgi?pr=20508
>Unformatted:
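The closing comment states the rule behind the observed behaviour: inside a jail whose address is J, a connect to 127.0.0.1 is directed at J, so host services bound only to 127.0.0.1 are out of reach while wildcard listeners still answer. The following added example (not part of the PR, nor FreeBSD's own code) applies that rule to a constructed `netstat -n -a` listing, so an administrator can check in advance which host listeners a jailed process would reach; the function names and the sample lines other than the fingerd one are my own.

```python
"""Audit helper: which host listeners can a jailed process reach when it
connects to 127.0.0.1?  Models the loopback rewrite described in the PR:
inside a jail with IP J, a connect to 127.0.0.1 is sent to J instead."""
from typing import List, Optional, Tuple

# Constructed sample of `netstat -n -a` output in FreeBSD's format: the
# PR's inetd on 127.0.0.1:79, plus an sshd on *:22, a service bound to the
# jail address 127.0.0.2:8080, one on 10.0.0.5:25, and one non-listener.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.79           *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.2.8080         *.*                    LISTEN
tcp4       0      0  10.0.0.5.25            *.*                    LISTEN
tcp4       0      0  127.0.0.1.4000         127.0.0.1.54321        ESTABLISHED
"""

Listener = Tuple[str, int]


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return (local_addr, port) for every tcp4 socket in LISTEN state.
    netstat joins address and port with a dot, so split on the last dot."""
    listeners: List[Listener] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp4" or fields[-1] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(".", 1)
        listeners.append((addr, int(port)))
    return listeners


def jail_connect_target(jail_ip: str, dst: str) -> str:
    """The jail rule from the PR: 127.0.0.1 inside the jail means the jail's
    own address; every other destination is left untouched."""
    return jail_ip if dst == "127.0.0.1" else dst


def reachable_listener(listeners: List[Listener], jail_ip: str,
                       dst: str, port: int) -> Optional[Listener]:
    """Which host listener, if any, a jailed connect to dst:port lands on.
    A listener matches when its port agrees and it is bound either to the
    wildcard address or to the rewritten destination address."""
    effective = jail_connect_target(jail_ip, dst)
    for addr, p in listeners:
        if p == port and addr in ("*", effective):
            return (addr, p)
    return None  # refused: nothing listens on the rewritten address
```

Run against the sample, the fingerd listener on 127.0.0.1:79 comes back as unreachable from a jail on 127.0.0.2, exactly the "Connection refused" the PR reports, while the wildcard sshd and the 127.0.0.2-bound service are reachable.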