About this list Date view Thread view Subject view Author view Attachment view

From: Nick Craig-Wood (ncw_at_axis.demon.co.uk)
Date: Sat 16 Feb 2002 - 11:16:56 GMT


On Fri, Feb 15, 2002 at 05:17:09PM -0500, Jacques Gelinas wrote:
> On Fri, 15 Feb 2002 10:58:55 -0500, Sam Vilain wrote
> > Jacques Gelinas <jack_at_solucorp.qc.ca> wrote:
> >
> > > This is true. One solution would be to have one private loopback per
> > > vserver. (127.0.0.N) and translate dynamically from 127.0.0.1 to the
> > > vserver one.
> > [...]
> > > The current ipv4root of the vserver is mapping a bind(0.0.0.0), to a
> > > bind(ip-of-the-vserver). After this little modification in the kernel,
> > > the rest of the kernel simply work as usual.
> >
> > Just a thought, perhaps changing any call to bind(127.0.0.0/8) to
> > bind(ip_root) would be a nice quick hack;
> >
> > +++ net/ipv4/af_inet.c.orig Fri Feb 15 10:31:16 2002
> > @@ -489,7 +489,7 @@
> > s_addr = addr->sin_addr.s_addr;
> > if (current->ipv4root != 0){
> > // printk ("ipv4root0 %08lx %08x\n",current->ipv4root,s_addr);
> > - if (s_addr == 0 || (s_addr>>24 & 0xFF) == 127 ){
> > + if (s_addr == 0){
> > s_addr = current->ipv4root;
> > }else if (s_addr != current->ipv4root){
> > return -EADDRNOTAVAIL;
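Review bot: the hunk runs the wrong way round relative to the description above it: the header puts `net/ipv4/af_inet.c.orig` on the `+++` side, and the `-` line is the one carrying the 127/8 rewrite that the text presents as the proposed hack, so applying it as shown removes that rewrite and a bind to 127.0.0.1 then falls through to `else if (s_addr != current->ipv4root)` and returns -EADDRNOTAVAIL. Whichever direction is intended, `(s_addr>>24 & 0xFF) == 127` tests the wrong octet on little-endian hosts: `s_addr` is copied from `sin_addr.s_addr` and is in network byte order, so on x86 the shift yields the last octet of the address; mask with `htonl(0xff000000)` and compare against `htonl(0x7f000000)` instead (the kernel's `LOOPBACK()` macro does exactly that). The commented-out `printk` on the line above should also not ship.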
> >
> > Is this breaking network sanity too much? :-)
>
> Maybe.
>
> If you bind on 127.0.0.1, you do this to tell private connections apart
> from public connections. Now just by binding to 127.0.0.1, you end up opening
> to the world. While not such a big issue, if an application relies on/expects this
> behavior, its security model is screwed.

Indeed.

I propose a slight modification to the 127.0.0.N idea proposed earlier
 - if the ipv4root is a.b.c.d then use 127.b.c.d as the localhost
address - this makes the code easier (one less thing to keep track
of).

                if (s_addr == 0){
                        s_addr = current->ipv4root;
                }else if ((s_addr & htonl(0xFF000000)) == htonl(0x7F000000)){
                        /* s_addr and ipv4root are in network byte order, so
                         * mask and combine with htonl() constants: 127.x.y.z
                         * becomes 127.b.c.d for an ipv4root of a.b.c.d. */
                        s_addr = (current->ipv4root & htonl(0x00FFFFFF)) | htonl(0x7F000000);
                }else if (s_addr != current->ipv4root){
                        return -EADDRNOTAVAIL;
                }

Note that localhost is usually defined as 127.0.0.1/8 (i.e. a
network, and you can ping 127.0.0.2 and get a reply), so you might need
to re-ifconfig it as 127.0.0.1/32 and ifconfig separate 127.b.c.d/32's
for each vserver to stop the vservers being able to speak to each
other's 127.x.y.z addresses - I'm not sure, I haven't tried it.

-- 
Nick Craig-Wood
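The three-way bind() rewrite discussed in this thread, as an added user-space model that is not vserver's own code: 0.0.0.0 becomes the ipv4root, any 127.x.y.z becomes 127.b.c.d derived from an ipv4root of a.b.c.d, and anything else must already equal the ipv4root or bind() fails with EADDRNOTAVAIL. Addresses are handled in network byte order, as the kernel sees them in sin_addr.s_addr, and the naive host-order octet test from the thread is kept alongside the portable one so the difference on a little-endian host is visible. The function names (vs_rewrite_bind, vs_bind_result, is_loopback_be, naive_is_loopback) and the sample vserver address 192.168.10.7 are this example's own assumptions.

```c
/* Added example, not vserver's code: user-space model of the proposed
 * bind() address rewrite. All addresses are uint32_t in network byte order. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable 127.0.0.0/8 test: mask and compare in network byte order. */
int is_loopback_be(uint32_t a_be)
{
    return (a_be & htonl(0xFF000000u)) == htonl(0x7F000000u);
}

/* The test as written in the thread: shifts the u32 as if it were in host
 * order. On a little-endian host this inspects the LAST octet, not the first. */
int naive_is_loopback(uint32_t a_be)
{
    return ((a_be >> 24) & 0xFF) == 127;
}

/* Applies the rewrite rule. Returns 0 and stores the address bind() should
 * really use in *out_be, or -EADDRNOTAVAIL. An ipv4root of 0 means the
 * caller is not inside a vserver, so nothing is rewritten. */
int vs_rewrite_bind(uint32_t s_addr_be, uint32_t ipv4root_be, uint32_t *out_be)
{
    if (ipv4root_be == 0) {
        *out_be = s_addr_be;
        return 0;
    }
    if (s_addr_be == htonl(INADDR_ANY)) {          /* 0.0.0.0 -> ipv4root */
        *out_be = ipv4root_be;
        return 0;
    }
    if (is_loopback_be(s_addr_be)) {                /* 127.x.y.z -> 127.b.c.d */
        *out_be = (ipv4root_be & htonl(0x00FFFFFFu)) | htonl(0x7F000000u);
        return 0;
    }
    if (s_addr_be != ipv4root_be)                   /* foreign address: refuse */
        return -EADDRNOTAVAIL;
    *out_be = s_addr_be;
    return 0;
}

/* Dotted-quad front end for demos and tests: returns the rewritten address
 * as a string, or "EADDRNOTAVAIL" / "EINVAL". Uses a static buffer. */
const char *vs_bind_result(const char *req, const char *root)
{
    static char buf[INET_ADDRSTRLEN];
    uint32_t s, r, o;
    if (inet_pton(AF_INET, req, &s) != 1 || inet_pton(AF_INET, root, &r) != 1)
        return "EINVAL";
    int rc = vs_rewrite_bind(s, r, &o);
    if (rc == -EADDRNOTAVAIL)
        return "EADDRNOTAVAIL";
    return inet_ntop(AF_INET, &o, buf, sizeof buf) ? buf : "EINVAL";
}

int main(void)
{
    /* Constructed sample: a vserver whose ipv4root is 192.168.10.7. */
    const char *root = "192.168.10.7";
    const char *reqs[] = { "0.0.0.0", "127.0.0.1", "127.0.0.5",
                           "192.168.10.7", "10.0.0.1" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("bind(%s) inside vserver %s -> %s\n",
               reqs[i], root, vs_bind_result(reqs[i], root));

    uint32_t lo = htonl(0x7F000001u);               /* 127.0.0.1 */
    printf("127.0.0.1: portable loopback test = %d, naive host-order test = %d\n",
           is_loopback_be(lo), naive_is_loopback(lo));
    return 0;
}
```

On x86 the last line reports the naive test as 0 for 127.0.0.1, which is the byte-order trap: any kernel patch doing this comparison needs the htonl() form, and the private-loopback mapping needs the same treatment when it splices the 127 octet onto the ipv4root.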


Generated on Wed 06 Nov 2002 - 07:03:39 GMT by hypermail 2.1.3