[vserver] RE: Performance, memory, etc

About this list Date view Thread view Subject view Author view Attachment view

From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Fri Feb 15 2002 - 17:17:09 EST


On Fri, 15 Feb 2002 10:58:55 -0500, Sam Vilain wrote
> Jacques Gelinas <jack_at_solucorp.qc.ca> wrote:
>
> > This is true. One solution would be to have one private loopback per
> > vserver. (127.0.0.N) and translate dynamically from 127.0.0.1 to the
> > vserver one.
> [...]
> > The current ipv4root of the vserver is mapping a bind(0.0.0.0), to a
> > bind(ip-of-the-vserver). After this little modification in the kernel,
> > the rest of the kernel simply work as usual.
>
> Just a thought, perhaps changing any call to bind(127.0.0.0/8) to
> bind(ip_root) would be a nice quick hack;
>
> --- net/ipv4/af_inet.c Fri Feb 15 10:33:10 2002
> +++ net/ipv4/af_inet.c.orig Fri Feb 15 10:31:16 2002
> @@ -489,7 +489,7 @@
> s_addr = addr->sin_addr.s_addr;
> if (current->ipv4root != 0){
> // printk ("ipv4root0 %08lx %08x\n",current->ipv4root,s_addr);
> - if (s_addr == 0 || (s_addr>>24 & 0xFF) == 127 ){
> + if (s_addr == 0){
> s_addr = current->ipv4root;
> }else if (s_addr != current->ipv4root){
> return -EADDRNOTAVAIL;
>
> Is this breaking network sanity too much? :-)

Maybe.

If you bind on 127.0.0.1, you do this to tell apart private connection
public connection. Now just by binding to 127.0.0.1, you end up opening
to the world. While not such a big issue, if an application relies/expects this
behavior, their security model is screwed.

---------------------------------------------------------
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc


About this list Date view Thread view Subject view Author view Attachment view

This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:01 EDT