Executing rc.d on rdomain != 0


Executing rc.d on rdomain != 0

YASUOKA Masahiko-3
Hi!

I think rc.d should specify the routing domain explicitly when it
executes the daemon program even if the daemon's rtable is configured
0 since the executed routing domain may not be 0.

Example:

  (run sshd on rtable 100)
  $ doas ifconfig lo100 rdomain 100 127.0.0.1/8
  $ doas ln -s sshd /etc/rc.d/sshd100
  $ doas rcctl enable sshd100
  $ doas rcctl set sshd100 rtable 100
  $ doas rcctl start sshd100

  (ssh login from rdomain 100)
  $ route -T100 exec ssh 127.0.0.1

  (logged in, default routing domain becomes 100)
  $ doas rcctl get ntpd rtable
  0
  $ doas rcctl restart ntpd
  ntpd(ok)
  ntpd(ok)

  $ doas /etc/rc.d/ntpd check
  ntpd(failed)
  $ ps ax -o 'pid comm rtable' | grep ntpd
  26036 ntpd                100
   2924 ntpd                100
  78901 ntpd                100
  $

"check" fails because /var/run/rc.d/ntpd rtable is 0, but it is
actually running on 100.

ok?

Execute the daemon program on the configured routing table always even
if its rtable is configured 0 and rc.d is executed on a routing domain
other than 0.

Index: etc/rc.d/rc.subr
===================================================================
RCS file: /cvs/src/etc/rc.d/rc.subr,v
retrieving revision 1.130
diff -u -p -r1.130 rc.subr
--- etc/rc.d/rc.subr 20 Jan 2019 04:52:07 -0000 1.130
+++ etc/rc.d/rc.subr 20 Feb 2019 03:57:37 -0000
@@ -320,5 +320,4 @@ unset _rcflags _rcrtable _rcuser _rctime
 # make sure pexp matches the process (i.e. doesn't include the quotes)
 pexp="$(eval echo ${daemon}${daemon_flags:+ ${daemon_flags}})"
 rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
-[ "${daemon_rtable}" -eq 0 ] ||
- rcexec="route -T ${daemon_rtable} exec ${rcexec}"
+rcexec="route -T ${daemon_rtable} exec ${rcexec}"
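Review bot: dropping the `[ "${daemon_rtable}" -eq 0 ]` guard makes every daemon start on every system go through `route -T 0 exec ...`, including installations that never configured a routing domain, which is a wider behaviour change than the symptom in the post needs. The failure described is a mismatch between the rtable rc.d itself runs in and the rtable recorded for the daemon, so a narrower fix is to keep the guard but compare against the current rtable instead of the literal 0, for example `[ "${daemon_rtable}" -eq "$(id -R)" ] ||` followed by the unchanged `rcexec="route -T ${daemon_rtable} exec ${rcexec}"` line, so the wrapper only appears when rc.d is executed outside the daemon's rtable. Either way the change deserves a one-line comment above `rcexec=` explaining why the wrapper is there, since the `pexp` comment just above documents a related pitfall.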

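The mismatch in the post can be reproduced without a real routing domain by modelling the few lines of rc.subr that build the start command. The script below is an added example, not rc.subr itself or anything from the thread: it builds `rcexec` the way the 1.130 code did ("old"), the way the proposed diff does ("new"), and a third "cmp" variant (an assumption of this example, not something the post proposes) that only adds the `route -T` wrapper when the daemon's rtable differs from the rtable rc.d runs in. `daemon_class`, `daemon_user` and the rtable numbers are constructed sample values, and the check is modelled on the post's description that rc.d looks for the process in the configured rtable.

```shell
#!/bin/sh
# Added example (not rc.subr): a dry-run model of how rc.subr builds the
# command that starts a daemon, so the rtable mismatch from the post can
# be reproduced on any system without route(8) or routing domains.

# build_rcexec MODE DAEMON_RTABLE CUR_RTABLE
#   old: the rc.subr 1.130 guard (skip route(8) when rtable is 0)
#   new: the proposed diff (always wrap in route -T)
#   cmp: assumed alternative: wrap only when the daemon's rtable differs
#        from the rtable rc.d itself runs in
# CUR_RTABLE stands in for the rtable of the shell running rc.d; it is a
# constructed parameter here so the script runs anywhere.
build_rcexec() {
    mode=$1; daemon_rtable=$2; cur_rtable=$3
    daemon_class=daemon; daemon_user=_ntp   # constructed sample values
    rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
    case $mode in
    old) [ "${daemon_rtable}" -eq 0 ] ||
             rcexec="route -T ${daemon_rtable} exec ${rcexec}" ;;
    new) rcexec="route -T ${daemon_rtable} exec ${rcexec}" ;;
    cmp) [ "${daemon_rtable}" -eq "${cur_rtable}" ] ||
             rcexec="route -T ${daemon_rtable} exec ${rcexec}" ;;
    *)   echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    printf '%s\n' "$rcexec"
}

# effective_rtable MODE DAEMON_RTABLE CUR_RTABLE
# The rtable the daemon actually ends up in: "route -T N exec" pins it to
# N, otherwise the daemon inherits the rtable of the process starting it.
effective_rtable() {
    cmd=$(build_rcexec "$1" "$2" "$3") || return 1
    case $cmd in
    "route -T "*) printf '%s\n' "$cmd" | sed 's/^route -T \([0-9]*\) .*/\1/' ;;
    *)            printf '%s\n' "$3" ;;
    esac
}

# check_status MODE DAEMON_RTABLE CUR_RTABLE
# Models "rc.d check": the process is looked for in the configured rtable
# (the value the post reads back with "rcctl get ntpd rtable").
check_status() {
    if [ "$(effective_rtable "$1" "$2" "$3")" -eq "$2" ]; then
        echo ok
    else
        echo failed
    fi
}

# Reproduce the post: ntpd configured with rtable 0, restarted from a
# shell whose default routing domain is 100.
for mode in old new cmp; do
    printf '%s: ntpd runs in rtable %s, check %s\n' \
        "$mode" "$(effective_rtable "$mode" 0 100)" "$(check_status "$mode" 0 100)"
done
```

With the 1.130 logic the daemon inherits rtable 100 while the check looks in rtable 0, which is exactly the `ntpd(failed)` in the post; both the proposed diff and the "cmp" variant put the daemon in rtable 0, and "cmp" does so without adding the `route -T` wrapper in the common case where rc.d already runs in the daemon's rtable.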

Re: Executing rc.d on rdomain != 0

Theo de Raadt-2
I think that's really gross.

route domains are a concept usable by some people, not everyone should
need to see this.

> I think rc.d should specify the routing domain explicitly when it
> executes the daemon program even if the daemon's rtable is configured
> 0 since the executed routing domain may not be 0.
>
> Example:
>
>   (run sshd on rtable 100)
>   $ doas ifconfig lo100 rdomain 100 127.0.0.1/8
>   $ doas ln -s sshd /etc/rc.d/sshd100
>   $ doas rcctl enable sshd100
>   $ doas rcctl set sshd100 rtable 100
>   $ doas rcctl start sshd100
>
>   (ssh login from rdomain 100)
>   $ route -T100 exec ssh 127.0.0.1
>
>   (logged in, default routing domain becomes 100)
>   $ doas rcctl get ntpd rtable
>   0
>   $ doas rcctl restart ntpd
>   ntpd(ok)
>   ntpd(ok)
>
>   $ doas /etc/rc.d/ntpd check
>   ntpd(failed)
>   $ ps ax -o 'pid comm rtable' | grep ntpd
>   26036 ntpd                100
>    2924 ntpd                100
>   78901 ntpd                100
>   $
>
> "check" fails because /var/run/rc.d/ntpd rtable is 0, but it is
> actually running on 100.
>
> ok?
>
> Execute the daemon program on the configured routing table always even
> if its rtable is configured 0 and rc.d is executed on a routing domain
> other than 0.
>
> Index: etc/rc.d/rc.subr
> ===================================================================
> RCS file: /cvs/src/etc/rc.d/rc.subr,v
> retrieving revision 1.130
> diff -u -p -r1.130 rc.subr
> --- etc/rc.d/rc.subr 20 Jan 2019 04:52:07 -0000 1.130
> +++ etc/rc.d/rc.subr 20 Feb 2019 03:57:37 -0000
> @@ -320,5 +320,4 @@ unset _rcflags _rcrtable _rcuser _rctime
>  # make sure pexp matches the process (i.e. doesn't include the quotes)
>  pexp="$(eval echo ${daemon}${daemon_flags:+ ${daemon_flags}})"
>  rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
> -[ "${daemon_rtable}" -eq 0 ] ||
> - rcexec="route -T ${daemon_rtable} exec ${rcexec}"
> +rcexec="route -T ${daemon_rtable} exec ${rcexec}"
>


Re: Executing rc.d on rdomain != 0

YASUOKA Masahiko-3
On Tue, 19 Feb 2019 22:33:53 -0700
"Theo de Raadt" <[hidden email]> wrote:
> I think that's really gross.
>
> route domains are a concept usable by some people, not everyone should
> need to see this.

Ah, maybe yes.  I am using sshd on a routing domain other than 0, but
actually I'll add "RDomain 0" to sshd_config to keep rdomain 0 for
logged-in shells, to avoid this kind of confusion.


>> I think rc.d should specify the routing domain explicitly when it
>> executes the daemon program even if the daemon's rtable is configured
>> 0 since the executed routing domain may not be 0.
>>
>> Example:
>>
>>   (run sshd on rtable 100)
>>   $ doas ifconfig lo100 rdomain 100 127.0.0.1/8
>>   $ doas ln -s sshd /etc/rc.d/sshd100
>>   $ doas rcctl enable sshd100
>>   $ doas rcctl set sshd100 rtable 100
>>   $ doas rcctl start sshd100
>>
>>   (ssh login from rdomain 100)
>>   $ route -T100 exec ssh 127.0.0.1
>>
>>   (logged in, default routing domain becomes 100)
>>   $ doas rcctl get ntpd rtable
>>   0
>>   $ doas rcctl restart ntpd
>>   ntpd(ok)
>>   ntpd(ok)
>>
>>   $ doas /etc/rc.d/ntpd check
>>   ntpd(failed)
>>   $ ps ax -o 'pid comm rtable' | grep ntpd
>>   26036 ntpd                100
>>    2924 ntpd                100
>>   78901 ntpd                100
>>   $
>>
>> "check" fails because /var/run/rc.d/ntpd rtable is 0, but it is
>> actually running on 100.
>>
>> ok?
>>
>> Execute the daemon program on the configured routing table always even
>> if its rtable is configured 0 and rc.d is executed on a routing domain
>> other than 0.
>>
>> Index: etc/rc.d/rc.subr
>> ===================================================================
>> RCS file: /cvs/src/etc/rc.d/rc.subr,v
>> retrieving revision 1.130
>> diff -u -p -r1.130 rc.subr
>> --- etc/rc.d/rc.subr 20 Jan 2019 04:52:07 -0000 1.130
>> +++ etc/rc.d/rc.subr 20 Feb 2019 03:57:37 -0000
>> @@ -320,5 +320,4 @@ unset _rcflags _rcrtable _rcuser _rctime
>>  # make sure pexp matches the process (i.e. doesn't include the quotes)
>>  pexp="$(eval echo ${daemon}${daemon_flags:+ ${daemon_flags}})"
>>  rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c"
>> -[ "${daemon_rtable}" -eq 0 ] ||
>> - rcexec="route -T ${daemon_rtable} exec ${rcexec}"
>> +rcexec="route -T ${daemon_rtable} exec ${rcexec}"
>>