author | Jamie Gritton <jamie@FreeBSD.org> | 2011-06-20 23:04:13 +0000 |
committer | Jamie Gritton <jamie@FreeBSD.org> | 2011-06-20 23:04:13 +0000 |
commit | 5fb611c2bf668c4c25268487b6f188bdde2f1fcb (patch) | |
tree | 3722fb521d5a390da637c2798c9d3498b8340a42 /usr.sbin | |
parent | e16fb8fba80d16e7f1684c5ff33e391544d43da6 (diff) | |
download | src-test2-5fb611c2bf668c4c25268487b6f188bdde2f1fcb.tar.gz src-test2-5fb611c2bf668c4c25268487b6f188bdde2f1fcb.zip |
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/jail/Makefile | 3 | ||||
-rw-r--r-- | usr.sbin/jail/command.c | 7 | ||||
-rw-r--r-- | usr.sbin/jail/config.c | 121 | ||||
-rw-r--r-- | usr.sbin/jail/jail.c | 46 | ||||
-rw-r--r-- | usr.sbin/jail/jailp.h | 6 |
5 files changed, 119 insertions, 64 deletions
diff --git a/usr.sbin/jail/Makefile b/usr.sbin/jail/Makefile
index 3e9e5f7cce7e..00d7ff50b523 100644
--- a/usr.sbin/jail/Makefile
+++ b/usr.sbin/jail/Makefile
@@ -15,6 +15,9 @@ CFLAGS+=-I. -I${.CURDIR}
 .if ${MK_INET6_SUPPORT} != "no"
 CFLAGS+= -DINET6
 .endif
+.if ${MK_INET_SUPPORT} != "no"
+CFLAGS+= -DINET
+.endif
 CLEANFILES= y.output
diff --git a/usr.sbin/jail/command.c b/usr.sbin/jail/command.c
index b8f7d7272e93..eaaab155bc59 100644
--- a/usr.sbin/jail/command.c
+++ b/usr.sbin/jail/command.c
@@ -247,12 +247,15 @@ run_command(struct cfjail *j)
 const struct cfstring *comstring, *s;
 login_cap_t *lcap;
 char **argv;
-char *cs, *addr, *comcs, *devpath;
+char *cs, *comcs, *devpath;
 const char *jidstr, *conslog, *path, *ruleset, *term, *username;
 enum intparam comparam;
 size_t comlen;
 pid_t pid;
 int argc, bg, clean, consfd, down, fib, i, injail, sjuser, timeout;
+#if defined(INET) || defined(INET6)
+char *addr;
+#endif
 static char *cleanenv;
@@ -295,6 +298,7 @@ run_command(struct cfjail *j)
 comstring = j->comstring;
 bg = 0;
 switch (comparam) {
+#ifdef INET
 case IP__IP4_IFADDR:
 argv = alloca(8 * sizeof(char *));
 *(const char **)&argv[0] = _PATH_IFCONFIG;
@@ -326,6 +330,7 @@ run_command(struct cfjail *j)
 *(const char **)&argv[argc] = down ? "-alias" : "alias";
 argv[argc + 1] = NULL;
 break;
+#endif
 #ifdef INET6
 case IP__IP6_IFADDR:
diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c
index f32500fdeac7..941a446232ae 100644
--- a/usr.sbin/jail/config.c
+++ b/usr.sbin/jail/config.c
@@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$");
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 #include "jailp.h"
@@ -74,15 +75,19 @@ static const struct ipspec intparams[] = {
 PF_INTERNAL | PF_BOOL},
 [IP_EXEC_SYSTEM_USER] = {"exec.system_user", PF_INTERNAL},
 [IP_EXEC_TIMEOUT] = {"exec.timeout", PF_INTERNAL | PF_INT},
+#if defined(INET) || defined(INET6)
 [IP_INTERFACE] = {"interface", PF_INTERNAL},
 [IP_IP_HOSTNAME] = {"ip_hostname", PF_INTERNAL | PF_BOOL},
+#endif
 [IP_MOUNT] = {"mount", PF_INTERNAL},
 [IP_MOUNT_DEVFS] = {"mount.devfs", PF_INTERNAL | PF_BOOL},
 [IP_MOUNT_DEVFS_RULESET]= {"mount.devfs.ruleset", PF_INTERNAL},
 [IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL},
 [IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL | PF_INT},
 [IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL},
+#ifdef INET
 [IP__IP4_IFADDR] = {"ip4.addr", PF_INTERNAL | PF_CONV},
+#endif
 #ifdef INET6
 [IP__IP6_IFADDR] = {"ip6.addr", PF_INTERNAL | PF_CONV},
 #endif
@@ -96,7 +101,9 @@ static const struct ipspec intparams[] = {
 [KP_ALLOW_SYSVIPC] = {"allow.sysvipc", 0},
 [KP_ENFORCE_STATFS] = {"enforce_statfs", 0},
 [KP_HOST_HOSTNAME] = {"host.hostname", 0},
+#ifdef INET
 [KP_IP4_ADDR] = {"ip4.addr", 0},
+#endif
 #ifdef INET6
 [KP_IP6_ADDR] = {"ip6.addr", 0},
 #endif
@@ -427,21 +434,27 @@ string_param(const struct cfparam *p)
 int
 check_intparams(struct cfjail *j)
 {
-struct in_addr addr4;
-struct addrinfo hints;
-struct addrinfo *ai0, *ai;
 struct cfparam *p;
 struct cfstring *s;
 FILE *f;
-const char *hostname, *val;
+const char *val;
 char *cs, *ep, *ln;
-size_t size, lnlen;
-int error, gicode, ip4ok, defif, prefix;
-int mib[4];
+size_t lnlen;
+int error;
+#if defined(INET) || defined(INET6)
+struct addrinfo hints;
+struct addrinfo *ai0, *ai;
+const char *hostname;
+int gicode, defif, prefix;
+#endif
+#ifdef INET
+struct in_addr addr4;
+int ip4ok;
 char avalue4[INET_ADDRSTRLEN];
+#endif
 #ifdef INET6
 struct in6_addr addr6;
-int ip6ok, isip6;
+int ip6ok;
 char avalue6[INET6_ADDRSTRLEN];
 #endif
@@ -471,6 +484,7 @@ check_intparams(struct cfjail *j)
 }
 }
+#if defined(INET) || defined(INET6)
 /*
 * The ip_hostname parameter looks up the hostname, and adds parameters
 * for any IP addresses it finds.
@@ -484,27 +498,32 @@ check_intparams(struct cfjail *j)
 * Silently ignore unsupported address families from
 * DNS lookups.
 */
-size = 4;
-ip4ok = sysctlnametomib("security.jail.param.ip4", mib, &size)
-== 0;
-#ifdef INET6
-size = 4;
-ip6ok = sysctlnametomib("security.jail.param.ip6", mib, &size)
-== 0;
+#ifdef INET
+ip4ok = feature_present("inet");
 #endif
-if (ip4ok
 #ifdef INET6
-|| ip6ok
+ip6ok = feature_present("inet6");
+#endif
+if (
+#if defined(INET) && defined(INET6)
+ip4ok || ip6ok
+#elif defined(INET)
+ip4ok
+#elif defined(INET6)
+ip6ok
 #endif
-) {
+) {
 /* Look up the hostname (or get the address) */
 memset(&hints, 0, sizeof(hints));
 hints.ai_socktype = SOCK_STREAM;
 hints.ai_family =
-#ifdef INET6
-ip6ok ? (ip4ok ? PF_UNSPEC : PF_INET6) :
-#endif
+#if defined(INET) && defined(INET6)
+ip4ok ? (ip6ok ? PF_UNSPEC : PF_INET) : PF_INET6;
+#elif defined(INET)
 PF_INET;
+#elif defined(INET6)
+PF_INET6;
+#endif
 gicode = getaddrinfo(hostname, NULL, &hints, &ai0);
 if (gicode != 0) {
 jail_warnx(j, "host.hostname %s: %s", hostname,
@@ -518,6 +537,7 @@ check_intparams(struct cfjail *j)
 */
 for (ai = ai0; ai; ai = ai->ai_next)
 switch (ai->ai_family) {
+#ifdef INET
 case AF_INET:
 memcpy(&addr4, &((struct sockaddr_in *)
@@ -530,6 +550,7 @@ check_intparams(struct cfjail *j)
 add_param(j, NULL, KP_IP4_ADDR, avalue4);
 break;
+#endif
 #ifdef INET6
 case AF_INET6:
 memcpy(&addr6,
@@ -555,43 +576,46 @@ check_intparams(struct cfjail *j)
 * and a netmask/suffix for that address.
 */
 defif = string_param(j->intparams[IP_INTERFACE]) != NULL;
-#ifdef INET6
-for (isip6 = 0; isip6 <= 1; isip6++)
-#else
-#define isip6 0
-do
-#endif
-{
-if (j->intparams[KP_IP4_ADDR + isip6] == NULL)
-continue;
-TAILQ_FOREACH(s, &j->intparams[KP_IP4_ADDR + isip6]->val, tq) {
+#ifdef INET
+if (j->intparams[KP_IP4_ADDR] != NULL) {
+TAILQ_FOREACH(s, &j->intparams[KP_IP4_ADDR]->val, tq) {
 cs = strchr(s->s, '|');
 if (cs || defif)
-add_param(j, NULL, IP__IP4_IFADDR + isip6,
-s->s);
+add_param(j, NULL, IP__IP4_IFADDR, s->s);
 if (cs) {
 strcpy(s->s, cs + 1);
 s->len -= cs + 1 - s->s;
 }
 if ((cs = strchr(s->s, '/'))) {
 prefix = strtol(cs + 1, &ep, 10);
-if (
-#ifdef INET6
-!isip6 &&
-#endif
-*ep == '.'
+if (*ep == '.'
 ? inet_pton(AF_INET, cs + 1, &addr4) != 1
-: *ep || prefix < 0 || prefix > (
-#ifdef INET6
-isip6 ? 128 :
-#endif
-32)) {
+: *ep || prefix < 0 || prefix > 32) {
 jail_warnx(j,
-#ifdef INET6
-isip6
-? "ip6.addr: bad prefixlen \"%s\"" :
+"ip4.addr: bad netmask \"%s\"", cs);
+error = -1;
+}
+*cs = '\0';
+s->len = cs - s->s + 1;
+}
+}
+}
 #endif
-"ip4.addr: bad netmask \"%s\"",
+#ifdef INET6
+if (j->intparams[KP_IP6_ADDR] != NULL) {
+TAILQ_FOREACH(s, &j->intparams[KP_IP6_ADDR]->val, tq) {
+cs = strchr(s->s, '|');
+if (cs || defif)
+add_param(j, NULL, IP__IP6_IFADDR, s->s);
+if (cs) {
+strcpy(s->s, cs + 1);
+s->len -= cs + 1 - s->s;
+}
+if ((cs = strchr(s->s, '/'))) {
+prefix = strtol(cs + 1, &ep, 10);
+if (*ep || prefix < 0 || prefix > 128) {
+jail_warnx(j,
+"ip6.addr: bad prefixlen \"%s\"",
 cs);
 error = -1;
 }
@@ -600,8 +624,7 @@ check_intparams(struct cfjail *j)
 }
 }
 }
-#ifndef INET6
-while (0);
+#endif
 #endif
 /*
diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c
index 9706b8d2efc0..0f5091e5e5a7 100644
--- a/usr.sbin/jail/jail.c
+++ b/usr.sbin/jail/jail.c
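Review bot: The new `strcpy(s->s, cs + 1);` in the IPv6 block copies a string onto its own buffer: `cs` was returned by `strchr(s->s, '|')`, so source and destination overlap, which is undefined behaviour for strcpy (C11 7.24.2.3); the same line survives as context in the IPv4 block just above. `memmove(s->s, cs + 1, strlen(cs + 1) + 1);` performs the intended shift with the terminator, and the following `s->len -= cs + 1 - s->s;` can stay as it is. Separately, the two blocks are now line-for-line copies that differ only in the parameter ids, the prefix limit and the message, so a small static helper taking those as arguments would keep the two address-family validators from drifting apart. check_intparams begins and ends outside the hunk.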
@@ -80,7 +80,9 @@ static struct permspec perm_sysctl[] = {
 static const enum intparam startcommands[] = {
 0,
+#ifdef INET
 IP__IP4_IFADDR,
+#endif
 #ifdef INET6
 IP__IP6_IFADDR,
 #endif
@@ -109,25 +111,30 @@ static const enum intparam stopcommands[] = {
 #ifdef INET6
 IP__IP6_IFADDR,
 #endif
+#ifdef INET
 IP__IP4_IFADDR,
+#endif
 0
 };
 int
 main(int argc, char **argv)
 {
-#ifdef INET6
-struct in6_addr addr6;
-#endif
 struct stat st;
 FILE *jfp;
 struct cfjail *j;
-char *cs, *ncs, *JidFile;
+char *JidFile;
 size_t sysvallen;
 unsigned op, pi;
 int ch, docf, error, i, oldcl, sysval;
 int dflag, iflag, Rflag;
 char enforce_statfs[4];
+#if defined(INET) || defined(INET6)
+char *cs, *ncs;
+#endif
+#if defined(INET) && defined(INET6)
+struct in6_addr addr6;
+#endif
 op = 0;
 dflag = iflag = Rflag = 0;
@@ -147,7 +154,9 @@ main(int argc, char **argv)
 cfname = optarg;
 break;
 case 'h':
+#if defined(INET) || defined(INET6)
 add_param(NULL, NULL, IP_IP_HOSTNAME, NULL);
+#endif
 docf = 0;
 break;
 case 'i':
@@ -219,21 +228,27 @@ main(int argc, char **argv)
 oldcl = 1;
 add_param(NULL, NULL, KP_PATH, argv[0]);
 add_param(NULL, NULL, KP_HOST_HOSTNAME, argv[1]);
+#if defined(INET) || defined(INET6)
 if (argv[2][0] != '\0') {
 for (cs = argv[2];; cs = ncs + 1) {
 ncs = strchr(cs, ',');
 if (ncs)
 *ncs = '\0';
 add_param(NULL, NULL,
-#ifdef INET6
+#if defined(INET) && defined(INET6)
 inet_pton(AF_INET6, cs, &addr6) == 1
-? KP_IP6_ADDR :
+? KP_IP6_ADDR : KP_IP4_ADDR,
+#elif defined(INET)
+KP_IP4_ADDR,
+#elif defined(INET6)
+KP_IP6_ADDR,
 #endif
-KP_IP4_ADDR, cs);
+cs);
 if (!ncs)
 break;
 }
 }
+#endif
 for (i = 3; i < argc; i++)
 add_param(NULL, NULL, IP_COMMAND, argv[i]);
 /* Emulate the defaults from security.jail.* sysctls. */
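Review bot: In the old-style command-line branch (the `@@ -219` hunk), argv[2] is now only examined inside `#if defined(INET) || defined(INET6)`, so a build with neither option accepts a non-empty address argument and silently creates the jail without any of the addresses the caller asked for; since those addresses are part of the jail's confinement, an ignored list should be reported rather than dropped. An `#else` arm that rejects a non-empty argument would make this explicit, e.g. `#else` / `if (argv[2][0] != '\0')` / `errx(1, "IP addresses not supported in this build");` — or whatever error routine the file already uses, which is not visible in the hunk. main continues outside the hunk.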
@@ -866,15 +881,18 @@ print_jail(FILE *fp, struct cfjail *j, int oldcl)
 putc('\t', fp);
 print_param(fp, j->intparams[KP_HOST_HOSTNAME], ',', 0);
 putc('\t', fp);
+#ifdef INET
 print_param(fp, j->intparams[KP_IP4_ADDR], ',', 0);
 #ifdef INET6
-if (j->intparams[KP_IP6_ADDR] &&
-!TAILQ_EMPTY(&j->intparams[KP_IP6_ADDR]->val)) {
-if (j->intparams[KP_IP4_ADDR] &&
-!TAILQ_EMPTY(&j->intparams[KP_IP4_ADDR]->val))
-putc(',', fp);
-print_param(fp, j->intparams[KP_IP6_ADDR], ',', 0);
-}
+if (j->intparams[KP_IP4_ADDR] &&
+!TAILQ_EMPTY(&j->intparams[KP_IP4_ADDR]->val) &&
+j->intparams[KP_IP6_ADDR] &&
+!TAILQ_EMPTY(&j->intparams[KP_IP6_ADDR]->val))
+putc(',', fp);
+#endif
+#endif
+#ifdef INET6
+print_param(fp, j->intparams[KP_IP6_ADDR], ',', 0);
 #endif
 putc('\t', fp);
 print_param(fp, j->intparams[IP_COMMAND], ' ', 0);
diff --git a/usr.sbin/jail/jailp.h b/usr.sbin/jail/jailp.h
index 0f9665551ba3..68ad7a352e1f 100644
--- a/usr.sbin/jail/jailp.h
+++ b/usr.sbin/jail/jailp.h
@@ -87,15 +87,19 @@ enum intparam {
 IP_EXEC_SYSTEM_JAIL_USER,/* Get jail_user from system passwd file */
 IP_EXEC_SYSTEM_USER, /* Run non-jailed commands as this user */
 IP_EXEC_TIMEOUT, /* Time to wait for a command to complete */
+#if defined(INET) || defined(INET6)
 IP_INTERFACE, /* Add IP addresses to this interface */
 IP_IP_HOSTNAME, /* Get jail IP address(es) from hostname */
+#endif
 IP_MOUNT, /* Mount points in fstab(5) form */
 IP_MOUNT_DEVFS, /* Mount /dev under prison root */
 IP_MOUNT_DEVFS_RULESET, /* Ruleset for the devfs mount */
 IP_MOUNT_FSTAB, /* A standard fstab(5) file */
 IP_STOP_TIMEOUT, /* Time to wait after sending SIGTERM */
 IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */
+#ifdef INET
 IP__IP4_IFADDR, /* Copy of ip4.addr with interface/netmask */
+#endif
 #ifdef INET6
 IP__IP6_IFADDR, /* Copy of ip6.addr with interface/prefixlen */
 #endif
@@ -109,7 +113,9 @@ enum intparam {
 KP_ALLOW_SYSVIPC,
 KP_ENFORCE_STATFS,
 KP_HOST_HOSTNAME,
+#ifdef INET
 KP_IP4_ADDR,
+#endif
 #ifdef INET6
 KP_IP6_ADDR,
 #endif |
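Review bot: Guarding `KP_IP4_ADDR` with its own `#ifdef INET` (and `IP__IP4_IFADDR` likewise in the preceding jailp.h hunk) means `KP_IP6_ADDR` no longer reliably follows it, so any surviving offset arithmetic of the `KP_IP4_ADDR + isip6` form would silently index an unrelated parameter in an INET6-only build; the instances in config.c are removed by this commit, but nothing at the enum records that the pair is no longer contiguous. A comment next to the guarded entries such as `/* ip4/ip6 entries may be compiled out separately; never index one from the other. */` would keep that assumption from being reintroduced.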