
List:       freebsd-jail
Subject:    Re: IPv6 multicast sent to jail
From:       Jamie Gritton <jamie () FreeBSD ! org>
Date:       2012-08-25 20:45:47
Message-ID: 5039397B.7050205 () FreeBSD ! org



On 08/25/12 14:15, Curtis Villamizar wrote:
> In message <503402FE.9080103@FreeBSD.org>
> Jamie Gritton writes:
>
>> On 08/19/12 11:35, Curtis Villamizar wrote:
>>> I'm trying to run isc-dhcpd using dhcpd -6 in a jail.  No luck.
>>>
>>> The following code is run in the jail and doesn't fail.
>>>
>>>           if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
>>>                         &mreq.ipv6mr_multiaddr) <= 0) {
>>>                   log_fatal("inet_pton: unable to convert '%s'",
>>>                             All_DHCP_Relay_Agents_and_Servers);
>>>           }
>>>           mreq.ipv6mr_interface = if_nametoindex(info->name);
>>>           if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
>>>                          &mreq, sizeof(mreq)) < 0) {
>>>                   log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
>>>           }
>>>
>>> where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".
>>>
>>> Later dhcpd binds to *.517 which can be seen in netstat -an.
>>>
>>> Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
>>> jailee) using tcpdump, but no packets are received by the jailee.
>>>
>>> When the same command from the jailer using a chroot to the jailee
>>> directory, the multicast packets are received.
>>>
>>> Is there a solution to this other than changing the jail from an
>>> implied "ip6=new" with a specific address to "ip6=inherit"?  What I'd
>>> really like is a yet to be invented "ip6=new+multicast".
>>>
>>> Using "ip6=inherit" would be OK, adding very little exposure (mostly
>>> DoS attack exposure).  It would be nice if "ip6=inherit" were
>>> supported in the rc.d/jail framework.
>>>
>>> Before I go changing anything I'm asking whether allowing the
>>> multicast join and then not passing multicast to the jail is
>>> considered a bug and how it should behave (the join should have failed
>>> or the packets should have arrived).  If the best workaround for now
>>> is "ip6=inherit" would adding jail_<jailname>_ip[46] variables to the
>>> rc files be viewed as a good solution (with a comment in
>>> /etc/defaults/rc.conf indicating that the interaction between setting
>>> addressing using _ip and _ip_multi and setting _ip4 or _ip6 (setting
>>> an address for each family forces "ip[46]=net" for that AF.
>>>
>>> Curtis
>>
>> Offhand, it does sound like a bug. I imagine the solution would be to
>> reject the join - at least the easy solution to be done first until
>> something more complicated can be done to make jails play nice with
>> multicast.
>>
>> - Jamie
>
>
> Jamie,
>
> Certainly not the preferred solution.  Best would be a
> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
> and accepting the join and passing in multicast if 1.  Same for v4,
> though not of immediate concern since DHCPv4 doesn't need it.
>
> If you (or someone) would like to point me in the right direction, I
> would be willing to put some time into learning the relevant code and
> proposing a fix.  No promises, but I can put some time into it.  Off
> list if you prefer.
>
> Curtis

It'll have to be someone besides me - I don't know enough about
multicast myself to be able to do more than keep it out of jails.

- Jamie
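The symptom in this thread is that the IPV6_JOIN_GROUP join succeeds inside the jail while the ff02::1:2 traffic only shows up on the host. The small probe below is an added example (not code from the thread, from ISC dhcpd, or from FreeBSD) that reproduces the relevant part of dhcpd's setup and separates "join refused" from "join accepted, no traffic": it classifies the group address, builds the ipv6_mreq the way the quoted dhcpd code does, binds *.<port>, joins the group, and waits for one datagram. Running it once in the jail and once on the host gives a concrete before/after check for any fix to the jail networking code. The group, interface and port are command-line arguments; the defaults (ff02::1:2, kernel-chosen interface, port 547, the DHCPv6 server port) are this example's own assumptions, as is the ten-second wait.

```c
/* mc6probe.c: added example, not from the thread, ISC dhcpd or FreeBSD.
 * usage: ./mc6probe [group] [ifname] [port]
 * Exit 0 when the join was accepted (with or without traffic), 1 on error. */
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Classification of a textual IPv6 address; link-local multicast is the
 * case that depends on a single interface and so on what the jail can see. */
enum group_kind { GK_INVALID = 0, GK_NOT_MULTICAST = 1, GK_MULTICAST = 2, GK_LINKLOCAL_MC = 3 };

enum group_kind classify_group(const char *text)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1)
        return GK_INVALID;
    if (!IN6_IS_ADDR_MULTICAST(&a))
        return GK_NOT_MULTICAST;
    return IN6_IS_ADDR_MC_LINKLOCAL(&a) ? GK_LINKLOCAL_MC : GK_MULTICAST;
}

/* Fill mreq for group/ifname, mirroring the quoted dhcpd code. ifname NULL
 * leaves the index at 0 (kernel picks an interface). Returns 0 on success,
 * -1 for an invalid or non-multicast group, -2 for an unknown interface. */
int build_mreq(const char *group, const char *ifname, struct ipv6_mreq *mreq)
{
    memset(mreq, 0, sizeof *mreq);
    if (classify_group(group) < GK_MULTICAST)
        return -1;
    inet_pton(AF_INET6, group, &mreq->ipv6mr_multiaddr);
    if (ifname != NULL) {
        mreq->ipv6mr_interface = if_nametoindex(ifname);
        if (mreq->ipv6mr_interface == 0)
            return -2;
    }
    return 0;
}

/* Returns 1 if a datagram arrived, 0 if the join was accepted but nothing
 * arrived within timeout_sec, -1 on error (errno kept; *step names the
 * failing call so "join refused" and "bind failed" can be told apart). */
int join_and_probe(const char *group, const char *ifname, unsigned short port,
                   int timeout_sec, const char **step)
{
    struct ipv6_mreq mreq;
    struct sockaddr_in6 sin6;
    struct timeval tv = { timeout_sec, 0 };
    fd_set rfds;
    int sock, on = 1, rc = -1, saved;

    *step = "build_mreq";
    if (build_mreq(group, ifname, &mreq) != 0)
        return -1;
    *step = "socket";
    if ((sock = socket(AF_INET6, SOCK_DGRAM, 0)) < 0)
        return -1;
    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);

    memset(&sin6, 0, sizeof sin6);
    sin6.sin6_family = AF_INET6;
    sin6.sin6_port = htons(port);
    sin6.sin6_addr = in6addr_any;                 /* binds *.<port>, as dhcpd does */
    *step = "bind";
    if (bind(sock, (struct sockaddr *)&sin6, sizeof sin6) < 0)
        goto out;
    *step = "IPV6_JOIN_GROUP";
    if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof mreq) < 0)
        goto out;

    FD_ZERO(&rfds);
    FD_SET(sock, &rfds);
    *step = "select";
    rc = select(sock + 1, &rfds, NULL, NULL, &tv);
    if (rc > 0) {
        char buf[1500];
        *step = "recv";
        rc = recv(sock, buf, sizeof buf, 0) >= 0 ? 1 : -1;
    } else if (rc == 0) {
        *step = "timeout";                        /* join accepted, no traffic */
    } else {
        rc = -1;
    }
out:
    saved = errno;
    close(sock);
    errno = saved;
    return rc;
}

int main(int argc, char **argv)
{
    const char *group = argc > 1 ? argv[1] : "ff02::1:2";   /* All_DHCP_Relay_Agents_and_Servers */
    const char *ifname = argc > 2 ? argv[2] : NULL;
    unsigned short port = argc > 3 ? (unsigned short)atoi(argv[3]) : 547;
    const char *step = "";
    int rc;

    if (classify_group(group) == GK_LINKLOCAL_MC)
        printf("note: %s is link-local scope; the join applies to one interface only\n", group);
    rc = join_and_probe(group, ifname, port, 10, &step);
    if (rc == 1)
        printf("join accepted and a datagram arrived on port %u\n", port);
    else if (rc == 0)
        printf("join accepted but nothing arrived within 10s (step: %s)\n", step);
    else
        printf("failed at %s: %s\n", step, strerror(errno));
    return rc < 0 ? 1 : 0;
}
```

If the kernel is changed to reject the join, as suggested above, this probe reports "failed at IPV6_JOIN_GROUP" inside the jail; if delivery is fixed instead, it reports a received datagram whenever a DHCPv6 client solicits on the link.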
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"