From owner-freebsd-jail@FreeBSD.ORG Wed Sep 5 19:14:41 2012
Delivered-To: freebsd-jail@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6CD93106564A;
	Wed, 5 Sep 2012 19:14:41 +0000 (UTC)
	(envelope-from curtis@occnc.com)
Received: from gateway2.orleans.occnc.com (gateway2.orleans.occnc.com [IPv6:2001:470:1f07:1545::1:145])
	by mx1.freebsd.org (Postfix) with ESMTP id 0B4378FC14;
	Wed, 5 Sep 2012 19:14:40 +0000 (UTC)
Received: from harbor2.ipv6.occnc.com (harbor2.ipv6.occnc.com [IPv6:2001:470:1f07:1545::1:404])
	(authenticated bits=0)
	by gateway2.orleans.occnc.com (8.14.5/8.14.5) with ESMTP id q85JEdGR058616;
	Wed, 5 Sep 2012 15:14:39 -0400 (EDT)
	(envelope-from curtis@occnc.com)
Message-Id: <201209051914.q85JEdGR058616@gateway2.orleans.occnc.com>
To: "Bjoern A. Zeeb"
From: Curtis Villamizar
In-reply-to: Your message of "Mon, 03 Sep 2012 12:21:03 -0000."
Date: Wed, 05 Sep 2012 15:14:39 -0400
Cc: freebsd-jail@FreeBSD.org, Jamie Gritton, curtis@occnc.com
Subject: Re: IPv6 multicast sent to jail
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: curtis@occnc.com
List-Id: "Discussion about FreeBSD jail\(8\)"
X-List-Received-Date: Wed, 05 Sep 2012 19:14:41 -0000

In message "Bjoern A. Zeeb" writes:

> On Sat, 25 Aug 2012, Jamie Gritton wrote:
>
> ...
> >>>> Curtis
> >>>
> >>> Offhand, it does sound like a bug. I imagine the solution would be to
> >>> reject the join - at least the easy solution to be done first until
> >>> something more complicated can be done to make jails play nice with
> >>> multicast.
> >>>
> >>> - Jamie
> >>
> >>
> >> Jamie,
> >>
> >> Certainly not the preferred solution. Best would be a
> >> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
> >> and accepting the join and passing in multicast if 1. Same for v4,
> >> though not of immediate concern since DHCPv4 doesn't need it.
> >>
> >> If you (or someone) would like to point me in the right direction, I
> >> would be willing to put some time into learning the relevant code and
> >> proposing a fix. No promises, but I can put some time into it. Off
> >> list if you prefer.
> >>
> >> Curtis
> >
> > It'll have to be someone besides me - I don't know enough about
> > multicast myself to be able to do more than keep it out of jails.
>
> sysctl sounds bad to me; I think it should actually be grouped by
> ip4.* and ip6.*. What do we currently do for raw sockets? Can we
> have a third level easily, as in ip4.raw.*, ip6.mc.*, ... which of
> course would kill the classic "allow" thing for raw sockets maybe?
>
> /bz

For raw sockets the sysctl variable is:

  security.jail.allow_raw_sockets

One sysctl variable for both inet and inet6 AF.

Perhaps a reasonable name would be:

  security.jail.ip4.allow_multicast
  security.jail.ip6.allow_multicast

Just to be clear, I was hoping to get some help if I were to make an
attempt to allow ipv6 multicast through, though I suspect that the code
would be very similar for ipv4.

Curtis

> --
> Bjoern A. Zeeb                                 You have to have visions!
>    Stop bit received. Insert coin for new address family.