From owner-freebsd-jail@FreeBSD.ORG Wed Sep 5 22:51:16 2012
Date: Wed, 5 Sep 2012 22:51:10 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Curtis Villamizar
Cc: freebsd-jail@FreeBSD.org, Jamie Gritton
Subject: Re: IPv6 multicast sent to jail
In-Reply-To: <201209051914.q85JEdGR058616@gateway2.orleans.occnc.com>
References: <201209051914.q85JEdGR058616@gateway2.orleans.occnc.com>
List-Id: "Discussion about FreeBSD jail(8)"

On Wed, 5 Sep 2012, Curtis Villamizar wrote:

> In message
> "Bjoern A. Zeeb" writes:
>
>> On Sat, 25 Aug 2012, Jamie Gritton wrote:
>>
>> ...
>>>>>> Curtis
>>>>>
>>>>> Offhand, it does sound like a bug. I imagine the solution would be to
>>>>> reject the join - at least the easy solution to be done first until
>>>>> something more complicated can be done to make jails play nice with
>>>>> multicast.
>>>>>
>>>>> - Jamie
>>>>
>>>>
>>>> Jamie,
>>>>
>>>> Certainly not the preferred solution. Best would be a
>>>> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
>>>> and accepting the join and passing in multicast if 1. Same for v4,
>>>> though not of immediate concern since DHCPv4 doesn't need it.
>>>>
>>>> If you (or someone) would like to point me in the right direction, I
>>>> would be willing to put some time into learning the relevant code and
>>>> proposing a fix. No promises, but I can put some time into it. Off
>>>> list if you prefer.
>>>>
>>>> Curtis
>>>
>>> It'll have to be someone besides me - I don't know enough about
>>> multicast myself to be able to do more than keep it out of jails.
>>
>> sysctl sounds bad to me; I think it should actually be grouped by
>> ip4.* and ip6.*. What do we currently do for raw sockets? Can we
>> have a third level easily, as in ip4.raw.*, ip6.mc.*, ... which of
>> course would kill the classic "allow" thing for raw sockets maybe?
>>
>> /bz
>
> For raw sockets the sysctl variable is:
>
> security.jail.allow_raw_sockets
>
> One sysctl variable for both inet and inet6 AF. Perhaps a reasonable
> name would be:
>
> security.jail.ip4.allow_multicast
> security.jail.ip6.allow_multicast
>
> Just to be clear, I was hoping to get some help if I were to make an
> attempt to allow ipv6 multicast through, though I suspect that the
> code would be very similar for ipv4.

The sysctls are mostly not relevant anymore but yes, if we can get these
options we can look at the code. Defaults to off.

I might be able to help on the v6 trailing end.

Jamie, could you prepare the jail options changes for us?

-- 
Bjoern A. Zeeb
You have to have visions!
Stop bit received. Insert coin for new address family.
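The thread above is about whether a jail should accept or reject an IPv6 multicast group join (the case Curtis hit is DHCPv6, which needs to join a multicast group). The following probe is an added example, not code from the thread or from FreeBSD: it builds the `ipv6_mreq` for a group, opens a UDP socket and attempts the `IPV6_JOIN_GROUP` join, reporting the errno the kernel returns, so it can be run inside and outside a jail to compare behaviour. The group `ff02::1:2` (the DHCPv6 relay/server group) and the default interface name `lo0` are assumptions chosen for illustration; which errno a restricting jail returns is not stated in the thread and is not assumed here. The proposed `security.jail.ip4/ip6.allow_multicast` names are only a suggestion in the discussion and are not queried by this program.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill an ipv6_mreq for joining `group` on interface index `ifindex`.
 * Returns 0 on success, -1 if `group` does not parse as an IPv6 address
 * or is not a multicast address (a join of a unicast address is a
 * caller bug, not something to hand to the kernel). */
int build_mreq(const char *group, unsigned ifindex, struct ipv6_mreq *mreq)
{
    memset(mreq, 0, sizeof(*mreq));
    if (inet_pton(AF_INET6, group, &mreq->ipv6mr_multiaddr) != 1)
        return -1;
    if (!IN6_IS_ADDR_MULTICAST(&mreq->ipv6mr_multiaddr))
        return -1;
    mreq->ipv6mr_interface = ifindex;
    return 0;
}

/* Try to join `group` on interface `ifname` from a fresh UDP socket.
 * Returns 0 if the kernel accepted the join, otherwise the errno of the
 * failing step (interface lookup, socket creation, or the join itself).
 * Run this inside and outside a jail to see whether the join is
 * accepted or rejected there; the specific errno is kernel-dependent. */
int probe_join(const char *group, const char *ifname)
{
    struct ipv6_mreq mreq;
    unsigned ifindex = if_nametoindex(ifname);
    if (ifindex == 0)
        return errno ? errno : ENXIO;
    if (build_mreq(group, ifindex, &mreq) != 0)
        return EINVAL;

    int s = socket(AF_INET6, SOCK_DGRAM, 0);
    if (s < 0)
        return errno;
    int rc = setsockopt(s, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq));
    int err = (rc == 0) ? 0 : errno;
    close(s);
    return err;
}

/* Usage: ./probe [group] [ifname]; defaults are assumptions for illustration. */
int main(int argc, char **argv)
{
    const char *group = argc > 1 ? argv[1] : "ff02::1:2"; /* DHCPv6 servers/relays */
    const char *ifname = argc > 2 ? argv[2] : "lo0";
    int err = probe_join(group, ifname);
    if (err == 0)
        printf("join %s on %s: accepted\n", group, ifname);
    else
        printf("join %s on %s: refused (%s)\n", group, ifname, strerror(err));
    return err != 0;
}
```

Running the same binary on the host and inside a jail with the same interface name gives a direct before/after check once the jail option the thread asks for exists; until then it simply shows whatever the running kernel does with the join.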