Date: Mon, 20 Aug 2012 19:24:06 +0800
From: "Mars G. Miro" <spry@anarchy.in.the.ph>
To: curtis@occnc.com
Cc: freebsd-jail@freebsd.org
Subject: Re: IPv6 multicast sent to jail
Message-ID: <50321E56.3080906@anarchy.in.the.ph>
In-Reply-To: <201208191735.q7JHZDti072004@gateway2.orleans.occnc.com>
References: <201208191735.q7JHZDti072004@gateway2.orleans.occnc.com>

On 08/20/12 01:35, Curtis Villamizar wrote:
> I'm trying to run isc-dhcpd using dhcpd -6 in a jail.  No luck.
>
> The following code is run in the jail and doesn't fail.
>
>     if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
>                   &mreq.ipv6mr_multiaddr) <= 0) {
>         log_fatal("inet_pton: unable to convert '%s'",
>                   All_DHCP_Relay_Agents_and_Servers);
>     }
>     mreq.ipv6mr_interface = if_nametoindex(info->name);
>     if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
>                    &mreq, sizeof(mreq)) < 0) {
>         log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
>     }
>
> where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".
>
> Later dhcpd binds to *.517 which can be seen in netstat -an.
>
> Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
> jailee) using tcpdump, but no packets are received by the jailee.
>
> When the same command is run from the jailer using a chroot to the
> jailee directory, the multicast packets are received.
>

Probably because there is no bpf in a default jail? Try making bpf
visible in the jail via devfs.

> Is there a solution to this other than changing the jail from an
> implied "ip6=new" with a specific address to "ip6=inherit".  What I'd
> really like is a yet to be invented "ip6=new+multicast".
>
> Using "ip6=inherit" would be OK, adding very little exposure (mostly
> DoS attack exposure).  It would be nice if "ip6=inherit" were
> supported in the rc.d/jail framework.
>
> Before I go changing anything I'm asking whether allowing the
> multicast join and then not passing multicast to the jail is
> considered a bug and how it should behave (the join should have failed
> or the packets should have arrived).  If the best workaround for now
> is "ip6=inherit" would adding jail_<jailname>_ip[46] variables to the
> rc files be viewed as a good solution (with a comment in
> /etc/defaults/rc.conf indicating that the interaction between setting
> addressing using _ip and _ip_multi and setting _ip4 or _ip6 (setting
> an address for each family forces "ip[46]=net" for that AF.
>
> Curtis
>
>
> btw- not subscribed to freebsd-jail so please leave me on the Cc.
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

-- 
When I was crossing the border into Canada, they asked if
I had any firearms with me. I said, "Well, what do you need?"
    -- Steven Wright
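
An added diagnostic, not part of the original message and not code from ISC dhcpd: it repeats the join quoted above and then waits on the socket, so the case reported in this thread (the join succeeds but nothing is delivered) is told apart from a failed join. The names `build_mreq`, `probe_group` and the `probe_result` values are hypothetical; group, interface and port are supplied by the caller.

```c
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>
/* Added example; every name defined below is hypothetical, not taken from dhcpd. */
enum probe_result { PROBE_OK, PROBE_RECEIVED, PROBE_JOINED_SILENT, PROBE_JOIN_FAILED,
                    PROBE_BAD_IFACE, PROBE_BAD_GROUP, PROBE_SOCKET_ERROR };

/* Build the join request; reject anything that is not an IPv6 multicast address. */
enum probe_result build_mreq(const char *group, const char *ifname, struct ipv6_mreq *mreq)
{
    if (inet_pton(AF_INET6, group, &mreq->ipv6mr_multiaddr) != 1 ||
        !IN6_IS_ADDR_MULTICAST(&mreq->ipv6mr_multiaddr))
        return PROBE_BAD_GROUP;
    mreq->ipv6mr_interface = if_nametoindex(ifname);
    return mreq->ipv6mr_interface ? PROBE_OK : PROBE_BAD_IFACE;
}

/* Bind, join, then wait: a join that succeeds but never delivers is reported separately. */
enum probe_result probe_group(const char *group, const char *ifname, unsigned short port, int secs)
{
    struct ipv6_mreq mreq;
    enum probe_result r = build_mreq(group, ifname, &mreq);
    if (r != PROBE_OK) return r;
    struct sockaddr_in6 sa = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    int sock = socket(AF_INET6, SOCK_DGRAM, 0);
    if (sock < 0) return PROBE_SOCKET_ERROR;
    if (bind(sock, (struct sockaddr *)&sa, sizeof(sa)) < 0) r = PROBE_SOCKET_ERROR;
    else if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) < 0)
        r = PROBE_JOIN_FAILED;
    else {
        fd_set rfds; FD_ZERO(&rfds); FD_SET(sock, &rfds);
        struct timeval tv = { .tv_sec = secs };
        r = select(sock + 1, &rfds, NULL, NULL, &tv) > 0 ? PROBE_RECEIVED : PROBE_JOINED_SILENT;
    }
    close(sock);
    return r;
}

int main(int argc, char **argv)
{
    if (argc != 4) return 2;            /* usage: probe <group> <ifname> <port> */
    enum probe_result r = probe_group(argv[1], argv[2], (unsigned short)atoi(argv[3]), 10);
    printf("probe result: %d\n", r);    /* 1 = packet received, 2 = joined but silent */
    return r == PROBE_RECEIVED ? 0 : 1;
}
```

Run inside the jail while tcpdump on the host shows traffic to the group, a result of 2 matches the behaviour described in the quoted report.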