From: Curtis Villamizar
Reply-To: curtis@occnc.com
To: freebsd-jail@freebsd.org
Cc: curtis@occnc.com
Date: Sun, 19 Aug 2012 13:35:13 -0400
Subject: IPv6 multicast sent to jail
Message-Id: <201208191735.q7JHZDti072004@gateway2.orleans.occnc.com>
List-Id: "Discussion about FreeBSD jail(8)"

I'm trying to run isc-dhcpd using dhcpd -6 in a jail. No luck.

The following code is run in the jail and doesn't fail.

    /* parse the multicast group and pick the interface to join on */
    if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
                  &mreq.ipv6mr_multiaddr) <= 0) {
            log_fatal("inet_pton: unable to convert '%s'",
                      All_DHCP_Relay_Agents_and_Servers);
    }
    mreq.ipv6mr_interface = if_nametoindex(info->name);

    /* join the group on that interface; succeeds inside the jail */
    if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
                   &mreq, sizeof(mreq)) < 0) {
            log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
    }

where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".

Later dhcpd binds to *.517, which can be seen in netstat -an.

Packets to ff02::1:2.517 are seen on the jailer (as opposed to the jailee) using tcpdump, but no packets are received by the jailee. When the same command is run from the jailer using a chroot to the jailee directory, the multicast packets are received.

Is there a solution to this other than changing the jail from an implied "ip6=new" with a specific address to "ip6=inherit"? What I'd really like is a yet to be invented "ip6=new+multicast". Using "ip6=inherit" would be OK, adding very little exposure (mostly DoS attack exposure). It would be nice if "ip6=inherit" were supported in the rc.d/jail framework.

Before I go changing anything, I'm asking whether allowing the multicast join and then not passing multicast to the jail is considered a bug and how it should behave (the join should have failed or the packets should have arrived).

If the best workaround for now is "ip6=inherit", would adding jail__ip[46] variables to the rc files be viewed as a good solution (with a comment in /etc/defaults/rc.conf indicating that the interaction between setting addressing using _ip and _ip_multi and setting _ip4 or _ip6 (setting an address for each family forces "ip[46]=net" for that AF))?

Curtis

btw- not subscribed to freebsd-jail so please leave me on the Cc.
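To compare the two environments described above without running dhcpd itself, here is an added C probe (not the author's code and not from isc-dhcpd) that performs the same FF02::1:2 join on a named interface, binds the wildcard port, and reports whether any datagram arrives within a timeout; running the same binary inside the jail and from a chroot on the jailer shows which one actually receives the multicast. The interface name, the port (547 is the DHCPv6 server port) and the timeout are caller-supplied assumptions.

```c
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Constructed example; same group as dhcpd's All_DHCP_Relay_Agents_and_Servers. */
#define ALL_DHCP_RELAY_AGENTS_AND_SERVERS "FF02::1:2"

/* Fill *mreq for group on ifname: 0 ok, -1 group is not a link-local
 * multicast address, -2 ifname has no interface index (errno is left set). */
int build_join_request(const char *group, const char *ifname, struct ipv6_mreq *mreq)
{
    memset(mreq, 0, sizeof *mreq);
    if (inet_pton(AF_INET6, group, &mreq->ipv6mr_multiaddr) != 1 ||
        !IN6_IS_ADDR_MC_LINKLOCAL(&mreq->ipv6mr_multiaddr))
        return -1;
    mreq->ipv6mr_interface = if_nametoindex(ifname);
    return mreq->ipv6mr_interface ? 0 : -2;
}

/* Bind *:port (what netstat shows as *.port), join the group on ifname and
 * wait up to timeout_s seconds: 1 datagram received, 0 timed out, <0 setup failed. */
int probe_multicast(const char *ifname, unsigned short port, int timeout_s)
{
    struct ipv6_mreq mreq;
    struct sockaddr_in6 sin6;
    struct timeval tv = { timeout_s, 0 };
    char buf[1500];
    int s, rc;
    if (build_join_request(ALL_DHCP_RELAY_AGENTS_AND_SERVERS, ifname, &mreq))
        return -1;
    if ((s = socket(AF_INET6, SOCK_DGRAM, 0)) < 0)
        return -2;
    memset(&sin6, 0, sizeof sin6);           /* sin6_addr stays :: (wildcard) */
    sin6.sin6_family = AF_INET6;
    sin6.sin6_port = htons(port);
    if (bind(s, (struct sockaddr *)&sin6, sizeof sin6) < 0 ||
        setsockopt(s, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof mreq) < 0 ||
        setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0) {
        close(s);
        return -3;
    }
    rc = (int)recv(s, buf, sizeof buf, 0);   /* -1 with EAGAIN on timeout */
    close(s);
    return rc >= 0 ? 1 : 0;
}
```

Call probe_multicast("em0", 547, 10) from a small main (interface name and timeout are placeholders), once inside the jail and once from the chroot; a 1 from the chroot and a 0 from the jail reproduces the behaviour reported above.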