Date:      Sun, 19 Aug 2012 13:35:13 -0400
From:      Curtis Villamizar <curtis@occnc.com>
To:        freebsd-jail@freebsd.org
Cc:        curtis@occnc.com
Subject:   IPv6 multicast sent to jail
Message-ID:  <201208191735.q7JHZDti072004@gateway2.orleans.occnc.com>


I'm trying to run isc-dhcpd using dhcpd -6 in a jail.  No luck.

The following code is run in the jail and doesn't fail.

        /* Parse the group address text into the join request. */
        if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
                      &mreq.ipv6mr_multiaddr) <= 0) {
                log_fatal("inet_pton: unable to convert '%s'",
                          All_DHCP_Relay_Agents_and_Servers);
        }
        /* Join on the interface dhcpd was told to serve (info->name). */
        mreq.ipv6mr_interface = if_nametoindex(info->name);
        if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
                       &mreq, sizeof(mreq)) < 0) {
                log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
        }

where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".

Later dhcpd binds to *.517 which can be seen in netstat -an.

Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
jailee) using tcpdump, but no packets are received by the jailee.

When the same command is run from the jailer using a chroot to the
jailee directory, the multicast packets are received.

Is there a solution to this other than changing the jail from an
implied "ip6=new" with a specific address to "ip6=inherit"?  What I'd
really like is a yet to be invented "ip6=new+multicast".

Using "ip6=inherit" would be OK, adding very little exposure (mostly
DoS attack exposure).  It would be nice if "ip6=inherit" were
supported in the rc.d/jail framework.

Before I go changing anything I'm asking whether allowing the
multicast join and then not passing multicast to the jail is
considered a bug and how it should behave (the join should have failed
or the packets should have arrived).  If the best workaround for now
is "ip6=inherit", would adding jail_<jailname>_ip[46] variables to the
rc files be viewed as a good solution (with a comment in
/etc/defaults/rc.conf indicating the interaction between setting
addressing using _ip and _ip_multi and setting _ip4 or _ip6: setting
an address for each family forces "ip[46]=new" for that AF)?

Curtis


btw- not subscribed to freebsd-jail so please leave me on the Cc.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201208191735.q7JHZDti072004>
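The following is an added standalone probe, not code from isc-dhcpd, FreeBSD or the poster, that reproduces the two steps the message describes (join ff02::1:2 on a named interface, then bind to the wildcard address and wait for a datagram) so the behaviour can be compared inside the jail and from a chroot on the host. It assumes a default interface name of "em0" and uses UDP port 547, the DHCPv6 server port; both are command-line arguments. A return of 0 from probe_multicast means exactly the symptom reported: the join was accepted but nothing was delivered within the timeout. The group_scope helper only classifies the address (ff02::/16 is link-local scope, which is never forwarded off the link), which is useful when checking whether a different group scope behaves the same way.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Multicast scope nibble of an IPv6 group address (2 = link-local,
 * 5 = site-local), or -1 if the text is not an IPv6 multicast address. */
int group_scope(const char *group)
{
    struct in6_addr a;

    if (inet_pton(AF_INET6, group, &a) != 1 || a.s6_addr[0] != 0xff)
        return -1;
    return a.s6_addr[1] & 0x0f;
}

/* Fill in an ipv6_mreq the same way the dhcpd snippet does: group text
 * plus interface index.  Returns 0, or -1 if the text does not parse. */
int build_mreq(const char *group, unsigned ifindex, struct ipv6_mreq *mreq)
{
    memset(mreq, 0, sizeof *mreq);
    if (inet_pton(AF_INET6, group, &mreq->ipv6mr_multiaddr) != 1)
        return -1;
    mreq->ipv6mr_interface = ifindex;
    return 0;
}

/* Bind a UDP socket to [::]:port, join group on ifname, and wait up to
 * timeout_s seconds for one datagram.  Returns bytes received, 0 on
 * timeout (join accepted but nothing delivered), or -1 after printing
 * the step that failed. */
int probe_multicast(const char *group, const char *ifname,
                    unsigned short port, int timeout_s)
{
    struct sockaddr_in6 local, src;
    struct ipv6_mreq mreq;
    struct timeval tv = { timeout_s, 0 };
    socklen_t srclen = sizeof src;
    char buf[1500], text[INET6_ADDRSTRLEN];
    unsigned ifindex = if_nametoindex(ifname);
    int sock, one = 1;
    ssize_t n;

    if (ifindex == 0) {
        perror("if_nametoindex");
        return -1;
    }
    if (build_mreq(group, ifindex, &mreq) < 0) {
        fprintf(stderr, "bad group address: %s\n", group);
        return -1;
    }
    if ((sock = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
        perror("socket");
        return -1;
    }
    setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof one);
    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    memset(&local, 0, sizeof local);
    local.sin6_family = AF_INET6;
    local.sin6_addr = in6addr_any;          /* the same *.port binding as dhcpd */
    local.sin6_port = htons(port);
    if (bind(sock, (struct sockaddr *)&local, sizeof local) < 0) {
        perror("bind");
        close(sock);
        return -1;
    }
    /* The join: this is the call that succeeds inside the jail. */
    if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof mreq) < 0) {
        perror("setsockopt(IPV6_JOIN_GROUP)");
        close(sock);
        return -1;
    }
    setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    n = recvfrom(sock, buf, sizeof buf, 0, (struct sockaddr *)&src, &srclen);
    close(sock);
    if (n < 0) {
        if (errno == EAGAIN || errno == EWOULDBLOCK) {
            printf("joined %s on %s, nothing received in %d s\n",
                   group, ifname, timeout_s);
            return 0;
        }
        perror("recvfrom");
        return -1;
    }
    inet_ntop(AF_INET6, &src.sin6_addr, text, sizeof text);
    printf("received %zd bytes from [%s%%%u]:%u\n", n, text,
           (unsigned)src.sin6_scope_id, ntohs(src.sin6_port));
    return (int)n;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "em0";   /* assumed interface name */
    unsigned short port = argc > 2 ? (unsigned short)atoi(argv[2]) : 547;

    return probe_multicast("ff02::1:2", ifname, port, 10) < 0 ? 1 : 0;
}
```

Run it as root on the jail side and then from a chroot on the jailer while a DHCPv6 client on the same link sends a Solicit (or while tcpdump shows traffic to ff02::1:2); the process that returns 0 while tcpdump sees the packets is the one the kernel is not delivering to.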