From owner-freebsd-jail@FreeBSD.ORG Sun Aug 19 17:35:15 2012
Message-Id: <201208191735.q7JHZDti072004@gateway2.orleans.occnc.com>
To: freebsd-jail@freebsd.org
From: Curtis Villamizar
Date: Sun, 19 Aug 2012 13:35:13 -0400
Cc: curtis@occnc.com
Subject: IPv6 multicast sent to jail
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: curtis@occnc.com
List-Id: "Discussion about FreeBSD jail\(8\)"
X-List-Received-Date: Sun, 19 Aug 2012 17:35:15 -0000

I'm trying to run isc-dhcpd using dhcpd -6 in a jail.  No luck.

The following code is run in the jail and doesn't fail.

    if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
                  &mreq.ipv6mr_multiaddr) <= 0) {
        log_fatal("inet_pton: unable to convert '%s'",
                  All_DHCP_Relay_Agents_and_Servers);
    }
    mreq.ipv6mr_interface = if_nametoindex(info->name);
    if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
                   &mreq, sizeof(mreq)) < 0) {
        log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
    }

where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".

Later dhcpd binds to *.517 which can be seen in netstat -an.

Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
jailee) using tcpdump, but no packets are received by the jailee.

When the same command is run from the jailer using a chroot to the
jailee directory, the multicast packets are received.

Is there a solution to this other than changing the jail from an
implied "ip6=new" with a specific address to "ip6=inherit"?  What I'd
really like is a yet to be invented "ip6=new+multicast".

Using "ip6=inherit" would be OK, adding very little exposure (mostly
DoS attack exposure).  It would be nice if "ip6=inherit" were
supported in the rc.d/jail framework.

Before I go changing anything I'm asking whether allowing the
multicast join and then not passing multicast to the jail is
considered a bug and how it should behave (the join should have failed
or the packets should have arrived).
If the best workaround for now is "ip6=inherit", would adding
jail__ip[46] variables to the rc files be viewed as a good solution
(with a comment in /etc/defaults/rc.conf indicating the interaction
between setting addressing using _ip and _ip_multi and setting _ip4 or
_ip6: setting an address for each family forces "ip[46]=net" for that
AF)?

Curtis


btw- not subscribed to freebsd-jail so please leave me on the Cc.

From owner-freebsd-jail@FreeBSD.ORG Mon Aug 20 11:07:50 2012
Date: Mon, 20 Aug 2012 11:07:49 GMT
Message-Id: <201208201107.q7KB7nmd047807@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
X-List-Received-Date: Mon, 20 Aug 2012 11:07:50 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/169751  jail   [jail] reading routing information does not work in ja
o bin/167911   jail   new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail   [jail] inter-jail communication failure
o docs/156853  jail   [patch] Update docs: jail(8) security issues with worl
o kern/156111  jail   [jail] procstat -b not supported in jail
o misc/155765  jail   [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail   [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail   [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail   [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail   [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

14 problems total.
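As an added diagnostic for the problem Curtis reports at the top of the thread (my code, not the thread's and not ISC dhcpd's): it performs the same IPV6_JOIN_GROUP on FF02::1:2 that the dhcpd fragment does, binds UDP port 547 (the standard DHCPv6 server port, assumed here; Curtis's netstat line shows 517) and waits ten seconds, so a join that works can be told apart from one that is accepted but never delivers anything. Run it as root inside the jail and then on the host, giving the interface name as the only argument.

```c
/* jail6mcast-check.c: added diagnostic, not from the thread or ISC dhcpd.
 * Joins FF02::1:2 on one interface, binds UDP port 547 and waits for a
 * datagram; join OK + timeout is the "accepted but not delivered" state. */
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define ALL_DHCP_RELAY_AGENTS_AND_SERVERS "FF02::1:2"
#define DHCPV6_SERVER_PORT 547 /* assumed: the standard DHCPv6 server port */

/* Build the ipv6_mreq; -1 if the text is not an IPv6 multicast address. */
int build_mreq(const char *group, unsigned ifindex, struct ipv6_mreq *mreq)
{
    memset(mreq, 0, sizeof(*mreq));
    if (inet_pton(AF_INET6, group, &mreq->ipv6mr_multiaddr) != 1 ||
        !IN6_IS_ADDR_MULTICAST(&mreq->ipv6mr_multiaddr))
        return -1;
    mreq->ipv6mr_interface = ifindex;
    return 0;
}

/* 1 if `group` parses as a joinable IPv6 multicast address, else 0. */
int group_is_joinable(const char *group)
{
    struct ipv6_mreq mreq;
    return build_mreq(group, 0, &mreq) == 0;
}

/* Socket + IPV6_JOIN_GROUP + bind.  Returns the fd, or -1 with errno set and
 * *step naming the call that failed. */
int open_listener(const char *group, unsigned ifindex, int port, const char **step)
{
    struct ipv6_mreq mreq;
    struct sockaddr_in6 sin6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    int fd;

    *step = "build_mreq";
    if (build_mreq(group, ifindex, &mreq) < 0) { errno = EINVAL; return -1; }
    *step = "socket";
    if ((fd = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) return -1;
    *step = "IPV6_JOIN_GROUP"; /* the call that "succeeds" inside the jail */
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == 0) {
        *step = "bind";
        if (bind(fd, (struct sockaddr *)&sin6, sizeof(sin6)) == 0) return fd;
    }
    close(fd);
    return -1;
}

/* Wait up to `secs` for one datagram: 1 = received (sender stored in `from`),
 * 0 = timeout, -1 = error. */
int wait_for_datagram(int fd, int secs, char *from, size_t fromlen)
{
    struct timeval tv = { secs, 0 };
    struct sockaddr_in6 peer;
    socklen_t plen = sizeof(peer);
    char buf[1500];

    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
    if (recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *)&peer, &plen) < 0)
        return (errno == EAGAIN || errno == EWOULDBLOCK) ? 0 : -1;
    inet_ntop(AF_INET6, &peer.sin6_addr, from, fromlen);
    return 1;
}

int main(int argc, char **argv)
{
    const char *step;
    char from[INET6_ADDRSTRLEN];
    unsigned ifindex = argc == 2 ? if_nametoindex(argv[1]) : 0;
    int fd, rc;

    if (ifindex == 0) { fprintf(stderr, "usage: %s <interface>\n", argv[0]); return 2; }
    fd = open_listener(ALL_DHCP_RELAY_AGENTS_AND_SERVERS, ifindex, DHCPV6_SERVER_PORT, &step);
    if (fd < 0) { fprintf(stderr, "%s: %s\n", step, strerror(errno)); return 2; }
    printf("joined %s on %s, waiting 10s on port %d\n",
           ALL_DHCP_RELAY_AGENTS_AND_SERVERS, argv[1], DHCPV6_SERVER_PORT);
    rc = wait_for_datagram(fd, 10, from, sizeof(from));
    if (rc == 1) printf("datagram from %s: multicast is delivered here\n", from);
    else if (rc == 0) printf("timeout: join accepted but no multicast delivered here\n");
    else perror("recvfrom");
    close(fd);
    return rc == 1 ? 0 : 1;
}
```

Exit status 0 means a datagram arrived, 1 means the join was accepted but nothing was delivered within the timeout, and 2 names the call that failed.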
From owner-freebsd-jail@FreeBSD.ORG Mon Aug 20 11:24:12 2012
Message-ID: <50321E56.3080906@anarchy.in.the.ph>
Date: Mon, 20 Aug 2012 19:24:06 +0800
From: "Mars G. Miro"
To: curtis@occnc.com
Cc: freebsd-jail@freebsd.org
References: <201208191735.q7JHZDti072004@gateway2.orleans.occnc.com>
In-Reply-To: <201208191735.q7JHZDti072004@gateway2.orleans.occnc.com>
Subject: Re: IPv6 multicast sent to jail
X-List-Received-Date: Mon, 20 Aug 2012 11:24:13 -0000

On 08/20/12 01:35, Curtis Villamizar wrote:
> I'm trying to run isc-dhcpd using dhcpd -6 in a jail.  No luck.
>
> The following code is run in the jail and doesn't fail.
>
>     if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
>                   &mreq.ipv6mr_multiaddr) <= 0) {
>         log_fatal("inet_pton: unable to convert '%s'",
>                   All_DHCP_Relay_Agents_and_Servers);
>     }
>     mreq.ipv6mr_interface = if_nametoindex(info->name);
>     if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
>                    &mreq, sizeof(mreq)) < 0) {
>         log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
>     }
>
> where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".
>
> Later dhcpd binds to *.517 which can be seen in netstat -an.
>
> Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
> jailee) using tcpdump, but no packets are received by the jailee.
>
> When the same command is run from the jailer using a chroot to the
> jailee directory, the multicast packets are received.
>

Probably because there is no bpf in a default jail?  Try making bpf
visible in the jail via devfs.

> Is there a solution to this other than changing the jail from an
> implied "ip6=new" with a specific address to "ip6=inherit"?
> What I'd really like is a yet to be invented "ip6=new+multicast".
>
> Using "ip6=inherit" would be OK, adding very little exposure (mostly
> DoS attack exposure).  It would be nice if "ip6=inherit" were
> supported in the rc.d/jail framework.
>
> Before I go changing anything I'm asking whether allowing the
> multicast join and then not passing multicast to the jail is
> considered a bug and how it should behave (the join should have failed
> or the packets should have arrived).  If the best workaround for now
> is "ip6=inherit", would adding jail__ip[46] variables to the
> rc files be viewed as a good solution (with a comment in
> /etc/defaults/rc.conf indicating the interaction between setting
> addressing using _ip and _ip_multi and setting _ip4 or _ip6: setting
> an address for each family forces "ip[46]=net" for that AF)?
>
> Curtis
>
>
> btw- not subscribed to freebsd-jail so please leave me on the Cc.
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

-- 
When I was crossing the border into Canada, they asked if I had any
firearms with me.  I said, "Well, what do you need?"
-- Steven Wright

From owner-freebsd-jail@FreeBSD.ORG Tue Aug 21 22:20:08 2012
Message-ID: <503402FE.9080103@FreeBSD.org>
Date: Tue, 21 Aug 2012 15:51:58 -0600
From: Jamie Gritton
To: curtis@occnc.com
Cc: freebsd-jail@FreeBSD.org
References: <201208191735.q7JHZDti072004@gateway2.orleans.occnc.com>
In-Reply-To: <201208191735.q7JHZDti072004@gateway2.orleans.occnc.com>
Subject: Re: IPv6 multicast sent to jail
X-List-Received-Date: Tue, 21 Aug 2012 22:20:08 -0000

On 08/19/12 11:35, Curtis Villamizar wrote:
> I'm trying to run isc-dhcpd using dhcpd -6 in a jail.  No luck.
>
> The following code is run in the jail and doesn't fail.
>
>     if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
>                   &mreq.ipv6mr_multiaddr) <= 0) {
>         log_fatal("inet_pton: unable to convert '%s'",
>                   All_DHCP_Relay_Agents_and_Servers);
>     }
>     mreq.ipv6mr_interface = if_nametoindex(info->name);
>     if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
>                    &mreq, sizeof(mreq)) < 0) {
>         log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
>     }
>
> where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".
>
> Later dhcpd binds to *.517 which can be seen in netstat -an.
>
> Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
> jailee) using tcpdump, but no packets are received by the jailee.
>
> When the same command is run from the jailer using a chroot to the
> jailee directory, the multicast packets are received.
>
> Is there a solution to this other than changing the jail from an
> implied "ip6=new" with a specific address to "ip6=inherit"?  What I'd
> really like is a yet to be invented "ip6=new+multicast".
>
> Using "ip6=inherit" would be OK, adding very little exposure (mostly
> DoS attack exposure).
> It would be nice if "ip6=inherit" were
> supported in the rc.d/jail framework.
>
> Before I go changing anything I'm asking whether allowing the
> multicast join and then not passing multicast to the jail is
> considered a bug and how it should behave (the join should have failed
> or the packets should have arrived).  If the best workaround for now
> is "ip6=inherit", would adding jail__ip[46] variables to the
> rc files be viewed as a good solution (with a comment in
> /etc/defaults/rc.conf indicating the interaction between setting
> addressing using _ip and _ip_multi and setting _ip4 or _ip6: setting
> an address for each family forces "ip[46]=net" for that AF)?
>
> Curtis

Offhand, it does sound like a bug.  I imagine the solution would be to
reject the join - at least the easy solution to be done first until
something more complicated can be done to make jails play nice with
multicast.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Thu Aug 23 01:47:24 2012
Message-ID: <50358B9F.5010008@FreeBSD.org>
Date: Wed, 22 Aug 2012 19:47:11 -0600
From: Jamie Gritton
To: Oleg Ginzburg
Cc: FreeBSD-Jail
References: <201208211849.q7LInOA1000229@red.freebsd.org>
In-Reply-To: <201208211849.q7LInOA1000229@red.freebsd.org>
Subject: Re: misc/170832: jail v2 loses a binding of ip which sets after ips with /"network prefix"
X-List-Received-Date: Thu, 23 Aug 2012 01:47:24 -0000

On 08/21/12 12:49, Oleg Ginzburg wrote:
>> Number:         170832
>> Category:       misc
>> Synopsis:       jail v2 loses a binding of ip which sets after ips with /"network prefix"
>> Confidential:   no
>> Severity:       non-critical
>> Priority:       low
>> Responsible:    freebsd-bugs
>> State:          open
>> Quarter:
>> Keywords:
>> Date-Required:
>> Class:          sw-bug
>> Submitter-Id:   current-users
>> Arrival-Date:   Tue Aug 21 18:50:10 UTC 2012
>> Closed-Date:
>> Last-Modified:
>> Originator:     Oleg Ginzburg
>> Release:        9.1-PRERELEASE, 10-CURRENT
>> Organization:
>> Environment:
> FreeBSD cbuilder64.my.domain 10.0-CURRENT FreeBSD 10.0-CURRENT #4 r239330: Thu Aug 16 22:08:12 MSK 2012     root@cbuilder64.my.domain:/usr/obj/usr/src/sys/GENERIC  amd64
>> Description:
> When the jail is created from a config file with multiple IPs, the jail
> loses all IP assignments that come after an IP with a /"network prefix".
> Nevertheless, all IPs are established on the interface with the correct mask.
>> How-To-Repeat:
> Have a jail config with multiple IPs, with a prefix in the list.
> Config sample (we mean that in /usr/jails/jail1 we have a complete
> FreeBSD base environment):
>
> % cat jail1.conf
> jail1 {
>         exec.start = "/bin/sh /etc/rc";
>         exec.stop = "/bin/sh /etc/rc.shutdown";
>         exec.clean;
>         #mount.devfs;
>         host.hostname = "jail1.my.domain";
>         path = "/usr/jails/jail1";
>         allow.raw_sockets;
>         allow.socket_af;
>         allow.chflags;
>         allow.sysvipc;
>         ip4.addr = 10.0.0.1,10.0.0.2,172.17.0.0/16,10.0.0.3;
>         interface="em0";
>         mount.devfs;
>         devfs_ruleset="4";
> }
>
> // Before jail creation, interface em0 has:
> % ifconfig em0 | grep "inet "
>         inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
>
> // Jail start:
> % jail -f jail1.conf -c jail1
> jail1: created
> ..
>
> // done.  Check for IPs on the interface.  172.17.0.0 has the correct mask:
> ifconfig em0 | grep "inet "
>         inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
>         inet 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.1
>         inet 10.0.0.2 netmask 0xffffffff broadcast 10.0.0.2
>         inet 172.17.0.0 netmask 0xffff0000 broadcast 172.17.255.255
>         inet 10.0.0.3 netmask 0xffffffff broadcast 10.0.0.3
>
> // Check for IPs in jls:
> % jls -v
>    JID  Hostname                      Path
>         Name                          State
>         CPUSetID
>         IP Address(es)
>      1  jail1.my.domain               /usr/jails/jail1
>         jail1                         ACTIVE
>         2
>         10.0.0.1
>         10.0.0.2
>         172.17.0.0
>
> We have 10.0.0.1/32, 10.0.0.2/32 and 172.17.0.0/16 but lose 10.0.0.3.

I confused myself on the difference between null-terminated and
length-defined strings, and stuck a '\0' where it didn't belong.  I've
committed the fix to HEAD, and I'll have it in 9.1 next week.  I'm also
including it here for easy consumption :-).

- Jamie

--------------050700040001020402000100
Content-Type: text/plain; name="jail.diff"
Content-Disposition: attachment; filename="jail.diff"

Index: usr.sbin/jail/config.c
===================================================================
--- usr.sbin/jail/config.c	(revision 239600)
+++ usr.sbin/jail/config.c	(revision 239601)
@@ -597,8 +597,7 @@
 				    "ip4.addr: bad netmask \"%s\"", cs);
 				error = -1;
 			}
-			*cs = '\0';
-			s->len = cs - s->s + 1;
+			s->len = cs - s->s;
 		}
 	}
 }
@@ -621,8 +620,7 @@
 				    cs);
 				error = -1;
 			}
-			*cs = '\0';
-			s->len = cs - s->s + 1;
+			s->len = cs - s->s;
 		}
 	}
 }
@@ -714,7 +712,7 @@
 	value = alloca(vallen);
 	cs = value;
 	TAILQ_FOREACH_SAFE(s, &p->val, tq, ts) {
-		strcpy(cs, s->s);
+		memcpy(cs, s->s, s->len);
 		if (ts != NULL) {
 			cs += s->len + 1;
 			cs[-1] = ',';

--------------050700040001020402000100--
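Review bot: in the first hunk of jail.diff (@@ -597,8 +597,7 @@), dropping `*cs = '\0';` means the text at s->s is no longer NUL-terminated where the prefix begins and s->len now counts only the address bytes, so s->s has become a length-delimited string rather than a C string; the memcpy in the last hunk honours that, but any other reader of s->s outside this diff that still calls a str* function on it will run into the "/prefix" tail, and a one-line comment at `s->len = cs - s->s;` saying that s->s is not terminated would keep the next reader from reintroducing the bug. The same applies to the ip6.addr hunk at @@ -621,8 +620,7 @@, which makes the identical change.

Review bot: in the last hunk (@@ -714,7 +712,7 @@), `memcpy(cs, s->s, s->len);` no longer writes the NUL that strcpy did, and on the final element (ts == NULL) the `cs += s->len + 1; cs[-1] = ',';` branch is skipped, so value ends without a terminator unless a line after the loop supplies one; please confirm that a `*cs = '\0';` (or equivalent) follows the TAILQ_FOREACH_SAFE loop and that vallen already counts that byte, otherwise the alloca'd value is read past its end wherever it is used as a string.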

From: Curtis Villamizar
In-reply-to: Your message of "Tue, 21 Aug 2012 15:51:58 MDT." <503402FE.9080103@FreeBSD.org>
Date: Sat, 25 Aug 2012 16:15:31 -0400
Cc: freebsd-jail@FreeBSD.org, curtis@occnc.com
Subject: Re: IPv6 multicast sent to jail
Reply-To: curtis@occnc.com
X-List-Received-Date: Sat, 25 Aug 2012 20:15:34 -0000

In message <503402FE.9080103@FreeBSD.org>
Jamie Gritton writes:

> On 08/19/12 11:35, Curtis Villamizar wrote:
> > I'm trying to run isc-dhcpd using dhcpd -6 in a jail.  No luck.
> >
> > The following code is run in the jail and doesn't fail.
> >
> >     if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
> >                   &mreq.ipv6mr_multiaddr) <= 0) {
> >         log_fatal("inet_pton: unable to convert '%s'",
> >                   All_DHCP_Relay_Agents_and_Servers);
> >     }
> >     mreq.ipv6mr_interface = if_nametoindex(info->name);
> >     if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
> >                    &mreq, sizeof(mreq)) < 0) {
> >         log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
> >     }
> >
> > where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".
> >
> > Later dhcpd binds to *.517 which can be seen in netstat -an.
> >
> > Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
> > jailee) using tcpdump, but no packets are received by the jailee.
> >
> > When the same command is run from the jailer using a chroot to the
> > jailee directory, the multicast packets are received.
> >
> > Is there a solution to this other than changing the jail from an
> > implied "ip6=new" with a specific address to "ip6=inherit"?  What I'd
> > really like is a yet to be invented "ip6=new+multicast".
> >
> > Using "ip6=inherit" would be OK, adding very little exposure (mostly
> > DoS attack exposure).  It would be nice if "ip6=inherit" were
> > supported in the rc.d/jail framework.
> >
> > Before I go changing anything I'm asking whether allowing the
> > multicast join and then not passing multicast to the jail is
> > considered a bug and how it should behave (the join should have failed
> > or the packets should have arrived).  If the best workaround for now
> > is "ip6=inherit", would adding jail__ip[46] variables to the
> > rc files be viewed as a good solution (with a comment in
> > /etc/defaults/rc.conf indicating the interaction between setting
> > addressing using _ip and _ip_multi and setting _ip4 or _ip6: setting
> > an address for each family forces "ip[46]=net" for that AF)?
> >
> > Curtis
>
> Offhand, it does sound like a bug.  I imagine the solution would be to
> reject the join - at least the easy solution to be done first until
> something more complicated can be done to make jails play nice with
> multicast.
>
> - Jamie


Jamie,

Certainly not the preferred solution.  Best would be a
jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
and accepting the join and passing in multicast if 1.  Same for v4,
though not of immediate concern since DHCPv4 doesn't need it.

If you (or someone) would like to point me in the right direction, I
would be willing to put some time into learning the relevant code and
proposing a fix.  No promises, but I can put some time into it.  Off
list if you prefer.
Curtis

From owner-freebsd-jail@FreeBSD.ORG Sat Aug 25 20:45:58 2012
Message-ID: <5039397B.7050205@FreeBSD.org>
Date: Sat, 25 Aug 2012 14:45:47 -0600
From: Jamie Gritton
To: curtis@occnc.com
Cc: freebsd-jail@FreeBSD.org
References: <201208252015.q7PKFVVi009920@gateway2.orleans.occnc.com>
In-Reply-To: <201208252015.q7PKFVVi009920@gateway2.orleans.occnc.com>
Subject: Re: IPv6 multicast sent to jail
X-List-Received-Date: Sat, 25 Aug 2012 20:45:58 -0000

On 08/25/12 14:15, Curtis Villamizar wrote:
> In message <503402FE.9080103@FreeBSD.org>
> Jamie Gritton writes:
>
>> On 08/19/12 11:35, Curtis Villamizar wrote:
>>> I'm trying to run isc-dhcpd using dhcpd -6 in a jail.  No luck.
>>>
>>> The following code is run in the jail and doesn't fail.
>>>
>>>     if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
>>>                   &mreq.ipv6mr_multiaddr) <= 0) {
>>>         log_fatal("inet_pton: unable to convert '%s'",
>>>                   All_DHCP_Relay_Agents_and_Servers);
>>>     }
>>>     mreq.ipv6mr_interface = if_nametoindex(info->name);
>>>     if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
>>>                    &mreq, sizeof(mreq)) < 0) {
>>>         log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
>>>     }
>>>
>>> where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".
>>>
>>> Later dhcpd binds to *.517 which can be seen in netstat -an.
>>>
>>> Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
>>> jailee) using tcpdump, but no packets are received by the jailee.
>>>
>>> When the same command is run from the jailer using a chroot to the
>>> jailee directory, the multicast packets are received.
>>>
>>> Is there a solution to this other than changing the jail from an
>>> implied "ip6=new" with a specific address to "ip6=inherit"?
>>> What I'd really like is a yet to be invented "ip6=new+multicast".
>>>
>>> Using "ip6=inherit" would be OK, adding very little exposure (mostly
>>> DoS attack exposure).  It would be nice if "ip6=inherit" were
>>> supported in the rc.d/jail framework.
>>>
>>> Before I go changing anything I'm asking whether allowing the
>>> multicast join and then not passing multicast to the jail is
>>> considered a bug and how it should behave (the join should have failed
>>> or the packets should have arrived).  If the best workaround for now
>>> is "ip6=inherit", would adding jail__ip[46] variables to the
>>> rc files be viewed as a good solution (with a comment in
>>> /etc/defaults/rc.conf indicating the interaction between setting
>>> addressing using _ip and _ip_multi and setting _ip4 or _ip6: setting
>>> an address for each family forces "ip[46]=net" for that AF)?
>>>
>>> Curtis
>>
>> Offhand, it does sound like a bug.  I imagine the solution would be to
>> reject the join - at least the easy solution to be done first until
>> something more complicated can be done to make jails play nice with
>> multicast.
>>
>> - Jamie
>
>
> Jamie,
>
> Certainly not the preferred solution.  Best would be a
> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
> and accepting the join and passing in multicast if 1.  Same for v4,
> though not of immediate concern since DHCPv4 doesn't need it.
>
> If you (or someone) would like to point me in the right direction, I
> would be willing to put some time into learning the relevant code and
> proposing a fix.  No promises, but I can put some time into it.  Off
> list if you prefer.
>
> Curtis

It'll have to be someone besides me - I don't know enough about
multicast myself to be able to do more than keep it out of jails.
- Jamie

From owner-freebsd-jail@FreeBSD.ORG Sat Aug 25 22:10:05 2012
Message-Id: <201208252210.q7PMA4xh076852@freefall.freebsd.org>
Date: Sat, 25 Aug 2012 22:10:04 GMT
To: freebsd-jail@FreeBSD.org
From: "Johannes Totz"
Reply-To: Johannes Totz
Subject: Re: conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail
X-List-Received-Date: Sat, 25 Aug 2012 22:10:05 -0000

The following reply was made to PR conf/142972; it has been noted by GNATS.

From: "Johannes Totz"
Subject: Re: conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail
Date: Sat, 25 Aug 2012 22:55:30 +0100

Has there been any conclusion to this yet?  How is this supposed to be
handled "properly"?  Just looking through jails and vnet on
stable/9@r237006...