Date: Mon, 17 Mar 2003 18:55:44 +1100
From: Peter Jeremy <peterjeremy@optushome.com.au>
To: "."@babolo.ru
Cc: Mooneer Salem <mooneer@translator.cx>, freebsd-hackers@FreeBSD.ORG
Subject: Re: jail support for ping, traceroute, etc.. crude hack
Message-ID: <20030317075544.GA1032@cirb503493.alcatel.com.au>
In-Reply-To: <1047884787.866448.882.nullmailer@cicuta.babolo.ru>
References: <20030317005641.GA8288@puck.nether.net> <1047884787.866448.882.nullmailer@cicuta.babolo.ru>
On Mon, Mar 17, 2003 at 10:06:27AM +0300, "."@babolo.ru wrote:
>It is time to invent "ping socket" and "traceroute socket"
>in addition to tcp, udp, divert and so on?

Whilst this might seem nice, actually implementing it so that it is both useful and safe is not easy.

For a "ping socket", this is reasonably easy if all you want is the ability to send "ICMP ECHO REQUEST" packets and receive any "ICMP ECHO REPLY" packets associated with previous request packets. It's not totally trivial because the kernel has to keep the state for outgoing packets to ensure that only the correct incoming packets are forwarded. (This is a security issue - you don't want someone finding out which hosts someone outside that jail is pinging). Remember to allow for multiple responses to a single request and for long delays. You might also want to implement resource restrictions to prevent someone flooding the system with request packets.

A "traceroute socket" is harder: There's no "ICMP TRACEROUTE" packet. Instead, traceroute(8) sends outgoing IP packets with varying TTL sizes and monitors incoming ICMP looking for "HOST UNREACHABLE - TIME EXCEEDED IN TRANSIT" packets. Again, the kernel would need to validate the incoming packets against outgoing packets.

In both cases, you also need to work out how to handle other random ICMP packets that may be received as a result of the outgoing packets.

Peter
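The state-keeping that the message above describes for a "ping socket" can be sketched as a small userland model. The following is an added illustration written for this page; it is not FreeBSD code and not something from the thread. The socket, functions (ps_send_request, ps_recv_reply), the MAX_PENDING and REPLY_TIMEOUT limits, and the IP addresses are all assumed for the example. It records each outgoing ECHO REQUEST (destination, ICMP id, sequence, send time) per socket, delivers an incoming ECHO REPLY only if it matches one of that socket's own outstanding requests (so a jail cannot see replies to someone else's pings), keeps the matched entry so duplicate replies are still delivered, expires entries after a timeout, and refuses new requests once the per-socket table is full.

```c
/*
 * Added illustration (not FreeBSD code): a userland model of the per-socket
 * state a jail-safe "ping socket" would keep. All names and limits are assumed.
 */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define MAX_PENDING   4   /* resource limit: outstanding requests per socket (assumed) */
#define REPLY_TIMEOUT 10  /* seconds a request stays matchable (assumed) */

struct echo_state {
    uint32_t dst;      /* destination IPv4 address, host byte order */
    uint16_t id;       /* ICMP identifier */
    uint16_t seq;      /* ICMP sequence number */
    uint64_t sent_at;  /* send time in seconds */
    bool     in_use;
};

struct ping_socket {
    struct echo_state pending[MAX_PENDING];
    unsigned delivered;  /* replies handed to the jailed process */
    unsigned dropped;    /* replies that matched no outstanding request */
    unsigned refused;    /* requests refused by the resource limit */
};

/* Forget requests that have waited longer than REPLY_TIMEOUT. */
static void ps_expire(struct ping_socket *ps, uint64_t now)
{
    for (int i = 0; i < MAX_PENDING; i++)
        if (ps->pending[i].in_use && now - ps->pending[i].sent_at > REPLY_TIMEOUT)
            ps->pending[i].in_use = false;
}

/* Record an outgoing ECHO REQUEST. Returns false if the socket is at its limit. */
bool ps_send_request(struct ping_socket *ps, uint32_t dst, uint16_t id,
                     uint16_t seq, uint64_t now)
{
    ps_expire(ps, now);
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!ps->pending[i].in_use) {
            ps->pending[i] = (struct echo_state){ dst, id, seq, now, true };
            return true;
        }
    }
    ps->refused++;
    return false;
}

/*
 * Incoming ECHO REPLY: deliver only if source, id and seq match a request
 * still outstanding on this socket. The entry is deliberately kept after a
 * match so that multiple (duplicate) replies to one request are delivered.
 */
bool ps_recv_reply(struct ping_socket *ps, uint32_t src, uint16_t id,
                   uint16_t seq, uint64_t now)
{
    ps_expire(ps, now);
    for (int i = 0; i < MAX_PENDING; i++) {
        const struct echo_state *e = &ps->pending[i];
        if (e->in_use && e->dst == src && e->id == id && e->seq == seq) {
            ps->delivered++;
            return true;
        }
    }
    ps->dropped++;
    return false;
}

/* Constructed scenario (not captured traffic): one jailed ping plus stray replies. */
struct ping_socket ps_scenario(void)
{
    struct ping_socket ps;
    memset(&ps, 0, sizeof ps);
    const uint32_t target = 0x0a000001;  /* 10.0.0.1, assumed target of the jailed ping */
    const uint32_t other  = 0xc0a80105;  /* 192.168.1.5, pinged by someone outside the jail */

    ps_send_request(&ps, target, 0x1234, 1, 0);
    ps_recv_reply(&ps, target, 0x1234, 1, 1);   /* normal reply: delivered */
    ps_recv_reply(&ps, target, 0x1234, 1, 2);   /* duplicate reply: still delivered */
    ps_recv_reply(&ps, other,  0x1234, 1, 2);   /* same id/seq but wrong host: dropped */
    ps_recv_reply(&ps, target, 0x1234, 2, 2);   /* seq never sent from this socket: dropped */
    ps_recv_reply(&ps, target, 0x1234, 1, 20);  /* arrives after REPLY_TIMEOUT: dropped */

    for (uint16_t seq = 2; seq <= MAX_PENDING + 2; seq++)  /* 5 requests into 4 slots */
        ps_send_request(&ps, target, 0x1234, seq, 20);
    return ps;
}

int main(void)
{
    struct ping_socket ps = ps_scenario();
    printf("delivered=%u dropped=%u refused=%u\n", ps.delivered, ps.dropped, ps.refused);
    return 0;
}
```

The reply path matches on the destination address as well as id and seq, which is what keeps a reply to a host pinged from outside the jail invisible inside it, the property the message calls out as the security issue. A real kernel implementation would additionally have to decide what to do with the other ICMP types (destination unreachable, time exceeded) generated by the same requests, which the model above simply does not accept.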
