Date: Mon, 17 Mar 2003 18:55:44 +1100
From: Peter Jeremy
To: "."@babolo.ru
Cc: Mooneer Salem, freebsd-hackers@FreeBSD.ORG
Subject: Re: jail support for ping, traceroute, etc.. crude hack
Message-ID: <20030317075544.GA1032@cirb503493.alcatel.com.au>

On Mon, Mar 17, 2003 at 10:06:27AM +0300, "."@babolo.ru wrote:
>It is time to invent "ping socket" and "traceroute socket"
>in addition to tcp, udp, divert and so on?

Whilst this might seem nice, actually implementing it so that it is both useful and safe is not easy.

For a "ping socket", this is reasonably easy if all you want is the ability to send "ICMP ECHO REQUEST" packets and receive any "ICMP ECHO REPLY" packets associated with previous request packets. It's not totally trivial because the kernel has to keep the state for outgoing packets to ensure that only the correct incoming packets are forwarded. (This is a security issue - you don't want someone finding out hosts someone outside that jail is pinging). Remember to allow for multiple responses to a single request and for long delays. You might also want to implement resource restrictions to prevent someone flooding the system with request packets.

A "traceroute socket" is harder: There's no "ICMP TRACEROUTE" packet. Instead, traceroute(8) sends outgoing IP packets with varying TTL sizes and monitors incoming ICMP looking for "HOST UNREACHABLE - TIME EXCEEDED IN TRANSIT" packets. Again, the kernel would need to validate the incoming packets against outgoing packets.

In both cases, you also need to work out how to handle other random ICMP packets that may be received as a result of the outgoing packets.

Peter
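
The reply-matching state the message above describes for a "ping socket", as an added C sketch that is not part of the original post and is not FreeBSD code. It is a userland model: the function names, table size, per-jail limit and lifetime are all assumptions, and it only covers replies that come back from the address that was pinged.

```c
/* Added sketch, not FreeBSD code: all names and limits are hypothetical. */
#include <stdint.h>
#include <string.h>
#define PS_SLOTS     64   /* table size (assumed) */
#define PS_PER_JAIL  4    /* outstanding requests allowed per jail (assumed) */
#define PS_LIFETIME  30   /* seconds a late reply is still accepted (assumed) */

struct ps_req { int used, jail; uint32_t dst; uint16_t id, seq; long sent; };
static struct ps_req ps_tab[PS_SLOTS];
void ps_reset(void) { memset(ps_tab, 0, sizeof(ps_tab)); }

/* Drop expired entries; return how many live requests 'jail' still holds. */
static int ps_expire(int jail, long now)
{
    int live = 0;
    for (int i = 0; i < PS_SLOTS; i++) {
        if (ps_tab[i].used && now - ps_tab[i].sent > PS_LIFETIME)
            ps_tab[i].used = 0;
        if (ps_tab[i].used && ps_tab[i].jail == jail)
            live++;
    }
    return live;
}

/* Record an outgoing ECHO REQUEST; 0 if accepted, -1 if refused. */
int ps_send(int jail, uint32_t dst, uint16_t id, uint16_t seq, long now)
{
    if (ps_expire(jail, now) >= PS_PER_JAIL)
        return -1;                      /* per-jail resource restriction */
    for (int i = 0; i < PS_SLOTS; i++)
        if (!ps_tab[i].used) {
            ps_tab[i] = (struct ps_req){ 1, jail, dst, id, seq, now };
            return 0;
        }
    return -1;                          /* table full */
}

/* 1 if an incoming ECHO REPLY (src, id, seq) may be passed to 'jail'. */
int ps_deliver(int jail, uint32_t src, uint16_t id, uint16_t seq, long now)
{
    ps_expire(jail, now);
    for (int i = 0; i < PS_SLOTS; i++) {
        const struct ps_req *r = &ps_tab[i];
        /* The entry stays after a match, so duplicate replies still pass. */
        if (r->used && r->jail == jail && r->dst == src &&
            r->id == id && r->seq == seq)
            return 1;
    }
    return 0;
}
```

A reply is handed to a jail only while that jail holds a matching, unexpired request, so a jail never learns which hosts are being pinged from outside it.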