Subject: Re: jail support for ping, traceroute, etc.. crude hack
From: "."@babolo.ru
To: Peter Jeremy
Cc: mooneer@translator.cx, freebsd-hackers@FreeBSD.ORG
Date: Mon, 17 Mar 2003 13:57:17 +0300 (MSK)
In-Reply-To: <20030317075544.GA1032@cirb503493.alcatel.com.au>
Message-Id: <1047898637.590705.1108.nullmailer@cicuta.babolo.ru>

> On Mon, Mar 17, 2003 at 10:06:27AM +0300, "."@babolo.ru wrote:
> >It is time to invent "ping socket" and "traceroute socket"
> >in addition to tcp, udp, divert so on?
>
> Whilst this might seem nice, actually implementing so that it is
> both useful and safe is not easy.
>
> For a "ping socket", this is reasonably easy if all you want is the
> ability to send "ICMP ECHO REQUEST" packets and receive any "ICMP ECHO
> REPLY" packets associated with previous request packets. It's not
> totally trivial because the kernel has to keep the state for outgoing
> packets to ensure that only the correct incoming packets are
> forwarded. (This is a security issue - you don't want someone finding
> out hosts someone outside that jail is pinging). Remember to allow
> for multiple responses to a single request and for long delays. You
> might also want to implement resource restrictions to prevent someone
> flooding the system with request packets.

Not so easy to do but easily understandable
for me.

> A "traceroute socket" is harder: There's no "ICMP TRACEROUTE" packet.
> Instead, traceroute(8) sends outgoing IP packets with varying TTL
> sizes and monitors incoming ICMP looking for "HOST
> UNREACHABLE - TIME EXCEEDED IN TRANSIT" packets. Again, the kernel
> would need to validate the incoming packets against outgoing packets.

"traceroute socket" is just a curiosity.
It seems to me better use UDP socket with some
controls and "ping socket" from above.
But way to obtain "ping socket" coupled with UDP
socket is above my brain.

Or maybe more common way?
Semiraw socket for ability send some classes
of IP packets and receive all induced ICMP
ICMP ECHO REQUEST, any UDP and other protocols
except TCP with correct source IP address is probably
secure enough for use by root in jail.

> In both cases, you also need to work out how to handle other random
> ICMP packets that be received as a result of the outgoing packets.
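
The state-keeping described for a "ping socket" in the quoted text, as an added C example that is not part of this thread or of FreeBSD: it records each outgoing echo request per jail, lets a jail see a reply only if it answers that jail's own request, keeps the entry for a time window so duplicate and delayed replies still match, and caps outstanding requests per jail. All names (`ps_send`, `ps_may_deliver`) and the limits are assumptions.

```c
/* Hypothetical names and limits for illustration; not FreeBSD kernel code. */
#include <stdint.h>

#define TABLE_SIZE   16  /* assumed total tracked requests */
#define JAIL_QUOTA    4  /* assumed outstanding requests allowed per jail */
#define REPLY_WINDOW 30  /* assumed seconds a request stays answerable */

struct pending {
    int      used;
    int      jail;      /* jail that sent the request */
    uint32_t dst;       /* destination IPv4 address */
    uint16_t id, seq;   /* ICMP echo identifier and sequence number */
    uint32_t sent;      /* send time in seconds */
};
struct ping_state { struct pending slot[TABLE_SIZE]; };

/* Forget requests older than the reply window, which also frees quota. */
static void ps_expire(struct ping_state *ps, uint32_t now) {
    for (int i = 0; i < TABLE_SIZE; i++)
        if (ps->slot[i].used && now - ps->slot[i].sent > REPLY_WINDOW)
            ps->slot[i].used = 0;
}

/* Record an outgoing ECHO REQUEST; -1 means over quota or table full. */
int ps_send(struct ping_state *ps, int jail, uint32_t dst,
            uint16_t id, uint16_t seq, uint32_t now) {
    int count = 0, free_slot = -1;
    ps_expire(ps, now);
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!ps->slot[i].used) free_slot = i;
        else if (ps->slot[i].jail == jail) count++;
    }
    if (count >= JAIL_QUOTA || free_slot < 0) return -1;
    ps->slot[free_slot] = (struct pending){ 1, jail, dst, id, seq, now };
    return 0;
}

/* May this jail see an ECHO REPLY from src? The entry stays until it
 * expires, so duplicate and late replies to one request still match. */
int ps_may_deliver(struct ping_state *ps, int jail, uint32_t src,
                   uint16_t id, uint16_t seq, uint32_t now) {
    ps_expire(ps, now);
    for (int i = 0; i < TABLE_SIZE; i++) {
        const struct pending *p = &ps->slot[i];
        if (p->used && p->jail == jail && p->dst == src &&
            p->id == id && p->seq == seq)
            return 1;
    }
    return 0;
}
```

A reply that matches no entry for the asking jail is simply not delivered to it, which is what keeps one jail from learning which hosts another jail or the host system is pinging.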