Date: Tue, 9 Apr 2013 12:58:33 +0100
From: "Steven Hartland" <killing@multiplay.co.uk>
To: <freebsd-net@freebsd.org>
Subject: Review of patch for raw packet source address selection under jails
Message-ID: <FAD0AD4FCFDF46E3A614EF333AA2FE76@multiplay.co.uk>
Currently source address selection for raw packets under jails
uses prison_get_ip4 in the INADDR_ANY case.
This can cause an invalid source address to be used, including
using addresses which are unusable, e.g. down interfaces,
un-routable addresses, etc.
I suspect this is a hangover from when jails were essentially
single IP.
The attached patch switches to use full resolution for raw
packets via in_pcbladdr, which fixes this problem in all of
our testing.
Is this the correct path to take?
Regards
Steve
[-- Attachment #2 --]
Fix jailed raw sockets not setting the correct source address by
calling in_pcbladdr instead of prison_get_ip4
--- sys/netinet/in_pcb.h.orig 2013-04-05 16:59:33.005670964 +0000
+++ sys/netinet/in_pcb.h 2013-04-05 17:00:24.725266747 +0000
@@ -490,6 +490,8 @@
struct ucred *, int);
int in_pcbbind_setup(struct inpcb *, struct sockaddr *, in_addr_t *,
u_short *, struct ucred *);
+int in_pcbladdr(struct inpcb *, struct in_addr *, struct in_addr *,
+ struct ucred *);
int in_pcbconnect(struct inpcb *, struct sockaddr *, struct ucred *);
int in_pcbconnect_setup(struct inpcb *, struct sockaddr *, in_addr_t *,
u_short *, in_addr_t *, u_short *, struct inpcb **,
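Review bot: the new prototype turns in_pcbladdr() into part of the in_pcb.h interface without any comment describing its contract; a one-line comment next to the declaration (it does jail-aware local address selection for an inpcb given the foreign address, writing the result through the third argument) would help callers outside in_pcb.c. Placing it beside in_pcbconnect()/in_pcbconnect_setup() is consistent with the surrounding declarations.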
--- sys/netinet/in_pcb.c.orig 2013-04-05 16:59:28.252798648 +0000
+++ sys/netinet/in_pcb.c 2013-04-05 16:59:38.888509732 +0000
@@ -596,7 +596,7 @@
* Do proper source address selection on an unbound socket in case
* of connect. Take jails into account as well.
*/
-static int
+int
in_pcbladdr(struct inpcb *inp, struct in_addr *faddr, struct in_addr *laddr,
struct ucred *cred)
{
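Review bot: dropping `static` is all that is needed to export the function, but the comment immediately above it ("Do proper source address selection on an unbound socket in case of connect") is now stale, since raw_ip.c will call it on output rather than on connect; extend it to say it is also used for raw socket source selection so the next reader understands why it is non-static.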
--- sys/netinet/raw_ip.c.orig 2013-04-05 16:44:24.458314711 +0000
+++ sys/netinet/raw_ip.c 2013-04-05 17:10:54.902524046 +0000
@@ -442,16 +442,16 @@
ip->ip_p = inp->inp_ip_p;
ip->ip_len = m->m_pkthdr.len;
ip->ip_src = inp->inp_laddr;
+ ip->ip_dst.s_addr = dst;
if (jailed(inp->inp_cred)) {
/*
* prison_local_ip4() would be good enough but would
* let a source of INADDR_ANY pass, which we do not
- * want to see from jails. We do not go through the
- * pain of in_pcbladdr() for raw sockets.
+ * want to see from jails.
*/
if (ip->ip_src.s_addr == INADDR_ANY)
- error = prison_get_ip4(inp->inp_cred,
- &ip->ip_src);
+ error = in_pcbladdr(inp, &ip->ip_dst, &ip->ip_src,
+ inp->inp_cred);
else
error = prison_local_ip4(inp->inp_cred,
&ip->ip_src);
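Review bot: in the INADDR_ANY branch the address chosen by in_pcbladdr() is used directly, whereas the else branch still passes an explicit source through prison_local_ip4(); that is only safe because in_pcbladdr() is itself jail-aware (its header comment in in_pcb.c says so), so a short comment here stating that the selected address has already been validated against the prison would avoid a future reader re-adding the check or worrying it is missing. The ip_dst assignment had to move above this block because in_pcbladdr() now takes `&ip->ip_dst` as the foreign address; that motivation is worth a sentence in the commit message. Note also that the error values returned on failure may now differ from those prison_get_ip4() produced, which could be visible to userland as a changed errno.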
@@ -461,7 +461,6 @@
return (error);
}
}
- ip->ip_dst.s_addr = dst;
ip->ip_ttl = inp->inp_ip_ttl;
} else {
if (m->m_pkthdr.len > IP_MAXPACKET) {
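Review bot: removing the later `ip->ip_dst.s_addr = dst;` is correct only if nothing between the new and old positions writes ip_dst; from the visible context the only intervening code is the jailed() block, which reads ip_dst but does not modify it, so the move preserves behaviour on the non-error path and leaves exactly one assignment.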
