Date: Wed, 2 May 2012 10:27:13 -0659
From: David Thiel
To: "Bjoern A. Zeeb"
Message-ID: <20120502172649.GE66263@redundancy.redundancy.org>
In-Reply-To: <597C92B2-02AA-4093-B6A3-B871CCDB70F8@lists.zabbadoz.net>

On Tue, May 01, 2012 at 09:01:09PM +0000, Bjoern A. Zeeb wrote:
> > So, I've been trying to debug an issue running nmap scans within jails,
> > partially documented here:
> >
> > http://seclists.org/nmap-dev/2012/q2/220
> >
> > On further debugging, it's seeming like jails can't read routing
> > information directly at all:
> >
> > # route get 69.163.203.254
> > route: writing to routing socket: No such process
> >
> > Now, this is normally done via reading the routing table via something like
> > socket(PF_ROUTE, SOCK_RAW, AF_INET), so one would suspect that this is a
> > problem with raw sockets; but raw sockets are enabled within the jail.
> > netstat is able to read routing information just fine, but I don't think
> > it's doing it via the socket() call.
>
> hmm, sure you don't have /dev/mem in the jail? netstat -rn I think is still
> using libkvm *sigh* and not the sysctl API.

Actually I do - in desperation I put a "add path '*' unhide" in the
devfs.rules. Now that I think of it, that is what makes netstat work. But, I
still don't understand why "route get" doesn't work, given that the very
existence of the "security.jail.socket_unixiproute_only" sysctl implies that
by default, you should be able to open routing sockets in a jail (presuming
raw sockets are enabled, which they are).

> > Anyone know why this behavior might be happening?
>
> Without thinking too much (as in if I got the right case) I think you are
> hitting this one:
>
> http://svnweb.freebsd.org/base/head/sys/net/rtsock.c?annotate=234572#l792

Hmm, that seems to relate to pulling via sysctl, which the "route" command
doesn't do. It sounds useful for fixing netstat, though.

Thanks,
David
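As an added example (not from this thread and not route(8)'s own source), the C program below issues the same RTM_GET that `route get` sends over a `socket(PF_ROUTE, SOCK_RAW, AF_INET)` and reports which step fails, so a jail that lacks raw sockets (EPERM at `socket()`) can be told apart from the case in this thread (ESRCH at the `write()`). The `probe_route_get` helper and its result enum are this example's own names; on systems without BSD routing sockets it compiles to a stub that reports "unsupported".

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/route.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
/* Outcome of one RTM_GET over a PF_ROUTE socket (names are this example's own). */
enum rt_probe { RT_PROBE_OK = 0, RT_PROBE_EPERM, RT_PROBE_ESRCH,
                RT_PROBE_OTHER, RT_PROBE_UNSUPPORTED };
#if defined(RTM_GET) && defined(RTM_VERSION) && defined(RTA_DST)
/* Same shape route(8) writes for "route get <dst>": header plus one RTA_DST sockaddr. */
struct rtm_get_msg { struct rt_msghdr hdr; struct sockaddr_in dst; };
enum rt_probe probe_route_get(const char *dst_ip, int *saved_errno)
{
    struct rtm_get_msg m; char buf[2048];
    struct rt_msghdr *r = (struct rt_msghdr *)buf;
    ssize_t n; int s;
    memset(&m, 0, sizeof m);
    m.hdr.rtm_msglen = sizeof m;   m.hdr.rtm_version = RTM_VERSION;
    m.hdr.rtm_type = RTM_GET;      m.hdr.rtm_addrs = RTA_DST;
    m.hdr.rtm_seq = 1;             m.hdr.rtm_pid = getpid();
    m.dst.sin_len = sizeof m.dst;  m.dst.sin_family = AF_INET;
    if (inet_pton(AF_INET, dst_ip, &m.dst.sin_addr) != 1) { *saved_errno = EINVAL; return RT_PROBE_OTHER; }
    /* A jail with raw sockets disabled fails already here, with EPERM. */
    if ((s = socket(PF_ROUTE, SOCK_RAW, AF_INET)) < 0) {
        *saved_errno = errno; return errno == EPERM ? RT_PROBE_EPERM : RT_PROBE_OTHER;
    }
    /* This write is where route(8) reports "writing to routing socket: ..."; ESRCH is the thread's symptom. */
    if (write(s, &m, sizeof m) < 0) {
        *saved_errno = errno; close(s);
        return errno == ESRCH ? RT_PROBE_ESRCH : errno == EPERM ? RT_PROBE_EPERM : RT_PROBE_OTHER;
    }
    /* Skip unrelated routing messages until the kernel echoes our seq/pid, then check rtm_errno. */
    do {
        n = read(s, buf, sizeof buf);
        if (n < (ssize_t)sizeof *r) { *saved_errno = n < 0 ? errno : EIO; close(s); return RT_PROBE_OTHER; }
    } while (r->rtm_type != RTM_GET || r->rtm_seq != 1 || r->rtm_pid != getpid());
    close(s);
    *saved_errno = r->rtm_errno;
    return r->rtm_errno == 0 ? RT_PROBE_OK : RT_PROBE_OTHER;
}
#else
/* No BSD routing sockets on this platform (Linux uses netlink instead): nothing to probe. */
enum rt_probe probe_route_get(const char *dst_ip, int *saved_errno)
{ (void)dst_ip; *saved_errno = 0; return RT_PROBE_UNSUPPORTED; }
#endif
```

Run it once on the host and once inside the jail with the same destination; a host result of RT_PROBE_OK next to a jail result of RT_PROBE_ESRCH reproduces the behaviour quoted above without involving libkvm or /dev/mem.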