From owner-freebsd-stable@FreeBSD.ORG  Wed May  2 17:27:19 2012
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 5CC8B1065673
	for <freebsd-stable@freebsd.org>; Wed,  2 May 2012 17:27:19 +0000 (UTC)
	(envelope-from lx@redundancy.redundancy.org)
Received: from redundancy.redundancy.org (75-101-96-57.dsl.static.sonic.net
	[75.101.96.57]) by mx1.freebsd.org (Postfix) with SMTP id 369A58FC12
	for <freebsd-stable@freebsd.org>; Wed,  2 May 2012 17:27:19 +0000 (UTC)
Received: (qmail 70686 invoked by uid 1001); 2 May 2012 17:27:13 -0000
Date: Wed, 2 May 2012 10:27:13 -0659
From: David Thiel <lx@redundancy.redundancy.org>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Message-ID: <20120502172649.GE66263@redundancy.redundancy.org>
References: <20120501194101.GD66263@redundancy.redundancy.org>
	<597C92B2-02AA-4093-B6A3-B871CCDB70F8@lists.zabbadoz.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <597C92B2-02AA-4093-B6A3-B871CCDB70F8@lists.zabbadoz.net>
X-OpenPGP-Key-fingerprint: 482A 8C46 C844 7E7C 8CBC 2313 96EE BEE5 1F4B CA13
X-OpenPGP-Key-available: http://redundancy.redundancy.org/lx.gpg
X-Face: %H~{$1~NOw1y#%mM6{|4:/<p]y9X%E+4%:1wo-M!re,
	zl.qH~yzbL-MWhtp$3QuKP&di/a{FOctD[FuX.\n4U*,
	M{TJg$oYp663.NyX!%H~~Tw$eR9xZU5W?1BM#t"a@'27^2x
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: freebsd-stable@freebsd.org
Subject: Re: Jails can't get routing info
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2012 17:27:19 -0000

On Tue, May 01, 2012 at 09:01:09PM +0000, Bjoern A. Zeeb wrote:
> > So, I've been trying to debug an issue running nmap scans within jails, 
> > partially documented here:
> > 
> > http://seclists.org/nmap-dev/2012/q2/220
> > 
> > On further debugging, it's seeming like jails can't read routing 
> > information directly at all:
> > 
> > # route get 69.163.203.254
> > route: writing to routing socket: No such process
> > 
> > Now, this is normally done via reading the routing table via something like 
> > socket(PF_ROUTE, SOCK_RAW, AF_INET), so one would suspect that this is a 
> > problem with raw sockets; but raw sockets are enabled within the jail. 
> > netstat is able to read routing information just fine, but I don't think 
> > it's doing it via the socket() call.
> 
> hmm, sure you don't have /dev/mem in the jail? netstat -rn I think is still
> using libkvm *sigh* and not the sysctl API.

Actually I do - in desperation I put a "add path '*' unhide" in the 
devfs.rules. Now that I think of it, that is what makes netstat work. 
But, I still don't understand why "route get" doesn't work, given that 
the very existence of the "security.jail.socket_unixiproute_only" sysctl 
implies that by default, you should be able to open routing sockets in a 
jail (presuming raw sockets are enabled, which they are).

> > Anyone know why this behavior might be happening?
> 
> Without thinking too much (as in if I got the right case) I think you are
> hitting this one:
> 
> http://svnweb.freebsd.org/base/head/sys/net/rtsock.c?annotate=234572#l792

Hmm, that seems to relate to pulling via sysctl, which the "route" 
command doesn't do. It sounds useful for fixing netstat, though.

Thanks,
David