Date:      Wed, 2 May 2012 10:27:13 -0659
From:      David Thiel <lx@redundancy.redundancy.org>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Jails can't get routing info
Message-ID:  <20120502172649.GE66263@redundancy.redundancy.org>
In-Reply-To: <597C92B2-02AA-4093-B6A3-B871CCDB70F8@lists.zabbadoz.net>
References:  <20120501194101.GD66263@redundancy.redundancy.org> <597C92B2-02AA-4093-B6A3-B871CCDB70F8@lists.zabbadoz.net>

On Tue, May 01, 2012 at 09:01:09PM +0000, Bjoern A. Zeeb wrote:
> > So, I've been trying to debug an issue running nmap scans within jails, 
> > partially documented here:
> > 
> > http://seclists.org/nmap-dev/2012/q2/220
> > 
> > On further debugging, it's seeming like jails can't read routing 
> > information directly at all:
> > 
> > # route get 69.163.203.254
> > route: writing to routing socket: No such process
> > 
> > Now, this is normally done via reading the routing table via something like 
> > socket(PF_ROUTE, SOCK_RAW, AF_INET), so one would suspect that this is a 
> > problem with raw sockets; but raw sockets are enabled within the jail. 
> > netstat is able to read routing information just fine, but I don't think 
> > it's doing it via the socket() call.
> 
> hmm, sure you don't have /dev/mem in the jail? netstat -rn I think is still
> using libkvm *sigh* and not the sysctl API.

Actually I do - in desperation I put a "add path '*' unhide" in the 
devfs.rules. Now that I think of it, that is what makes netstat work. 
But, I still don't understand why "route get" doesn't work, given that 
the very existence of the "security.jail.socket_unixiproute_only" sysctl 
implies that by default, you should be able to open routing sockets in a 
jail (presuming raw sockets are enabled, which they are).

> > Anyone know why this behavior might be happening?
> 
> Without thinking too much (as in if I got the right case) I think you are
> hitting this one:
> 
> http://svnweb.freebsd.org/base/head/sys/net/rtsock.c?annotate=234572#l792

Hmm, that seems to relate to pulling via sysctl, which the "route" 
command doesn't do. It sounds useful for fixing netstat, though.

Thanks,
David
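The thread turns on which syscall actually fails: route(8) opens a PF_ROUTE socket and then write()s an RTM_GET for the destination, and "writing to routing socket: No such process" is its report of that write() failing with ESRCH, the errno the kernel returns when its lookup finds no route matching the destination. The program below, an added example and not code from the thread or from route(8), issues the same RTM_GET one syscall at a time so that from inside a jail you can see whether socket(PF_ROUTE, SOCK_RAW, AF_INET) is itself refused (raw sockets disabled) or whether, as David saw, the socket opens and only the write() fails. The routing-socket code is FreeBSD-only and sits under #ifdef __FreeBSD__; the errno interpretation is portable. The names rt_probe, rt_diagnose and rt_stage are this example's own, and the default destination is the one from the thread.

```c
/*
 * Added example, not from the thread: send the RTM_GET that `route get`
 * sends over a PF_ROUTE socket, one syscall at a time, and report which
 * step failed. FreeBSD-only parts are guarded; helper names are our own.
 *
 * FreeBSD:  cc -Wall -o rtget rtget.c && ./rtget 69.163.203.254
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifdef __FreeBSD__
#include <net/if.h>
#include <net/route.h>
#endif

enum rt_stage { RT_OK, RT_BADADDR, RT_SOCKET, RT_WRITE, RT_READ, RT_UNSUPPORTED };

/* Human-readable reading of which syscall failed and why. */
const char *rt_diagnose(enum rt_stage stage, int err)
{
    switch (stage) {
    case RT_OK:      return "RTM_GET answered: routing socket usable here";
    case RT_BADADDR: return "destination is not an IPv4 address";
    case RT_SOCKET:  return "socket(PF_ROUTE, SOCK_RAW, AF_INET) refused: "
                            "routing sockets not permitted in this context";
    case RT_WRITE:
        /* route(8) prints this case as "writing to routing socket: No such
         * process": the socket opened and the kernel parsed the message,
         * but its lookup found no route for the destination. */
        if (err == ESRCH)
            return "write(RTM_GET) failed with ESRCH: no matching route";
        return "write(RTM_GET) failed";
    case RT_READ:    return "no reply to our RTM_GET";
    default:         return "not FreeBSD: routing-socket probe skipped";
    }
}

#ifdef __FreeBSD__
/* RTM_GET request: header followed by the RTA_DST sockaddr. sockaddr_in is
 * 16 bytes, already a multiple of sizeof(long), so no padding is needed. */
struct rtget_msg {
    struct rt_msghdr   hdr;
    struct sockaddr_in dst;
};

static enum rt_stage rt_probe_addr(struct in_addr dst, int *err)
{
    struct rtget_msg m;
    char reply[1024];
    pid_t pid = getpid();
    int s;

    memset(&m, 0, sizeof m);
    m.hdr.rtm_msglen  = sizeof m;
    m.hdr.rtm_version = RTM_VERSION;
    m.hdr.rtm_type    = RTM_GET;
    m.hdr.rtm_addrs   = RTA_DST;
    m.hdr.rtm_seq     = 1;
    m.hdr.rtm_pid     = pid;
    m.dst.sin_len     = sizeof m.dst;
    m.dst.sin_family  = AF_INET;
    m.dst.sin_addr    = dst;

    if ((s = socket(PF_ROUTE, SOCK_RAW, AF_INET)) < 0) {
        *err = errno;
        return RT_SOCKET;
    }
    if (write(s, &m, sizeof m) != (ssize_t)sizeof m) {
        *err = errno;            /* ESRCH here is the thread's failure */
        close(s);
        return RT_WRITE;
    }
    /* The socket also delivers unrelated routing events; wait for ours. */
    for (;;) {
        ssize_t n = read(s, reply, sizeof reply);
        struct rt_msghdr *r = (struct rt_msghdr *)reply;
        if (n < (ssize_t)sizeof *r) {
            *err = n < 0 ? errno : EIO;
            close(s);
            return RT_READ;
        }
        if (r->rtm_type == RTM_GET && r->rtm_pid == pid && r->rtm_seq == 1)
            break;
    }
    close(s);
    *err = 0;
    return RT_OK;
}
#endif

/* Portable entry point: parse the address, then probe where supported. */
enum rt_stage rt_probe(const char *dst_str, int *err)
{
    struct in_addr dst;
    if (inet_pton(AF_INET, dst_str, &dst) != 1) {
        *err = EINVAL;
        return RT_BADADDR;
    }
#ifdef __FreeBSD__
    return rt_probe_addr(dst, err);
#else
    *err = ENOSYS;
    return RT_UNSUPPORTED;
#endif
}

int main(int argc, char **argv)
{
    int err = 0;
    enum rt_stage st = rt_probe(argc > 1 ? argv[1] : "69.163.203.254", &err);
    printf("%s%s%s\n", rt_diagnose(st, err), err ? ": " : "", err ? strerror(err) : "");
    return st == RT_OK ? 0 : 1;
}
```

Run it once on the host and once inside the jail with the same destination. If the host gets RT_OK and the jail gets RT_WRITE with ESRCH, the jail's raw-socket permission is not the problem (the socket opened); the RTM_GET reached the kernel and its lookup came back empty for that process, which is where to keep digging. If the jail instead fails at RT_SOCKET, it is the socket creation itself that is being refused.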



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120502172649.GE66263>