Date: Sat, 25 Aug 2012 14:45:47 -0600
From: Jamie Gritton <jamie@FreeBSD.org>
To: curtis@occnc.com
Cc: freebsd-jail@FreeBSD.org
Subject: Re: IPv6 multicast sent to jail
Message-ID: <5039397B.7050205@FreeBSD.org>
In-Reply-To: <201208252015.q7PKFVVi009920@gateway2.orleans.occnc.com>
References: <201208252015.q7PKFVVi009920@gateway2.orleans.occnc.com>
On 08/25/12 14:15, Curtis Villamizar wrote:
> In message <503402FE.9080103@FreeBSD.org>
> Jamie Gritton writes:
>
>> On 08/19/12 11:35, Curtis Villamizar wrote:
>>> I'm trying to run isc-dhcpd using dhcpd -6 in a jail. No luck.
>>>
>>> The following code is run in the jail and doesn't fail.
>>>
>>>     if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
>>>                   &mreq.ipv6mr_multiaddr) <= 0) {
>>>         log_fatal("inet_pton: unable to convert '%s'",
>>>                   All_DHCP_Relay_Agents_and_Servers);
>>>     }
>>>     mreq.ipv6mr_interface = if_nametoindex(info->name);
>>>     if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
>>>                    &mreq, sizeof(mreq)) < 0) {
>>>         log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
>>>     }
>>>
>>> where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".
>>>
>>> Later dhcpd binds to *.517 which can be seen in netstat -an.
>>>
>>> Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
>>> jailee) using tcpdump, but no packets are received by the jailee.
>>>
>>> When the same command from the jailer using a chroot to the jailee
>>> directory, the multicast packets are received.
>>>
>>> Is there a solution to this other than changing the jail from an
>>> implied "ip6=new" with a specific address to "ip6=inherit". What I'd
>>> really like is a yet to be invented "ip6=new+multicast".
>>>
>>> Using "ip6=inherit" would be OK, adding very little exposure (mostly
>>> DoS attack exposure). It would be nice if "ip6=inherit" were
>>> supported in the rc.d/jail framework.
>>>
>>> Before I go changing anything I'm asking whether allowing the
>>> multicast join and then not passing multicast to the jail is
>>> considered a bug and how it should behave (the join should have failed
>>> or the packets should have arrived). If the best workaround for now
>>> is "ip6=inherit" would adding jail_<jailname>_ip[46] variables to the
>>> rc files be viewed as a good solution (with a comment in
>>> /etc/defaults/rc.conf indicating that the interaction between setting
>>> addressing using _ip and _ip_multi and setting _ip4 or _ip6 (setting
>>> an address for each family forces "ip[46]=net" for that AF.
>>>
>>> Curtis
>>
>> Offhand, it does sound like a bug. I imagine the solution would be to
>> reject the join - at least the easy solution to be done first until
>> something more complicated can be done to make jails play nice with
>> multicast.
>>
>> - Jamie
>
>
> Jamie,
>
> Certainly not the preferred solution. Best would be a
> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
> and accepting the join and passing in multicast if 1. Same for v4,
> though not of immediate concern since DHCPv4 doesn't need it.
>
> If you (or someone) would like to point me in the right direction, I
> would be willing to put some time into learning the relevant code and
> proposing a fix. No promises, but I can put some time into it. Off
> list if you prefer.
>
> Curtis

It'll have to be someone besides me - I don't know enough about multicast
myself to be able to do more than keep it out of jails.

- Jamie
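The symptom discussed in this thread is that the IPV6_JOIN_GROUP setsockopt quoted from dhcpd succeeds inside the jail while no multicast datagram is ever delivered. The probe below is an added example, not code from the thread or from isc-dhcpd: it performs the same sequence (parse the group, join it on a named interface, bind the wildcard port, wait for a datagram) and reports which outcome occurred, so that the same binary run inside the jail and on the host distinguishes a refused join from a join that was accepted but never fed any packets. The interface name, port and timeout are command-line arguments; the default port 547 is the DHCPv6 server port and the group defaults to ff02::1:2 from the thread. Running it on a jailed system with `ip6=new` versus `ip6=inherit` is the comparison the thread asks about.

```c
/* Added example (not from the thread or isc-dhcpd): a delivery probe for a
 * link-local IPv6 multicast group. Compile with: cc -o mcprobe mcprobe.c */
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum probe_result {
    PROBE_RECEIVED = 0,     /* join accepted and a datagram arrived */
    PROBE_SILENT = 1,       /* join accepted, nothing arrived: the symptom in the thread */
    PROBE_JOIN_REFUSED = 2, /* setsockopt(IPV6_JOIN_GROUP) failed */
    PROBE_BAD_ADDR = 3,     /* group address unparseable or not multicast */
    PROBE_SOCKET_ERR = 4    /* socket() or bind() failed */
};

/* Fill an ipv6_mreq from a textual group address and an interface index
 * (0 lets the kernel pick). Returns 0 on success, -1 if the address does not
 * parse or is not a multicast address at all. */
int build_join_request(const char *group, unsigned ifindex, struct ipv6_mreq *mreq)
{
    memset(mreq, 0, sizeof(*mreq));
    if (inet_pton(AF_INET6, group, &mreq->ipv6mr_multiaddr) != 1)
        return -1;
    if (!IN6_IS_ADDR_MULTICAST(&mreq->ipv6mr_multiaddr))
        return -1;
    mreq->ipv6mr_interface = ifindex;
    return 0;
}

/* Join `group` on `ifname`, bind [::]:port (the "*.port" entry netstat shows),
 * and wait up to timeout_sec for any datagram. */
enum probe_result probe_multicast_delivery(const char *group, const char *ifname,
                                           unsigned short port, int timeout_sec)
{
    struct ipv6_mreq mreq;
    unsigned ifindex = ifname ? if_nametoindex(ifname) : 0;
    if (build_join_request(group, ifindex, &mreq) != 0)
        return PROBE_BAD_ADDR;

    int sock = socket(AF_INET6, SOCK_DGRAM, 0);
    if (sock < 0)
        return PROBE_SOCKET_ERR;

    int one = 1;
    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));

    struct sockaddr_in6 local;
    memset(&local, 0, sizeof(local));
    local.sin6_family = AF_INET6;
    local.sin6_addr = in6addr_any;
    local.sin6_port = htons(port);
    if (bind(sock, (struct sockaddr *)&local, sizeof(local)) < 0) {
        close(sock);
        return PROBE_SOCKET_ERR;
    }

    /* The call the thread is about: a refusal here is the "easy fix" Jamie
     * mentions; acceptance followed by silence is the reported bug. */
    if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) < 0) {
        close(sock);
        return PROBE_JOIN_REFUSED;
    }

    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(sock, &rfds);
    struct timeval tv = { timeout_sec, 0 };
    enum probe_result r = PROBE_SILENT;
    if (select(sock + 1, &rfds, NULL, NULL, &tv) > 0) {
        char buf[1500];
        if (recv(sock, buf, sizeof(buf), 0) >= 0)
            r = PROBE_RECEIVED;
    }
    close(sock);
    return r;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s ifname [port] [timeout_sec]\n", argv[0]);
        return 2;
    }
    unsigned short port = (argc > 2) ? (unsigned short)atoi(argv[2]) : 547;
    int timeout = (argc > 3) ? atoi(argv[3]) : 10;
    static const char *labels[] = { "received", "join accepted but nothing delivered",
                                    "join refused", "bad group address", "socket/bind error" };
    enum probe_result r = probe_multicast_delivery("ff02::1:2", argv[1], port, timeout);
    printf("ff02::1:2 on %s port %u: %s\n", argv[1], port, labels[r]);
    return (int)r;
}
```

The exit status mirrors the enum, so the probe can be scripted: status 1 (join accepted, nothing delivered) inside the jail together with status 0 on the host is exactly the behaviour described in the thread, whereas status 2 inside the jail would indicate the "reject the join" behaviour.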