From: "Bjoern A. Zeeb"
Subject: Re: SCTP binds to IPs outside of jail
Date: Sun, 6 Apr 2014 15:05:50 +0000
To: Michael Tuexen
Cc: FreeBSD Net, Bernd Walter, ticso@cicely.de
In-Reply-To: <7D1ABA78-D48D-48B7-9CE7-152BD59DB1B0@lurchi.franken.de>
Message-Id: <77B6DEC1-D7E8-446E-A057-A692379D9EFB@lists.zabbadoz.net>
References: <20140405210246.GB58138@cicely7.cicely.de> <7D1ABA78-D48D-48B7-9CE7-152BD59DB1B0@lurchi.franken.de>
List-Id: Networking and TCP/IP with FreeBSD

On 06 Apr 2014, at 11:42 , Michael Tuexen wrote:

> On 05 Apr 2014, at 23:02, Bernd Walter wrote:
>
>> So far I've tested this on FreeBSD-9.2 BETA2 r254053M only.
>> The modifications are to allow IPv6 multicast support within jail
>> which only makes a difference for multicast addresses and some multicast
>> loopback checksum bugs - both changes are open PR.
>>
>> I've created an AF_INET6 SCTP one to many socket to receive incoming
>> messages.
>> The process was started within a jail.
>> Now netstat -anW lists all host IPv6 IPs, not just those of the jail.
>> Also not sure why this AF_INET6 socket is shown as sctp46.
> This should be handled as a v6 only socket depending on your
> setting of net.inet6.ip6.v6only sysctl variable by the SCTP stack.
> However, netstat has no information about this and can not distinguish
> between sctp6 and sctp46, so it reports sctp46 always. You can file
> a PR about this.
>
> The questions about the addresses and the jails: The SCTP code has
> no jail specific code. If you bind a socket to the wildcard address
> (which is what you do by not binding at all), the SCTP stack lists
> all addresses it knows about. I'm not sure what would happen, if
> you send a packet to an address not owned by the jail.
> You might want to file a separate PR about the support of jails.

Aehm, the SCTP code was filtering addresses at one point and made sure
only jail-visible addresses were seen or bound, very much like normal PCB
handling. If this is not the case (anymore), SCTP shall not be allowed
inside jails again.

>
> Best regards
> Michael
>>
>> This is the relevant C++ code part to open the socket:
>> #include <sys/types.h>
>> #include <sys/socket.h>
>> #include <netinet/in.h>
>> #include <netinet/sctp.h>
>> #include <stdint.h>
>> #include <strings.h>
>>
>> int
>> setup_sctp_socket(uint16_t port)
>> {
>>     int sc = socket(AF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP);
>>     if (sc < 0)
>>         return -1;
>>     {
>>         // reuse address (socket options take an int, not a long)
>>         int val = 1;
>>         setsockopt(sc, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val));
>>         // XXX error handling
>>     }
>>     {
>>         // no delay; SCTP_NODELAY is an IPPROTO_SCTP level option, not SOL_SOCKET
>>         int val = 1;
>>         setsockopt(sc, IPPROTO_SCTP, SCTP_NODELAY, &val, sizeof(val));
>>         // XXX error handling
>>     }
>>     {
>>         // eeor mode (last write needs MSG_EOR to declare end of message)
>>         // Linux has MSG_MORE negative send flag
>>         // SCTP_EXPLICIT_EOR is also an IPPROTO_SCTP level option
>>         int val = 1;
>>         setsockopt(sc, IPPROTO_SCTP, SCTP_EXPLICIT_EOR, &val, sizeof(val));
>>         // XXX error handling
>>     }
>> #if 0
>>     {
>>         struct sctp_initmsg init;
>>         bzero(&init, sizeof(init));
>>         init.sinit_num_ostreams = HDB_STREAMS;
>>         init.sinit_max_instreams = HDB_STREAMS;
>>         // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>         setsockopt(sc, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg));
>>         // XXX error handling
>>     }
>> #endif
>>     {
>>         // bind to the IPv6 wildcard address on the given port;
>>         // the length passed must be that of sockaddr_in6, not sockaddr_in
>>         struct sockaddr_in6 addr;
>>         bzero(&addr, sizeof(addr));
>>         addr.sin6_len = sizeof(addr);
>>         addr.sin6_family = AF_INET6;
>>         addr.sin6_port = htons(port);
>>         bind(sc, (struct sockaddr *)&addr, sizeof(addr));
>>         // XXX error handling
>>     }
>>     {
>>         // enable heartbeats at 1000ms
>>         struct sctp_paddrparams paddr_params;
>>         bzero(&paddr_params, sizeof(paddr_params));
>>         paddr_params.spp_address.ss_family = AF_INET6;
>>         paddr_params.spp_flags = SPP_HB_ENABLE;
>>         paddr_params.spp_hbinterval = 1000;
>>         // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>         setsockopt(sc, IPPROTO_SCTP, SCTP_PEER_ADDR_PARAMS, &paddr_params, sizeof(paddr_params));
>>         // XXX error handling
>>     }
>>     {
>>         struct sctp_event_subscribe events;
>>         bzero(&events, sizeof(events));
>>
>>         events.sctp_data_io_event = 1; // we need io_events to know where the message came from
>>
>>         // subscribe to other events as well for testing
>>         events.sctp_association_event = 1;
>>         events.sctp_address_event = 1;
>>         events.sctp_send_failure_event = 1;
>>         events.sctp_peer_error_event = 1;
>>         events.sctp_shutdown_event = 1;
>>         events.sctp_partial_delivery_event = 1;
>>         events.sctp_adaptation_layer_event = 1;
>>         events.sctp_authentication_event = 1;
>>         events.sctp_sender_dry_event = 1;
>>         events.sctp_stream_reset_event = 1;
>>
>>         setsockopt(sc, IPPROTO_SCTP, SCTP_EVENTS, &events, sizeof(events));
>>         // XXX error handling
>>     }
>>     {
>>         // setup send and receive buffers (default on FreeBSD 9.x)
>>         int val;
>>         val = 1864135;
>>         setsockopt(sc, SOL_SOCKET, SO_RCVBUF, &val, sizeof(val));
>>         // XXX error handling
>>         val = 1864135;
>>         setsockopt(sc, SOL_SOCKET, SO_SNDBUF, &val, sizeof(val));
>>         // XXX error handling
>>     }
>>     listen(sc, 1); // listen is required to allow incoming associations, but no listen queue
>>     // XXX error handling
>>
>>     return sc;
>> }
>>
>> --
>> B.Walter http://www.bwct.de
>> Modbus/TCP Ethernet I/O modules, ARM-based FreeBSD computers and much more.
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>
>
>

--
Bjoern A. Zeeb
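The point raised above is that a bind inside a jail should only see and bind jail-visible addresses, the way the normal PCB code runs every address through the prison checks. Below is an added userland model of that filtering (example code written for this reply, not kernel code and not from either poster): `struct jail6`, `jail_check_ip6`, `jail_local_ip6` and `jail_visible_ip6` are constructed names, their behaviour is modelled on my reading of the kernel's prison_check_ip6()/prison_local_ip6() semantics, and all address lists are constructed input.

```c
#include <errno.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Constructed model of a jail's IPv6 address list (the kernel keeps pr_ip6). */
struct jail6 {
    struct in6_addr ips[4];
    int n;              /* addresses in use; 0 = the jail has no IPv6 */
    int restricts_ip6;  /* jail was created with an ip6.addr list */
};

/* Modelled on prison_check_ip6(): 0 if a is the jail's own, else EADDRNOTAVAIL. */
int jail_check_ip6(const struct jail6 *j, const struct in6_addr *a)
{
    if (!j->restricts_ip6)
        return 0;                       /* unrestricted jail: anything goes */
    for (int i = 0; i < j->n; i++)
        if (memcmp(&j->ips[i], a, sizeof(*a)) == 0)
            return 0;
    return EADDRNOTAVAIL;               /* bind() to it should fail with this */
}

/* Modelled on prison_local_ip6() at bind(): no IPv6 means no bind at all,
 * and a single-address jail gets the wildcard rewritten to that address. */
int jail_local_ip6(const struct jail6 *j, struct in6_addr *a)
{
    if (!j->restricts_ip6)
        return 0;
    if (j->n == 0)
        return EAFNOSUPPORT;
    if (IN6_IS_ADDR_UNSPECIFIED(a)) {
        if (j->n == 1)
            *a = j->ips[0];
        return 0;
    }
    return jail_check_ip6(j, a);
}

/* What a wildcard-bound socket inside the jail should enumerate: only the
 * host addresses that pass the jail check, not the whole host list. */
int jail_visible_ip6(const struct jail6 *j, const char **host, int nhost,
                     const char **out)
{
    int k = 0;
    struct in6_addr a;
    for (int i = 0; i < nhost; i++)
        if (inet_pton(AF_INET6, host[i], &a) == 1 && jail_check_ip6(j, &a) == 0)
            out[k++] = host[i];
    return k;
}
```

Comparing what `netstat -anW` shows for the jailed SCTP socket against `jail_visible_ip6()` over the host's address list is the check that would expose the behaviour Bernd reported.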