Date:      Sun, 6 Apr 2014 21:46:33 +0200
From:      Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, Bernd Walter <ticso@cicely7.cicely.de>, ticso@cicely.de
Subject:   Re: SCTP binds to IPs outside of jail
Message-ID:  <D963B78D-8EAF-4FE1-8367-627574D83EF0@lurchi.franken.de>
In-Reply-To: <798F4E1E-693B-4B94-847D-2A2106A47C0A@lists.zabbadoz.net>
References:  <20140405210246.GB58138@cicely7.cicely.de> <7D1ABA78-D48D-48B7-9CE7-152BD59DB1B0@lurchi.franken.de> <77B6DEC1-D7E8-446E-A057-A692379D9EFB@lists.zabbadoz.net> <CA6B7EC4-B96B-4295-9F8C-3067DC2A972A@lurchi.franken.de> <798F4E1E-693B-4B94-847D-2A2106A47C0A@lists.zabbadoz.net>

On 06 Apr 2014, at 20:44, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:

>
> On 06 Apr 2014, at 16:42 , Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
>
>> On 06 Apr 2014, at 17:05, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:
>>
>>>
>>> On 06 Apr 2014, at 11:42 , Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
>>>
>>>> On 05 Apr 2014, at 23:02, Bernd Walter <ticso@cicely7.cicely.de> wrote:
>>>>
>>>>> So far I've tested this on FreeBSD-9.2 BETA2 r254053M only.
>>>>> The modifications are to allow IPv6 multicast support within a jail,
>>>>> which only makes a difference for multicast addresses, and some multicast
>>>>> loopback checksum bugs - both changes are open PRs.
>>>>>
>>>>> I've created an AF_INET6 SCTP one-to-many socket to receive incoming
>>>>> messages.
>>>>> The process was started within a jail.
>>>>> Now netstat -anW lists all host IPv6 IPs, not just those of the jail.
>>>>> Also not sure why this AF_INET6 socket is shown as sctp46.
>>>> This should be handled as a v6-only socket by the SCTP stack, depending on
>>>> your setting of the net.inet6.ip6.v6only sysctl variable.
>>>> However, netstat has no information about this and cannot distinguish
>>>> between sctp6 and sctp46, so it always reports sctp46. You can file
>>>> a PR about this.
>>>>
>>>> The questions about the addresses and the jails: The SCTP code has
>>>> no jail-specific code. If you bind a socket to the wildcard address
>>>> (which is what you get by not binding at all), the SCTP stack lists
>>>> all addresses it knows about. I'm not sure what would happen if
>>>> you send a packet to an address not owned by the jail.
>>>> You might want to file a separate PR about the support of jails.
>>>
>>> Aehm, the SCTP code was filtering addresses at one point and made sure only jail-visible addresses were seen or bound, very much like normal PCB handling.  If this is not the case (anymore), SCTP shall not be allowed inside jails again.
>> Can you point me to the "normal PCB handling"? Maybe I'm just overlooking something…
>
> I guess what helps you more is looking for prison_* calls in the SCTP stack (and equally in in*_pcb*, tcp_*, udp_*).
Thanks for the hint.

Best regards
Michael
>
>>>> Best regards
>>>> Michael
>>>>>
>>>>> This is the relevant C++ code part to open the socket:
>>>>> #include <sys/types.h>
>>>>> #include <sys/socket.h>
>>>>> #include <netinet/in.h>
>>>>> #include <netinet/sctp.h>
>>>>> #include <stdint.h>
>>>>> #include <strings.h>
>>>>>
>>>>> int
>>>>> setup_sctp_socket(uint16_t port)
>>>>> {
>>>>>    int sc = socket(AF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP);
>>>>>    {
>>>>>            // reuse address (socket options are int-sized, not long)
>>>>>            int val = 1;
>>>>>            setsockopt(sc, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val));
>>>>>            // XXX error handling
>>>>>    }
>>>>>    {
>>>>>            // no delay (SCTP_* options live at level IPPROTO_SCTP, not SOL_SOCKET)
>>>>>            int val = 1;
>>>>>            setsockopt(sc, IPPROTO_SCTP, SCTP_NODELAY, &val, sizeof(val));
>>>>>            // XXX error handling
>>>>>    }
>>>>>    {
>>>>>            // eeor mode (last write needs MSG_EOR to declare end of message)
>>>>>            // Linux has MSG_MORE negative send flag
>>>>>            int val = 1;
>>>>>            setsockopt(sc, IPPROTO_SCTP, SCTP_EXPLICIT_EOR, &val, sizeof(val));
>>>>>            // XXX error handling
>>>>>    }
>>>>> #if 0
>>>>>    {
>>>>>            struct sctp_initmsg init;
>>>>>            bzero(&init, sizeof(init));
>>>>>            init.sinit_num_ostreams = HDB_STREAMS;
>>>>>            init.sinit_max_instreams = HDB_STREAMS;
>>>>>            // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>>>>            setsockopt(sc, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg));
>>>>>            // XXX error handling
>>>>>    }
>>>>> #endif
>>>>>    {
>>>>>            // bind to the IPv6 wildcard address (zeroed sin6_addr) and the given port
>>>>>            struct sockaddr_in6 addr;
>>>>>            bzero(&addr, sizeof(addr));
>>>>>            addr.sin6_len         = sizeof(addr);
>>>>>            addr.sin6_family      = AF_INET6;
>>>>>            addr.sin6_port        = htons(port);
>>>>>            // pass the sockaddr_in6 length, not sizeof(struct sockaddr_in)
>>>>>            bind(sc, (struct sockaddr *)&addr, sizeof(addr));
>>>>>            // XXX error handling
>>>>>    }
>>>>>    {
>>>>>            // enable heartbeats at 1000ms
>>>>>            struct sctp_paddrparams paddr_params;
>>>>>            bzero(&paddr_params, sizeof(paddr_params));
>>>>>            paddr_params.spp_address.ss_family = AF_INET6;
>>>>>            paddr_params.spp_flags = SPP_HB_ENABLE;
>>>>>            paddr_params.spp_hbinterval = 1000;
>>>>>            // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>>>>            setsockopt(sc, IPPROTO_SCTP, SCTP_PEER_ADDR_PARAMS, &paddr_params, sizeof(paddr_params));
>>>>>            // XXX error handling
>>>>>    }
>>>>>    {
>>>>>            struct sctp_event_subscribe events;
>>>>>            bzero(&events, sizeof(events));
>>>>>
>>>>>            events.sctp_data_io_event = 1; // we need io_events to know where the message came from
>>>>>
>>>>>            // subscribe to other events as well for testing
>>>>>            events.sctp_association_event = 1;
>>>>>            events.sctp_address_event = 1;
>>>>>            events.sctp_send_failure_event = 1;
>>>>>            events.sctp_peer_error_event = 1;
>>>>>            events.sctp_shutdown_event = 1;
>>>>>            events.sctp_partial_delivery_event = 1;
>>>>>            events.sctp_adaptation_layer_event = 1;
>>>>>            events.sctp_authentication_event = 1;
>>>>>            events.sctp_sender_dry_event = 1;
>>>>>            events.sctp_stream_reset_event = 1;
>>>>>
>>>>>            setsockopt(sc, IPPROTO_SCTP, SCTP_EVENTS, &events, sizeof(events));
>>>>>            // XXX error handling
>>>>>    }
>>>>>    {
>>>>>            // setup send and receive buffers (default on FreeBSD 9.x)
>>>>>            int val;
>>>>>            val = 1864135;
>>>>>            setsockopt(sc, SOL_SOCKET, SO_RCVBUF, &val, sizeof(val));
>>>>>            // XXX error handling
>>>>>            val = 1864135;
>>>>>            setsockopt(sc, SOL_SOCKET, SO_SNDBUF, &val, sizeof(val));
>>>>>            // XXX error handling
>>>>>    }
>>>>>    listen(sc, 1); // listen is required to allow incoming associations, but no listen queue
>>>>>    // XXX error handling
>>>>>
>>>>>    return sc;
>>>>> }
>>>>>
>>>>> --
>>>>> B.Walter <bernd@bwct.de> http://www.bwct.de
>>>>> Modbus/TCP Ethernet I/O modules, ARM-based FreeBSD computers and much more.
>>>>> _______________________________________________
>>>>> freebsd-net@freebsd.org mailing list
>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D963B78D-8EAF-4FE1-8367-627574D83EF0>