From owner-freebsd-net@FreeBSD.ORG Sun Apr 6 19:46:39 2014
From: Michael Tuexen
To: "Bjoern A. Zeeb"
Cc: FreeBSD Net, Bernd Walter, ticso@cicely.de
Subject: Re: SCTP binds to IPs outside of jail
Date: Sun, 6 Apr 2014 21:46:33 +0200
In-Reply-To: <798F4E1E-693B-4B94-847D-2A2106A47C0A@lists.zabbadoz.net>
References: <20140405210246.GB58138@cicely7.cicely.de> <7D1ABA78-D48D-48B7-9CE7-152BD59DB1B0@lurchi.franken.de> <77B6DEC1-D7E8-446E-A057-A692379D9EFB@lists.zabbadoz.net> <798F4E1E-693B-4B94-847D-2A2106A47C0A@lists.zabbadoz.net>
List-Id: Networking and TCP/IP with FreeBSD

On 06 Apr 2014, at 20:44, Bjoern A. Zeeb wrote:
>
> On 06 Apr 2014, at 16:42, Michael Tuexen wrote:
>
>> On 06 Apr 2014, at 17:05, Bjoern A. Zeeb wrote:
>>
>>>
>>> On 06 Apr 2014, at 11:42, Michael Tuexen wrote:
>>>
>>>> On 05 Apr 2014, at 23:02, Bernd Walter wrote:
>>>>
>>>>> So far I've tested this on FreeBSD-9.2 BETA2 r254053M only.
>>>>> The modifications are to allow IPv6 multicast support within jail,
>>>>> which only makes a difference for multicast addresses, and some multicast
>>>>> loopback checksum bugs - both changes are open PRs.
>>>>>
>>>>> I've created an AF_INET6 SCTP one-to-many socket to receive incoming
>>>>> messages.
>>>>> The process was started within a jail.
>>>>> Now netstat -anW lists all host IPv6 IPs, not just those of the jail.
>>>>> Also not sure why this AF_INET6 socket is shown as sctp46.
>>>> This should be handled as a v6-only socket by the SCTP stack, depending on your
>>>> setting of the net.inet6.ip6.v6only sysctl variable.
>>>> However, netstat has no information about this and cannot distinguish
>>>> between sctp6 and sctp46, so it reports sctp46 always. You can file
>>>> a PR about this.
>>>>
>>>> The questions about the addresses and the jails: The SCTP code has
>>>> no jail-specific code. If you bind a socket to the wildcard address
>>>> (which is what you do by not binding at all), the SCTP stack lists
>>>> all addresses it knows about. I'm not sure what would happen if
>>>> you send a packet to an address not owned by the jail.
>>>> You might want to file a separate PR about the support of jails.
>>>
>>> Aehm, the SCTP code was filtering addresses at one point and made sure only jail-visible addresses were seen or bound, very much like normal PCB handling. If this is not the case (anymore), SCTP shall not be allowed inside jails again.
>> Can you point me to the "normal PCB handling"? Maybe I'm just overlooking something...
>
> I guess what helps you more is looking for prison_* calls in the SCTP stack (and equally in in*_pcb*, tcp_*, udp_*).
Thanks for the hint.

Best regards
Michael
>
>
>
>>>> Best regards
>>>> Michael
>>>>>
>>>>> This is the relevant C++ code part to open the socket:
>>>>> #include <sys/types.h>
>>>>> #include <sys/socket.h>
>>>>> #include <netinet/in.h>
>>>>> #include <netinet/sctp.h>
>>>>> #include <strings.h>
>>>>> #include <stdint.h>
>>>>>
>>>>> int
>>>>> setup_sctp_socket(uint16_t port)
>>>>> {
>>>>>     // one-to-many (SOCK_SEQPACKET) SCTP endpoint over IPv6
>>>>>     int sc = socket(AF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP);
>>>>>     if (sc < 0)
>>>>>         return -1;
>>>>>     {
>>>>>         // reuse address (socket-level option, int-sized value)
>>>>>         int val = 1;
>>>>>         setsockopt(sc, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val));
>>>>>         // XXX error handling
>>>>>     }
>>>>>     {
>>>>>         // no delay: SCTP_NODELAY is an IPPROTO_SCTP-level option; at
>>>>>         // SOL_SOCKET the kernel would read its number as a socket option
>>>>>         int val = 1;
>>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_NODELAY, &val, sizeof(val));
>>>>>         // XXX error handling
>>>>>     }
>>>>>     {
>>>>>         // eeor mode (last write needs MSG_EOR to declare end of message)
>>>>>         // Linux has MSG_MORE negative send flag
>>>>>         // SCTP_EXPLICIT_EOR is likewise an IPPROTO_SCTP-level option
>>>>>         int val = 1;
>>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_EXPLICIT_EOR, &val, sizeof(val));
>>>>>         // XXX error handling
>>>>>     }
>>>>> #if 0
>>>>>     {
>>>>>         struct sctp_initmsg init;
>>>>>         bzero(&init, sizeof(init));
>>>>>         init.sinit_num_ostreams = HDB_STREAMS;
>>>>>         init.sinit_max_instreams = HDB_STREAMS;
>>>>>         // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg));
>>>>>         // XXX error handling
>>>>>     }
>>>>> #endif
>>>>>     {
>>>>>         struct sockaddr_in6 addr;
>>>>>         bzero(&addr, sizeof(addr));
>>>>>         addr.sin6_len = sizeof(addr);
>>>>>         addr.sin6_family = AF_INET6;
>>>>>         addr.sin6_port = htons(port);
>>>>>         // wildcard bind (sin6_addr left as in6addr_any); the length passed
>>>>>         // must be that of sockaddr_in6, not sockaddr_in
>>>>>         bind(sc, (struct sockaddr *)&addr, sizeof(addr));
>>>>>         // XXX error handling
>>>>>     }
>>>>>     {
>>>>>         // enable heartbeats at 1000ms
>>>>>         struct sctp_paddrparams paddr_params;
>>>>>         bzero(&paddr_params, sizeof(paddr_params));
>>>>>         paddr_params.spp_address.ss_family = AF_INET6;
>>>>>         paddr_params.spp_flags = SPP_HB_ENABLE;
>>>>>         paddr_params.spp_hbinterval = 1000;
>>>>>         // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_PEER_ADDR_PARAMS, &paddr_params, sizeof(paddr_params));
>>>>>         // XXX error handling
>>>>>     }
>>>>>     {
>>>>>         struct sctp_event_subscribe events;
>>>>>         bzero(&events, sizeof(events));
>>>>>
>>>>>         events.sctp_data_io_event = 1; // we need io_events to know where the message came from
>>>>>
>>>>>         // subscribe to other events as well for testing
>>>>>         events.sctp_association_event = 1;
>>>>>         events.sctp_address_event = 1;
>>>>>         events.sctp_send_failure_event = 1;
>>>>>         events.sctp_peer_error_event = 1;
>>>>>         events.sctp_shutdown_event = 1;
>>>>>         events.sctp_partial_delivery_event = 1;
>>>>>         events.sctp_adaptation_layer_event = 1;
>>>>>         events.sctp_authentication_event = 1;
>>>>>         events.sctp_sender_dry_event = 1;
>>>>>         events.sctp_stream_reset_event = 1;
>>>>>
>>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_EVENTS, &events, sizeof(events));
>>>>>         // XXX error handling
>>>>>     }
>>>>>     {
>>>>>         // setup send and receive buffers (default on FreeBSD 9.x)
>>>>>         int val;
>>>>>         val = 1864135;
>>>>>         setsockopt(sc, SOL_SOCKET, SO_RCVBUF, &val, sizeof(val));
>>>>>         // XXX error handling
>>>>>         val = 1864135;
>>>>>         setsockopt(sc, SOL_SOCKET, SO_SNDBUF, &val, sizeof(val));
>>>>>         // XXX error handling
>>>>>     }
>>>>>     listen(sc, 1); // listen is required to allow incoming associations, but no listen queue
>>>>>     // XXX error handling
>>>>>
>>>>>     return sc;
>>>>> }
>>>>>
>>>>> --
>>>>> B.Walter http://www.bwct.de
>>>>> Modbus/TCP Ethernet I/O modules, ARM-based FreeBSD computers and much more.
>>>>> _______________________________________________
>>>>> freebsd-net@freebsd.org mailing list
>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>>>>
>>>>
>>>
>>> --
>>> Bjoern A. Zeeb
>>>
>>>
>>
>
> --
> Bjoern A. Zeeb
>
>
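As an added example (not code from this thread or from FreeBSD), here is a small audit in Python of the condition Bernd reports above: it parses lines shaped like the SCTP section of FreeBSD `netstat -anW` output and lists every advertised local address that the jail does not own. The sample netstat lines and the jail address set are constructed assumptions; on a real system the jail's addresses would come from its configuration (for example `jls`).

```python
"""Check which local addresses a jailed SCTP listener advertises against the
address set the jail is configured with. Everything below is constructed
sample data; the netstat text only imitates the shape of FreeBSD output."""
import ipaddress

# Constructed sample shaped like `netstat -anW` SCTP output (not real output):
# one line per advertised local address, written as ADDRESS.PORT.
NETSTAT_SAMPLE = """\
Active SCTP associations (including servers)
Proto Local Address                         Foreign Address   (state)
sctp46 2001:db8:1::10.5000                  *.*               LISTEN
sctp46 2001:db8:1::20.5000                  *.*               LISTEN
sctp46 fe80::1%em0.5000                     *.*               LISTEN
sctp46 ::1.5000                             *.*               LISTEN
sctp46 2001:db8:2::1.5000                   *.*               LISTEN
"""

# Constructed: the IPv6 addresses this jail is allowed to use.
JAIL_ADDRS = {"2001:db8:1::10", "2001:db8:1::20"}


def parse_sctp_listeners(netstat_text):
    """Yield (proto, address, port) for each sctp* line in LISTEN state.
    FreeBSD prints the endpoint as ADDRESS.PORT; the last '.' separates them."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("sctp"):
            continue
        if fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[1].rpartition(".")
        yield fields[0], addr, int(port)


def normalize(addr):
    """Drop a scope suffix (fe80::1%em0 -> fe80::1) and parse the address.
    Returns None for the wildcard '*'."""
    if addr == "*":
        return None
    return ipaddress.ip_address(addr.split("%", 1)[0])


def addresses_outside_jail(netstat_text, jail_addrs):
    """Sorted list of advertised addresses the jail does not own. Loopback and
    link-local count as leaks unless the jail lists them; a bare wildcard is
    reported as '*' since it means no per-jail filtering happened at all."""
    allowed = {ipaddress.ip_address(a) for a in jail_addrs}
    leaked = set()
    for _proto, addr, _port in parse_sctp_listeners(netstat_text):
        ip = normalize(addr)
        leaked.add("*" if ip is None else None if ip in allowed else str(ip))
    leaked.discard(None)
    return sorted(leaked)
```

An empty result means every address the endpoint advertises belongs to the jail; anything else is the behaviour the thread describes.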