Date: Mon, 3 Sep 2012 12:21:03 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org, curtis@occnc.com
Subject: Re: IPv6 multicast sent to jail
List-Id: "Discussion about FreeBSD jail\(8\)"

On Sat, 25 Aug 2012, Jamie Gritton wrote:

...

>>>> Curtis
>>>
>>> Offhand, it does sound like a bug. I imagine the solution would be to
>>> reject the join - at least the easy solution to be done first until
>>> something more complicated can be done to make jails play nice with
>>> multicast.
>>>
>>> - Jamie
>>
>>
>> Jamie,
>>
>> Certainly not the preferred solution. Best would be a
>> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
>> and accepting the join and passing in multicast if 1. Same for v4,
>> though not of immediate concern since DHCPv4 doesn't need it.
>>
>> If you (or someone) would like to point me in the right direction, I
>> would be willing to put some time into learning the relevant code and
>> proposing a fix. No promises, but I can put some time into it. Off
>> list if you prefer.
>>
>> Curtis
>
> It'll have to be someone besides me - I don't know enough about
> multicast myself to be able to do more than keep it out of jails.

sysctl sounds bad to me; I think it should actually be grouped by
ip4.* and ip6.*. What do we currently do for raw sockets? Can we have
a third level easily, as in ip4.raw.*, ip6.mc.*, ... which of course
would kill the classic "allow" thing for raw sockets maybe?

/bz

-- 
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.