Date: Wed, 05 Sep 2012 15:14:39 -0400
From: Curtis Villamizar <curtis@occnc.com>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-jail@FreeBSD.org, Jamie Gritton <jamie@FreeBSD.org>, curtis@occnc.com
Subject: Re: IPv6 multicast sent to jail
Message-ID: <201209051914.q85JEdGR058616@gateway2.orleans.occnc.com>
In-Reply-To: Your message of "Mon, 03 Sep 2012 12:21:03 -0000." <alpine.BSF.2.00.1209031219120.76284@ai.fobar.qr>

In message <alpine.BSF.2.00.1209031219120.76284@ai.fobar.qr>
"Bjoern A. Zeeb" writes:
> On Sat, 25 Aug 2012, Jamie Gritton wrote:
> > ...
> >>>> Curtis
> >>>
> >>> Offhand, it does sound like a bug. I imagine the solution would be to
> >>> reject the join - at least the easy solution to be done first until
> >>> something more complicated can be done to make jails play nice with
> >>> multicast.
> >>>
> >>> - Jamie
> >>
> >>
> >> Jamie,
> >>
> >> Certainly not the preferred solution. Best would be a
> >> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
> >> and accepting the join and passing in multicast if 1. Same for v4,
> >> though not of immediate concern since DHCPv4 doesn't need it.
> >>
> >> If you (or someone) would like to point me in the right direction, I
> >> would be willing to put some time into learning the relevant code and
> >> proposing a fix. No promises, but I can put some time into it. Off
> >> list if you prefer.
> >>
> >> Curtis
> >
> > It'll have to be someone besides me - I don't know enough about
> > multicast myself to be able to do more than keep it out of jails.
>
> sysctl sounds bad to me; I think it should actually be grouped by
> ip4.* and ip6.*. What do we currently do for raw sockets? Can we
> have a third level easily, as in ip4.raw.*, ip6.mc.*, ... which of
> course would kill the classic "allow" thing for raw sockets maybe?
>
> /bz

For raw sockets the sysctl variable is:

  security.jail.allow_raw_sockets

One sysctl variable for both inet and inet6 AF.

Perhaps a reasonable name would be:

  security.jail.ip4.allow_multicast
  security.jail.ip6.allow_multicast

Just to be clear, I was hoping to get some help if I were to make an
attempt to allow ipv6 multicast through, though I suspect that the
code would be very similar for ipv4.

Curtis

> --
> Bjoern A. Zeeb You have to have visions!
> Stop bit received. Insert coin for new address family.