From: "Mars G. Miro"
Date: Mon, 20 Aug 2012 19:24:06 +0800
To: curtis@occnc.com
Cc: freebsd-jail@freebsd.org
Subject: Re: IPv6 multicast sent to jail
In-Reply-To: <201208191735.q7JHZDti072004@gateway2.orleans.occnc.com>

On 08/20/12 01:35, Curtis Villamizar wrote:
> I'm trying to run isc-dhcpd using dhcpd -6 in a jail. No luck.
>
> The following code is run in the jail and doesn't fail.
>
>     if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
>                   &mreq.ipv6mr_multiaddr) <= 0) {
>         log_fatal("inet_pton: unable to convert '%s'",
>                   All_DHCP_Relay_Agents_and_Servers);
>     }
>     mreq.ipv6mr_interface = if_nametoindex(info->name);
>     if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
>                    &mreq, sizeof(mreq)) < 0) {
>         log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
>     }
>
> where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".
>
> Later dhcpd binds to *.517 which can be seen in netstat -an.
>
> Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
> jailee) using tcpdump, but no packets are received by the jailee.
>
> When the same command is run from the jailer using a chroot to the
> jailee directory, the multicast packets are received.

Probably because there is no bpf in a default jail? Try making bpf
visible in the jail via devfs.

> Is there a solution to this other than changing the jail from an
> implied "ip6=new" with a specific address to "ip6=inherit". What I'd
> really like is a yet to be invented "ip6=new+multicast".
>
> Using "ip6=inherit" would be OK, adding very little exposure (mostly
> DoS attack exposure). It would be nice if "ip6=inherit" were
> supported in the rc.d/jail framework.
>
> Before I go changing anything I'm asking whether allowing the
> multicast join and then not passing multicast to the jail is
> considered a bug and how it should behave (the join should have failed
> or the packets should have arrived). If the best workaround for now
> is "ip6=inherit" would adding jail__ip[46] variables to the
> rc files be viewed as a good solution (with a comment in
> /etc/defaults/rc.conf indicating that the interaction between setting
> addressing using _ip and _ip_multi and setting _ip4 or _ip6 (setting
> an address for each family forces "ip[46]=net" for that AF.
>
> Curtis
>
> btw- not subscribed to freebsd-jail so please leave me on the Cc.

-- 
When I was crossing the border into Canada, they asked if I had any
firearms with me. I said, "Well, what do you need?" -- Steven Wright
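As an added example (not code from this thread and not ISC dhcpd's own code), the following small C probe does the same two steps the quoted dhcpd fragment does, bind to the wildcard address and IPV6_JOIN_GROUP on FF02::1:2, but returns the errno of whichever step fails and then waits for one datagram. Running the same binary once inside the jail and once on the host separates the three outcomes Curtis asks about: the join is refused, the join succeeds but nothing is delivered, or packets arrive. It assumes only the standard socket API; the interface name comes from argv, and it listens on UDP 547, the IANA DHCPv6 server/relay port (the quoted message says 517). The scope check is written out by hand on the address bytes rather than relying on the IN6_IS_ADDR_MC_LINKLOCAL macro, which is an assumption about portability, not something the thread discusses.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

/* All_DHCP_Relay_Agents_and_Servers from the quoted fragment, and the IANA
 * DHCPv6 server/relay port (assumed here; the thread mentions 517). */
#define DHCPV6_SERVER_GROUP "FF02::1:2"
#define DHCPV6_SERVER_PORT  547

/* Fill an ipv6_mreq for `group` on `ifname` (NULL lets the kernel choose).
 * Returns 0, or -1 for an unparsable address or an unknown interface. */
int build_mreq(const char *group, const char *ifname, struct ipv6_mreq *mreq)
{
    memset(mreq, 0, sizeof(*mreq));
    if (inet_pton(AF_INET6, group, &mreq->ipv6mr_multiaddr) != 1)
        return -1;
    if (ifname != NULL) {
        mreq->ipv6mr_interface = if_nametoindex(ifname);
        if (mreq->ipv6mr_interface == 0)
            return -1;
    }
    return 0;
}

/* -1 if `group` is not a valid IPv6 address, 1 if it is link-scope multicast
 * (ff02::/16: never forwarded off the link, so a jail only sees it when it
 * shares that link), 0 for any other address. Checked on the raw bytes:
 * first byte 0xff, low nibble of the second byte 0x2. */
int classify_group(const char *group)
{
    struct ipv6_mreq mreq;
    const unsigned char *b;

    if (build_mreq(group, NULL, &mreq) < 0)
        return -1;
    b = mreq.ipv6mr_multiaddr.s6_addr;
    return (b[0] == 0xff && (b[1] & 0x0f) == 0x02) ? 1 : 0;
}

/* Bind a UDP socket to [::]:port and join `group` on `ifname`. Returns the
 * socket, or -errno of the step that failed, so the jail/host comparison
 * shows whether bind or the join is refused, or both pass silently. */
int open_listener(const char *group, const char *ifname, unsigned short port)
{
    struct ipv6_mreq mreq;
    struct sockaddr_in6 sin6;
    struct timeval tv = { 10, 0 };   /* stop waiting after 10 s of silence */
    int sock, e, one = 1;

    if (build_mreq(group, ifname, &mreq) < 0)
        return -EINVAL;
    sock = socket(AF_INET6, SOCK_DGRAM, 0);
    if (sock < 0)
        return -errno;
    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));

    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    sin6.sin6_port = htons(port);
    sin6.sin6_addr = in6addr_any;
    if (bind(sock, (struct sockaddr *)&sin6, sizeof(sin6)) < 0 ||
        setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) < 0) {
        e = errno;
        close(sock);
        return -e;
    }
    return sock;
}

/* Usage: ./mcastprobe [ifname]  (run once inside the jail, once outside) */
int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : NULL;
    char buf[1500], from_str[INET6_ADDRSTRLEN];
    struct sockaddr_in6 from;
    socklen_t fromlen = sizeof(from);
    ssize_t n;
    int sock = open_listener(DHCPV6_SERVER_GROUP, ifname, DHCPV6_SERVER_PORT);

    if (sock < 0) {
        fprintf(stderr, "bind/join failed: %s\n", strerror(-sock));
        return 1;
    }
    printf("joined %s on %s, listening on port %d\n", DHCPV6_SERVER_GROUP,
           ifname ? ifname : "(default interface)", DHCPV6_SERVER_PORT);
    n = recvfrom(sock, buf, sizeof(buf), 0, (struct sockaddr *)&from, &fromlen);
    if (n < 0) {
        fprintf(stderr, "no datagram received: %s\n", strerror(errno));
        close(sock);
        return 2;
    }
    inet_ntop(AF_INET6, &from.sin6_addr, from_str, sizeof(from_str));
    printf("received %zd bytes from [%s]:%u\n", n, from_str, ntohs(from.sin6_port));
    close(sock);
    return 0;
}
```

Exit status 1 with the errno text means the jail refused the bind or the join; exit status 2 reproduces the symptom in the thread (join accepted, nothing delivered within the timeout); exit status 0 means multicast reaches the socket. Comparing the two runs while tcpdump watches the interface from the host tells you which of the three cases the jail configuration produces before touching ip6= or the rc.d/jail variables.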