From: Jamie Gritton <jamie@FreeBSD.org>
Date: Fri, 07 Sep 2012 09:04:35 -0600
To: freebsd-jail@FreeBSD.org
Cc: "Bjoern A. Zeeb", Curtis Villamizar
Subject: Re: IPv6 multicast sent to jail
Message-ID: <504A0D03.7040700@FreeBSD.org>
List: freebsd-jail (Discussion about FreeBSD jail(8))

On 09/05/12 16:51, Bjoern A. Zeeb wrote:
> On Wed, 5 Sep 2012, Curtis Villamizar wrote:
>
>> In message
>> "Bjoern A. Zeeb" writes:
>>
>>> On Sat, 25 Aug 2012, Jamie Gritton wrote:
>>>
>>> ...
>>>>>>> Curtis
>>>>>>
>>>>>> Offhand, it does sound like a bug. I imagine the solution would be to
>>>>>> reject the join - at least the easy solution to be done first until
>>>>>> something more complicated can be done to make jails play nice with
>>>>>> multicast.
>>>>>>
>>>>>> - Jamie
>>>>>
>>>>> Jamie,
>>>>>
>>>>> Certainly not the preferred solution. Best would be a
>>>>> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
>>>>> and accepting the join and passing in multicast if 1. Same for v4,
>>>>> though not of immediate concern since DHCPv4 doesn't need it.
>>>>>
>>>>> If you (or someone) would like to point me in the right direction, I
>>>>> would be willing to put some time into learning the relevant code and
>>>>> proposing a fix. No promises, but I can put some time into it. Off
>>>>> list if you prefer.
>>>>>
>>>>> Curtis
>>>>
>>>> It'll have to be someone besides me - I don't know enough about
>>>> multicast myself to be able to do more than keep it out of jails.
>>>
>>> sysctl sounds bad to me; I think it should actually be grouped by
>>> ip4.* and ip6.*. What do we currently do for raw sockets? Can we
>>> have a third level easily, as in ip4.raw.*, ip6.mc.*, ... which of
>>> course would kill the classic "allow" thing for raw sockets maybe?
>>>
>>> /bz
>>
>> For raw sockets the sysctl variable is:
>>
>> security.jail.allow_raw_sockets
>>
>> One sysctl variable for both inet and inet6 AF. Perhaps a reasonable
>> name would be:
>>
>> security.jail.ip4.allow_multicast
>> security.jail.ip6.allow_multicast
>>
>> Just to be clear, I was hoping to get some help if I were to make an
>> attempt to allow ipv6 multicast through, though I suspect that the
>> code would be very similar for ipv4.
>
> The sysctls are mostly not relevant anymore but yes, if we can get
> these options we can look at the code. Defaults to off.
> I might be able to help on the v6 trailing end. Jamie could you
> prepare the jail options changes for us?

Here's a patch that adds flags for multicast, with the parameters
ip4.multicast and ip6.multicast. They default to false, and don't have
any associated sysctls (which I'd like to phase out). This needs work on
my end, as far as making sure permissions are handled correctly for jail
hierarchies, but is enough for starting the work on the multicast side
of things. The check you'll want to make is prison_flag(cred, PR_IP4_MCAST).

- Jamie

Attachment: mcast.diff (text/plain)

Index: sys/sys/jail.h =================================================================== --- sys/sys/jail.h (revision 240198) +++ sys/sys/jail.h (working copy)
@@ -207,6 +207,8 @@ /* primary jail address. */ #define PR_IP6_SADDRSEL 0x00000100 /* Do IPv6 src addr sel. or use the */ /* primary jail address. */ +#define PR_IP4_MCAST 0x00000200 /* Allow IPv4 multicast */ +#define PR_IP6_MCAST 0x00000400 /* Allow IPv6 multicast */ /* Internal flag bits */ #define PR_REMOVE 0x01000000 /* In process of being removed */ Index: sys/kern/kern_jail.c =================================================================== --- sys/kern/kern_jail.c (revision 240198) +++ sys/kern/kern_jail.c (working copy) @@ -84,14 +84,17 @@ #ifdef INET #ifdef INET6 #define _PR_IP_SADDRSEL PR_IP4_SADDRSEL|PR_IP6_SADDRSEL +#define _PR_IP_MCAST PR_IP4_MCAST|PR_IP6_MCAST #else #define _PR_IP_SADDRSEL PR_IP4_SADDRSEL +#define _PR_IP_MCAST PR_IP4_MCAST #endif #else /* !INET */ #ifdef INET6 #define _PR_IP_SADDRSEL PR_IP6_SADDRSEL +#define _PR_IP_MCAST PR_IP6_MCAST #else -#define _PR_IP_SADDRSEL 0 +#define _PR_IP_MCAST 0 #endif #endif @@ -108,9 +111,9 @@ .pr_hostuuid = DEFAULT_HOSTUUID, .pr_children = LIST_HEAD_INITIALIZER(prison0.pr_children), #ifdef VIMAGE - .pr_flags = PR_HOST|PR_VNET|_PR_IP_SADDRSEL, + .pr_flags = PR_HOST|PR_VNET|_PR_IP_SADDRSEL|_PR_IP_MCAST, #else - .pr_flags = PR_HOST|_PR_IP_SADDRSEL, + .pr_flags = PR_HOST|_PR_IP_SADDRSEL|_PR_IP_MCAST, #endif .pr_allow = PR_ALLOW_ALL, }; @@ -158,9 +161,11 @@ [0] = "persist", #ifdef INET [7] = "ip4.saddrsel", + [9] = "ip4.multicast", #endif #ifdef INET6 [8] = "ip6.saddrsel", + [10] = "ip6.multicast", #endif }; const size_t pr_flag_names_size = sizeof(pr_flag_names); @@ -169,9 +174,11 @@ [0] = "nopersist", #ifdef INET [7] = "ip4.nosaddrsel", + [9] = "ip4.nomulticast", #endif #ifdef INET6 [8] = "ip6.nosaddrsel", + [10] = "ip6.nomulticast", #endif }; const size_t pr_flag_nonames_size = sizeof(pr_flag_nonames); 
@@ -232,6 +239,7 @@ static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM; #if defined(INET) || defined(INET6) static unsigned jail_max_af_ips = 255; +static unsigned jail_default_ip = JAIL_DEFAULT_ALLOW; #endif #ifdef INET @@ -4341,6 +4349,8 @@ SYSCTL_JAIL_PARAM(_ip4, saddrsel, CTLTYPE_INT | CTLFLAG_RW, "B", "Do (not) use IPv4 source address selection rather than the " "primary jail IPv4 address."); +SYSCTL_JAIL_PARAM(_ip4, multicast, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may use IPv4 multicast addresses"); #endif #ifdef INET6 SYSCTL_JAIL_PARAM_SYS_NODE(ip6, CTLFLAG_RDTUN, @@ -4350,6 +4360,8 @@ SYSCTL_JAIL_PARAM(_ip6, saddrsel, CTLTYPE_INT | CTLFLAG_RW, "B", "Do (not) use IPv6 source address selection rather than the " "primary jail IPv6 address."); +SYSCTL_JAIL_PARAM(_ip6, multicast, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may use IPv6 multicast addresses"); #endif SYSCTL_JAIL_PARAM_NODE(allow, "Jail permission flags"); --------------060102050303020403000502--
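Review bot: the sys/sys/jail.h hunk introduces two flag bits that become user-visible jail parameters (ip4.multicast and ip6.multicast through the name tables in the kern_jail.c hunks), but the patch touches only jail.h and kern_jail.c and nothing documents them; add both parameters, and the default-off behaviour the cover note promises, to the jail(8) manual page in the same change.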
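Review bot: the @@ -84,14 +84,17 @@ hunk of kern_jail.c has a logic error in its last branch (kernel built with neither INET nor INET6): the line `-#define _PR_IP_SADDRSEL 0` is removed and `+#define _PR_IP_MCAST 0` put in its place, so _PR_IP_SADDRSEL is no longer defined there while the prison0 initializer in the @@ -108 hunk still uses it. Every other branch of the #ifdef ladder adds the _PR_IP_MCAST line next to the existing _PR_IP_SADDRSEL line; this branch should do the same and keep `#define _PR_IP_SADDRSEL 0` alongside `#define _PR_IP_MCAST 0`.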
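Review bot: the @@ -108,9 +111,9 @@ hunk adds _PR_IP_MCAST to prison0's pr_flags in both the VIMAGE and non-VIMAGE initializers, so the host side is unrestricted, yet the cover note says the parameters default to false for jails and no visible hunk shows where a newly created jail's pr_flags are set or how a child's multicast bit is checked against its parent's. The cover note itself lists hierarchy handling as unfinished; before the multicast code starts relying on prison_flag(cred, PR_IP4_MCAST), either add that parent-versus-child check here or state explicitly in the commit message that it is a follow-up.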
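Review bot: the @@ -232,6 +239,7 @@ hunk adds `static unsigned jail_default_ip = JAIL_DEFAULT_ALLOW;` but no other line in the patch reads or writes it, and its name and initializer do not obviously relate to the PR_IP4_MCAST/PR_IP6_MCAST bits the rest of the change is about. An unused file-scope static is likely to trip the kernel's warnings-as-errors build; either remove it or wire it into wherever the multicast default is meant to be applied.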
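Review bot: in the @@ -4341,6 +4349,8 @@ hunk the description for the new "B" parameter, "Jail may use IPv4 multicast addresses", does not follow the "Do (not) ..." wording of the neighbouring ip4.saddrsel entry, although the name tables add a negated form ip4.nomulticast; "Jail may (not) use IPv4 multicast addresses" would describe both spellings. The @@ -4350,6 +4360,8 @@ hunk has the same wording for ip6.multicast and should be adjusted the same way.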
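The check Jamie describes, prison_flag(cred, PR_IP4_MCAST) applied when a socket joins a multicast group, and the parent/child permission question he says still needs work, as an added user-space model that is not part of the patch or of FreeBSD: struct prison and struct ucred are stand-ins for the kernel's, and prison_check_mcast_join() and prison_set_mcast_flags() are hypothetical names; only the flag values and the prison_flag() shape come from the patch and sys/jail.h.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/socket.h>

/* Flag values from the mcast.diff hunk for sys/sys/jail.h. */
#define PR_IP4_MCAST 0x00000200 /* Allow IPv4 multicast */
#define PR_IP6_MCAST 0x00000400 /* Allow IPv6 multicast */

/* Stand-ins for the kernel structures (example only). */
struct prison {
	struct prison *pr_parent; /* NULL for prison0 */
	unsigned       pr_flags;
};
struct ucred {
	struct prison *cr_prison;
};

/* Same shape as the kernel macro in sys/jail.h. */
#define prison_flag(cr, flag) ((cr)->cr_prison->pr_flags & (flag))

/*
 * Policy check for a multicast group join (hypothetical name).
 * Returns 0 when the caller's jail may join, EPERM when the flag for
 * that address family is off, EAFNOSUPPORT for other families.
 */
int
prison_check_mcast_join(const struct ucred *cred, int af)
{
	unsigned need;

	switch (af) {
	case AF_INET:  need = PR_IP4_MCAST; break;
	case AF_INET6: need = PR_IP6_MCAST; break;
	default:       return (EAFNOSUPPORT);
	}
	return (prison_flag(cred, need) ? 0 : EPERM);
}

/*
 * Hierarchy rule (an assumption modelled on the cover note, not the
 * patch): a child jail may only turn on a multicast flag that its
 * parent already has. Returns 0 on success or EPERM.
 */
int
prison_set_mcast_flags(struct prison *pr, unsigned flags)
{
	unsigned mcast = flags & (PR_IP4_MCAST | PR_IP6_MCAST);

	if (pr->pr_parent != NULL && (mcast & ~pr->pr_parent->pr_flags) != 0)
		return (EPERM);
	pr->pr_flags = (pr->pr_flags & ~(PR_IP4_MCAST | PR_IP6_MCAST)) | mcast;
	return (0);
}
```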