Date: Sun, 6 Apr 2014 18:44:05 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
Cc: FreeBSD Net <freebsd-net@freebsd.org>, Bernd Walter <ticso@cicely7.cicely.de>, ticso@cicely.de
Subject: Re: SCTP binds to IPs outside of jail
Message-ID: <798F4E1E-693B-4B94-847D-2A2106A47C0A@lists.zabbadoz.net>
In-Reply-To: <CA6B7EC4-B96B-4295-9F8C-3067DC2A972A@lurchi.franken.de>
References: <20140405210246.GB58138@cicely7.cicely.de> <7D1ABA78-D48D-48B7-9CE7-152BD59DB1B0@lurchi.franken.de> <77B6DEC1-D7E8-446E-A057-A692379D9EFB@lists.zabbadoz.net> <CA6B7EC4-B96B-4295-9F8C-3067DC2A972A@lurchi.franken.de>
On 06 Apr 2014, at 16:42, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:

> On 06 Apr 2014, at 17:05, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:
>
>> On 06 Apr 2014, at 11:42, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
>>
>>> On 05 Apr 2014, at 23:02, Bernd Walter <ticso@cicely7.cicely.de> wrote:
>>>
>>>> So far I've tested this on FreeBSD-9.2 BETA2 r254053M only.
>>>> The modifications are to allow IPv6 multicast support within jail,
>>>> which only makes a difference for multicast addresses, and some multicast
>>>> loopback checksum bugs - both changes are open PRs.
>>>>
>>>> I've created an AF_INET6 SCTP one-to-many socket to receive incoming
>>>> messages.
>>>> The process was started within a jail.
>>>> Now netstat -anW lists all host IPv6 IPs, not just those of the jail.
>>>> Also not sure why this AF_INET6 socket is shown as sctp46.
>>> This should be handled as a v6-only socket by the SCTP stack, depending on your
>>> setting of the net.inet6.ip6.v6only sysctl variable.
>>> However, netstat has no information about this and cannot distinguish
>>> between sctp6 and sctp46, so it always reports sctp46. You can file
>>> a PR about this.
>>>
>>> The questions about the addresses and the jails: the SCTP code has
>>> no jail-specific code. If you bind a socket to the wildcard address
>>> (which is what you do by not binding at all), the SCTP stack lists
>>> all addresses it knows about. I'm not sure what would happen if
>>> you send a packet to an address not owned by the jail.
>>> You might want to file a separate PR about the support of jails.
>>
>> Aehm, the SCTP code was filtering addresses at one point and made sure only jail-visible addresses were seen or bound, very much like normal PCB handling. If this is not the case (anymore), SCTP shall not be allowed inside jails again.
> Can you point me to the "normal PCB handling"?
> Maybe I'm just overlooking something...

I guess what helps you more is looking for prison_* calls in the SCTP stack (and equally in in*_pcb*, tcp_*, udp_*).

>>> Best regards
>>> Michael
>>>>
>>>> This is the relevant C++ code part to open the socket:
>>>> #include <sys/types.h>
>>>> #include <sys/socket.h>
>>>> #include <netinet/in.h>
>>>> #include <netinet/sctp.h>
>>>> #include <stdint.h>
>>>> #include <strings.h>
>>>>
>>>> int
>>>> setup_sctp_socket(uint16_t port)
>>>> {
>>>>     // one-to-many (SOCK_SEQPACKET) SCTP socket over IPv6
>>>>     int sc = socket(AF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP);
>>>>     {
>>>>         // reuse address; SOL_SOCKET boolean options take an int
>>>>         int val = 1;
>>>>         setsockopt(sc, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val));
>>>>         // XXX error handling
>>>>     }
>>>>     {
>>>>         // no delay; SCTP_* options live at level IPPROTO_SCTP, not SOL_SOCKET
>>>>         int val = 1;
>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_NODELAY, &val, sizeof(val));
>>>>         // XXX error handling
>>>>     }
>>>>     {
>>>>         // explicit EOR mode (last write needs MSG_EOR to declare end of message)
>>>>         // Linux has MSG_MORE negative send flag
>>>>         int val = 1;
>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_EXPLICIT_EOR, &val, sizeof(val));
>>>>         // XXX error handling
>>>>     }
>>>> #if 0
>>>>     {
>>>>         struct sctp_initmsg init;
>>>>         bzero(&init, sizeof(init));
>>>>         init.sinit_num_ostreams = HDB_STREAMS;
>>>>         init.sinit_max_instreams = HDB_STREAMS;
>>>>         // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg));
>>>>         // XXX error handling
>>>>     }
>>>> #endif
>>>>     {
>>>>         // bind the wildcard IPv6 address on the given port
>>>>         struct sockaddr_in6 addr;
>>>>         bzero(&addr, sizeof(addr));
>>>>         addr.sin6_len = sizeof(addr);
>>>>         addr.sin6_family = AF_INET6;
>>>>         addr.sin6_port = htons(port);
>>>>         // the length passed must be that of sockaddr_in6, not sockaddr_in
>>>>         bind(sc, (struct sockaddr *)&addr, sizeof(addr));
>>>>         // XXX error handling
>>>>     }
>>>>     {
>>>>         // enable heartbeats at 1000ms
>>>>         struct sctp_paddrparams paddr_params;
>>>>         bzero(&paddr_params, sizeof(paddr_params));
>>>>         paddr_params.spp_address.ss_family = AF_INET6;
>>>>         paddr_params.spp_flags = SPP_HB_ENABLE;
>>>>         paddr_params.spp_hbinterval = 1000;
>>>>         // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_PEER_ADDR_PARAMS, &paddr_params, sizeof(paddr_params));
>>>>         // XXX error handling
>>>>     }
>>>>     {
>>>>         struct sctp_event_subscribe events;
>>>>         bzero(&events, sizeof(events));
>>>>
>>>>         events.sctp_data_io_event = 1; // we need io_events to know where the message came from
>>>>
>>>>         // subscribe to other events as well for testing
>>>>         events.sctp_association_event = 1;
>>>>         events.sctp_address_event = 1;
>>>>         events.sctp_send_failure_event = 1;
>>>>         events.sctp_peer_error_event = 1;
>>>>         events.sctp_shutdown_event = 1;
>>>>         events.sctp_partial_delivery_event = 1;
>>>>         events.sctp_adaptation_layer_event = 1;
>>>>         events.sctp_authentication_event = 1;
>>>>         events.sctp_sender_dry_event = 1;
>>>>         events.sctp_stream_reset_event = 1;
>>>>
>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_EVENTS, &events, sizeof(events));
>>>>         // XXX error handling
>>>>     }
>>>>     {
>>>>         // setup send and receive buffers (default on FreeBSD 9.x)
>>>>         int val;
>>>>         val = 1864135;
>>>>         setsockopt(sc, SOL_SOCKET, SO_RCVBUF, &val, sizeof(val));
>>>>         // XXX error handling
>>>>         val = 1864135;
>>>>         setsockopt(sc, SOL_SOCKET, SO_SNDBUF, &val, sizeof(val));
>>>>         // XXX error handling
>>>>     }
>>>>     listen(sc, 1); // listen is required to allow incoming associations, but no listen queue
>>>>     // XXX error handling
>>>>
>>>>     return sc;
>>>> }
>>>>
>>>> --
>>>> B.Walter <bernd@bwct.de> http://www.bwct.de
>>>> Modbus/TCP Ethernet I/O modules, ARM-based FreeBSD computers and much more.
>>>> _______________________________________________
>>>> freebsd-net@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>>>
>>>
>>
>> --
>> Bjoern A. Zeeb
>>
>

--
Bjoern A. Zeeb
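A defender-side check for the symptom Bernd reports, added here as an example and not code from the thread: it compares captured `netstat -anW -p sctp` output against the address list the jail is allowed to use and prints every SCTP local address that falls outside it. Assumed: the column layout of the netstat text (proto, local addr.port, foreign addr.port, state), and that on a live system the allowed list comes from `jls -j <jid> ip4.addr ip6.addr`; both inputs are constructed samples here so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Reports SCTP local addresses that a
# jail should not be able to see. On a live system: allowed list from
# `jls -j <jid> ip4.addr ip6.addr`, netstat text from `netstat -anW -p sctp`
# run inside the jail. The netstat column layout is assumed (see lead-in).

# sctp_addrs_outside_jail ALLOWED NETSTAT_TEXT
#   ALLOWED:      whitespace-separated addresses the jail owns
#   NETSTAT_TEXT: captured netstat output
# Prints offending local addresses once each; "*" means still wildcard.
sctp_addrs_outside_jail() {
    printf '%s\n' "$2" | awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, /[ \t\n]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
        }
        $1 ~ /^sctp(4|6|46)$/ {
            local = $2
            sub(/\.[0-9*]+$/, "", local)      # drop ".port" or ".*"
            sub(/%[A-Za-z0-9]+$/, "", local)  # drop IPv6 scope id
            if (!(local in ok) && !seen[local]++) print local
        }'
}

# Constructed sample: the jail owns 2001:db8:1::10 and 192.0.2.10 only,
# but the one-to-many SCTP listener inside it reports every host address.
SAMPLE_ALLOWED='2001:db8:1::10 192.0.2.10'
SAMPLE_NETSTAT='Active SCTP associations (including servers)
Proto  Local Address                Foreign Address   (state)
sctp46 2001:db8:1::10.3333          *.*               LISTEN
sctp46 2001:db8:1::1.3333           *.*               LISTEN
sctp46 fe80::1%em0.3333             *.*               LISTEN
sctp46 192.0.2.10.3333              *.*               LISTEN
tcp6   2001:db8:1::1.22             *.*               LISTEN'

sctp_addrs_outside_jail "$SAMPLE_ALLOWED" "$SAMPLE_NETSTAT"
```

A non-empty result from inside a jail is the condition the thread describes: the endpoint is bound to addresses the jail does not own.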