On 08/25/12 14:15, Curtis Villamizar wrote:
In message <503402fe.9080...@freebsd.org>
Jamie Gritton writes:

On 08/19/12 11:35, Curtis Villamizar wrote:
I'm trying to run isc-dhcpd using dhcpd -6 in a jail.  No luck.

The following code is run in the jail and doesn't fail.

          /* Build the multicast request: group FF02::1:2 on the interface
             named in info->name, then ask the kernel to join it. */
          if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
                        &mreq.ipv6mr_multiaddr) <= 0) {
                  log_fatal("inet_pton: unable to convert '%s'",
                            All_DHCP_Relay_Agents_and_Servers);
          }
          mreq.ipv6mr_interface = if_nametoindex(info->name);
          if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
                         &mreq, sizeof(mreq)) < 0) {
                  log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
          }

where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".

Later dhcpd binds to *.517 which can be seen in netstat -an.

Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
jailee) using tcpdump, but no packets are received by the jailee.

When the same command is run from the jailer using a chroot to the jailee
directory, the multicast packets are received.

Is there a solution to this other than changing the jail from an
implied "ip6=new" with a specific address to "ip6=inherit"?  What I'd
really like is a yet to be invented "ip6=new+multicast".

Using "ip6=inherit" would be OK, adding very little exposure (mostly
DoS attack exposure).  It would be nice if "ip6=inherit" were
supported in the rc.d/jail framework.

Before I go changing anything I'm asking whether allowing the
multicast join and then not passing multicast to the jail is
considered a bug and how it should behave (the join should have failed
or the packets should have arrived).  If the best workaround for now
is "ip6=inherit", would adding jail_<jailname>_ip[46] variables to the
rc files be viewed as a good solution (with a comment in
/etc/defaults/rc.conf indicating the interaction between setting
addressing using _ip and _ip_multi and setting _ip4 or _ip6 (setting
an address for each family forces "ip[46]=new" for that AF))?

Curtis
Offhand, it does sound like a bug. I imagine the solution would be to
reject the join - at least the easy solution to be done first until
something more complicated can be done to make jails play nice with
multicast.

- Jamie

Jamie,

Certainly not the preferred solution.  Best would be a
jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
and accepting the join and passing in multicast if 1.  Same for v4,
though not of immediate concern since DHCPv4 doesn't need it.

If you (or someone) would like to point me in the right direction, I
would be willing to put some time into learning the relevant code and
proposing a fix.  No promises, but I can put some time into it.  Off
list if you prefer.

Curtis
It'll have to be someone besides me - I don't know enough about
multicast myself to be able to do more than keep it out of jails.

- Jamie
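A small probe, added here as an example (it is neither ISC dhcpd code nor from this thread), that does what the quoted dhcpd code does: it joins FF02::1:2 on one interface, binds a UDP port and waits for a datagram, so the behaviour Curtis describes (join accepted, nothing delivered) can be checked from inside a jail and compared with a chroot on the jailer. The interface name, port and timeout are assumptions taken from the command line.

```c
/* jail_mcast_probe.c: added example, not part of ISC dhcpd or this thread. */
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

#define DHCPV6_GROUP "ff02::1:2"   /* All_DHCP_Relay_Agents_and_Servers */

/* Parse a group address and require link-local multicast. Returns 0 on success. */
int parse_group(const char *text, struct in6_addr *out)
{
    struct in6_addr tmp;
    if (out == NULL)
        out = &tmp;
    if (inet_pton(AF_INET6, text, out) != 1)
        return -1;
    return IN6_IS_ADDR_MC_LINKLOCAL(out) ? 0 : -1;
}

/* Join DHCPV6_GROUP on ifname, as dhcpd does. Returns 0, or -1 with errno set. */
int join_group(int sock, const char *ifname)
{
    struct ipv6_mreq mreq;
    memset(&mreq, 0, sizeof mreq);
    if (parse_group(DHCPV6_GROUP, &mreq.ipv6mr_multiaddr) != 0)
        return -1;
    mreq.ipv6mr_interface = if_nametoindex(ifname);
    if (mreq.ipv6mr_interface == 0)   /* unknown interface name */
        return -1;
    return setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof mreq);
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "em0";       /* assumed default */
    int port = argc > 2 ? atoi(argv[2]) : 547;             /* IANA DHCPv6 server port */
    struct timeval tv = { .tv_sec = argc > 3 ? atoi(argv[3]) : 10 };
    struct sockaddr_in6 sin6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    char buf[1500];
    int sock = socket(AF_INET6, SOCK_DGRAM, 0);
    if (sock < 0 || bind(sock, (struct sockaddr *)&sin6, sizeof sin6) < 0) { perror("bind"); return 1; }
    if (join_group(sock, ifname) < 0) { perror("IPV6_JOIN_GROUP"); return 1; }
    setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);   /* bound the wait */
    ssize_t n = recv(sock, buf, sizeof buf, 0);
    printf("join ok; %s\n", n < 0 ? "no datagram before timeout" : "datagram received");
    return n < 0 ? 2 : 0;
}
```

Run it in the jail and in the chroot with the same interface: a "join ok" followed by "no datagram before timeout" in the jail while tcpdump on the jailer shows traffic to ff02::1:2 reproduces the report.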
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail