IPv6 multicast sent to jail
Mars G. Miro
spry at anarchy.in.the.ph
Mon Aug 20 11:24:13 UTC 2012
On 08/20/12 01:35, Curtis Villamizar wrote:
> I'm trying to run isc-dhcpd using dhcpd -6 in a jail. No luck.
>
> The following code is run in the jail and doesn't fail.
>
> if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
>               &mreq.ipv6mr_multiaddr) <= 0) {
>         log_fatal("inet_pton: unable to convert '%s'",
>                   All_DHCP_Relay_Agents_and_Servers);
> }
> mreq.ipv6mr_interface = if_nametoindex(info->name);
> if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
>                &mreq, sizeof(mreq)) < 0) {
>         log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
> }
>
> where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".
>
> Later dhcpd binds to *.517 which can be seen in netstat -an.
>
> Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
> jailee) using tcpdump, but no packets are received by the jailee.
>
> When the same command is run from the jailer using a chroot to the jailee
> directory, the multicast packets are received.
>
Probably because there is no bpf in a default jail?
Try making bpf visible in the jail via devfs.
> Is there a solution to this other than changing the jail from an
> implied "ip6=new" with a specific address to "ip6=inherit". What I'd
> really like is a yet to be invented "ip6=new+multicast".
>
> Using "ip6=inherit" would be OK, adding very little exposure (mostly
> DoS attack exposure). It would be nice if "ip6=inherit" were
> supported in the rc.d/jail framework.
>
> Before I go changing anything I'm asking whether allowing the
> multicast join and then not passing multicast to the jail is
> considered a bug and how it should behave (the join should have failed
> or the packets should have arrived). If the best workaround for now
> is "ip6=inherit" would adding jail_<jailname>_ip[46] variables to the
> rc files be viewed as a good solution (with a comment in
> /etc/defaults/rc.conf indicating that the interaction between setting
> addressing using _ip and _ip_multi and setting _ip4 or _ip6 (setting
> an address for each family forces "ip[46]=net" for that AF.
>
> Curtis
>
>
> btw- not subscribed to freebsd-jail so please leave me on the Cc.
> _______________________________________________
> freebsd-jail at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe at freebsd.org"
--
When I was crossing the border into Canada, they asked if
I had any firearms with me. I said, "Well, what do you need?"
-- Steven Wright
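The join from the quoted snippet, written out as an added example with the checks a practitioner would want (constructed for this page; it is not isc-dhcpd or FreeBSD code). The interface name "lo0" and the use of UDP port 547 (the DHCPv6 server/relay port from RFC 3315) are assumptions of the example; the quoted message itself refers to port 517. The point the example adds is that if_nametoindex() returning 0 is treated as an error, because a link-local group must be joined on a specific interface, and that a successful IPV6_JOIN_GROUP only means the kernel accepted the request.

```c
/*
 * Added example (not isc-dhcpd or FreeBSD code): the multicast join from
 * the quoted snippet with explicit error handling. Interface name and
 * port are assumptions chosen for illustration.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Group string exactly as the quoted snippet defines it. */
#define ALL_DHCP_RELAY_AGENTS_AND_SERVERS "FF02::1:2"
/* Assumption for the example: RFC 3315 server/relay port. */
#define DHCPV6_SERVER_PORT 547

/*
 * Parse an IPv6 address and return its multicast scope nibble
 * (ff02 -> 2 link-local, ff05 -> 5 site-local), or -1 if the text
 * is not a valid IPv6 multicast address at all.
 */
int multicast_scope(const char *text)
{
    struct in6_addr addr;
    if (inet_pton(AF_INET6, text, &addr) != 1)
        return -1;
    if (!IN6_IS_ADDR_MULTICAST(&addr))
        return -1;
    return addr.s6_addr[1] & 0x0f;
}

/*
 * Join ff02::1:2 on the named interface. Returns 0 on success, -1 with
 * errno set. Unlike the quoted snippet, an ifindex of 0 (interface not
 * resolvable from this jail) is an error rather than "let the kernel pick".
 */
int join_dhcpv6_group(int sock, const char *ifname)
{
    struct ipv6_mreq mreq;
    memset(&mreq, 0, sizeof mreq);

    if (inet_pton(AF_INET6, ALL_DHCP_RELAY_AGENTS_AND_SERVERS,
                  &mreq.ipv6mr_multiaddr) != 1) {
        errno = EINVAL;
        return -1;
    }
    /* A link-local group is per interface; index 0 is never acceptable. */
    errno = 0;
    mreq.ipv6mr_interface = if_nametoindex(ifname);
    if (mreq.ipv6mr_interface == 0) {
        if (errno == 0)
            errno = ENXIO;
        return -1;
    }
    return setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
                      &mreq, sizeof mreq);
}

/* Open a UDP/IPv6 socket bound to [::]:port; returns the fd or -1. */
int open_dhcpv6_socket(unsigned short port)
{
    struct sockaddr_in6 sin6;
    int sock = socket(AF_INET6, SOCK_DGRAM, 0);
    if (sock < 0)
        return -1;
    memset(&sin6, 0, sizeof sin6);
    sin6.sin6_family = AF_INET6;
    sin6.sin6_port = htons(port);
    sin6.sin6_addr = in6addr_any;
    if (bind(sock, (struct sockaddr *)&sin6, sizeof sin6) < 0) {
        close(sock);
        return -1;
    }
    return sock;
}

int main(int argc, char **argv)
{
    /* Interface is an assumption; pass the jail's interface name. */
    const char *ifname = argc > 1 ? argv[1] : "lo0";
    int sock = open_dhcpv6_socket(DHCPV6_SERVER_PORT);
    if (sock < 0) {
        perror("socket/bind");
        return 1;
    }
    if (join_dhcpv6_group(sock, ifname) < 0) {
        perror("IPV6_JOIN_GROUP");
        close(sock);
        return 1;
    }
    /* The kernel accepted the join; as the thread observes, that does
     * not by itself prove the jail will see the group's traffic. */
    printf("joined %s on %s (ifindex %u)\n",
           ALL_DHCP_RELAY_AGENTS_AND_SERVERS, ifname,
           if_nametoindex(ifname));
    close(sock);
    return 0;
}
```

Run it inside the jail and compare with tcpdump on the host: a zero exit status confirms only that the join was accepted, which is exactly the situation the original poster describes. If the bpf route suggested in the reply is tried, the usual mechanism is a ruleset in /etc/devfs.rules containing `add path 'bpf*' unhide`, selected for the jail with jail_<jailname>_devfs_ruleset in rc.conf.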