IPv6 multicast sent to jail

Curtis Villamizar curtis at occnc.com
Sat Aug 25 20:15:34 UTC 2012


In message <503402FE.9080103 at FreeBSD.org>
Jamie Gritton writes:
 
> On 08/19/12 11:35, Curtis Villamizar wrote:
> > I'm trying to run isc-dhcpd using dhcpd -6 in a jail.  No luck.
> >
> > The following code is run in the jail and doesn't fail.
> >
> >          if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers,
> >                        &mreq.ipv6mr_multiaddr) <= 0) {
> >                  log_fatal("inet_pton: unable to convert '%s'",
> >                            All_DHCP_Relay_Agents_and_Servers);
> >          }
> >          mreq.ipv6mr_interface = if_nametoindex(info->name);
> >          if (setsockopt(sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
> >                         &mreq, sizeof(mreq)) < 0) {
> >                  log_fatal("setsockopt: IPV6_JOIN_GROUP: %m");
> >          }
> >
> > where All_DHCP_Relay_Agents_and_Servers is defined as "FF02::1:2".
> >
> > Later dhcpd binds to *.517 which can be seen in netstat -an.
> >
> > Packets to ff02::1:2.517 are seen on the jailer (as opposed to the
> > jailee) using tcpdump, but no packets are received by the jailee.
> >
> > When the same command is run from the jailer using a chroot to the
> > jailee directory, the multicast packets are received.
> >
> > Is there a solution to this other than changing the jail from an
> > implied "ip6=new" with a specific address to "ip6=inherit"?  What I'd
> > really like is a yet to be invented "ip6=new+multicast".
> >
> > Using "ip6=inherit" would be OK, adding very little exposure (mostly
> > DoS attack exposure).  It would be nice if "ip6=inherit" were
> > supported in the rc.d/jail framework.
> >
> > Before I go changing anything I'm asking whether allowing the
> > multicast join and then not passing multicast to the jail is
> > considered a bug and how it should behave (the join should have failed
> > or the packets should have arrived).  If the best workaround for now
> > is "ip6=inherit", would adding jail_<jailname>_ip[46] variables to the
> > rc files be viewed as a good solution (with a comment in
> > /etc/defaults/rc.conf describing the interaction between setting
> > addressing using _ip and _ip_multi and setting _ip4 or _ip6: setting
> > an address for each family forces "ip[46]=new" for that AF)?
> >
> > Curtis
>  
> Offhand, it does sound like a bug. I imagine the solution would be to
> reject the join - at least the easy solution to be done first until
> something more complicated can be done to make jails play nice with
> multicast.
>  
> - Jamie


Jamie,

Certainly not the preferred solution.  Best would be a
jail.allow-ipv6multicast sysctl variable that rejects the join if 0
and accepts the join and passes in multicast if 1.  Same for v4,
though not of immediate concern since DHCPv4 doesn't need it.

If you (or someone) would like to point me in the right direction, I
would be willing to put some time into learning the relevant code and
proposing a fix.  No promises, but I can put some time into it.  Off
list if you prefer.

Curtis
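The symptom in this thread (the IPV6_JOIN_GROUP succeeds, dhcpd binds, yet the
group traffic that tcpdump sees on the jailer never reaches the jailee) is easy
to reproduce without dhcpd.  The probe below is an added example, not code
from the thread or from isc-dhcpd: it binds the wildcard address and joins
ff02::1:2 on a named interface the same way dhcpd does, then distinguishes
"join refused", "join accepted but nothing delivered" and "received".  It
assumes an unprivileged probe port (5470, not the real DHCPv6 port 547), an
interface name such as lo0 on FreeBSD or lo on Linux, and a constructed
payload; the jail.allow-ipv6multicast sysctl proposed above does not exist,
so this only tells you which of the two behaviours a given jail has.

```c
/* mcast6probe.c: added example (not from the thread or isc-dhcpd). Joins a
 * link-scope group and checks whether a datagram is actually delivered.
 * Assumed: probe port 5470 (real DHCPv6 is UDP 547), interface lo0/lo. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <poll.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/if.h>

#define ALL_DHCP_RELAY_AGENTS_AND_SERVERS "ff02::1:2"
#define PROBE_PORT 5470 /* assumed unprivileged test port, not DHCPv6's 547 */

enum probe_result {
    PROBE_RECEIVED = 0,  /* join accepted and a group datagram was delivered */
    PROBE_JOIN_REFUSED,  /* IPV6_JOIN_GROUP failed: multicast refused outright */
    PROBE_JOIN_SILENT,   /* join accepted, nothing delivered: the thread's symptom */
    PROBE_NO_IPV6,       /* bad group, unknown interface, or no AF_INET6 support */
    PROBE_ERROR          /* some other socket error, see errno */
};

/* Parse a group address and insist on link scope (ff02::/16), the scope
 * All_DHCP_Relay_Agents_and_Servers lives in. 0 on success, -1 otherwise. */
static int parse_link_scope_group(const char *group, struct in6_addr *out)
{
    if (inet_pton(AF_INET6, group, out) != 1)
        return -1;
    return (out->s6_addr[0] == 0xff && (out->s6_addr[1] & 0x0f) == 2) ? 0 : -1;
}

/* Bind *:PROBE_PORT and join the group on ifname as dhcpd does, then wait up
 * to timeout_ms for a datagram. With send_self set, a second socket on the
 * same interface sends one probe first (looped back via IPV6_MULTICAST_LOOP);
 * with it clear, send the probe from outside the jail, e.g. from the jailer. */
static enum probe_result probe_multicast(const char *group, const char *ifname,
                                         int send_self, int timeout_ms)
{
    static const char payload[] = "mcast6probe"; /* constructed test payload */
    struct ipv6_mreq mreq;
    memset(&mreq, 0, sizeof mreq);
    if (parse_link_scope_group(group, &mreq.ipv6mr_multiaddr) != 0 ||
        (mreq.ipv6mr_interface = if_nametoindex(ifname)) == 0)
        return PROBE_NO_IPV6;
    int rx = socket(AF_INET6, SOCK_DGRAM, 0), tx = -1, one = 1, hops = 1;
    if (rx < 0)
        return errno == EAFNOSUPPORT ? PROBE_NO_IPV6 : PROBE_ERROR;
    enum probe_result res = PROBE_ERROR;
    setsockopt(rx, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in6 any = { .sin6_family = AF_INET6, .sin6_port = htons(PROBE_PORT) };
    any.sin6_addr = in6addr_any;
    if (bind(rx, (struct sockaddr *)&any, sizeof any) < 0)
        goto out;
    if (setsockopt(rx, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof mreq) < 0) {
        res = PROBE_JOIN_REFUSED; /* the "reject the join" behaviour */
        goto out;
    }
    if (send_self) {
        unsigned int ifidx = mreq.ipv6mr_interface, loop = 1;
        if ((tx = socket(AF_INET6, SOCK_DGRAM, 0)) < 0)
            goto out;
        setsockopt(tx, IPPROTO_IPV6, IPV6_MULTICAST_IF, &ifidx, sizeof ifidx);
        setsockopt(tx, IPPROTO_IPV6, IPV6_MULTICAST_LOOP, &loop, sizeof loop);
        setsockopt(tx, IPPROTO_IPV6, IPV6_MULTICAST_HOPS, &hops, sizeof hops);
        struct sockaddr_in6 dst = { .sin6_family = AF_INET6, .sin6_port = htons(PROBE_PORT),
                                    .sin6_scope_id = ifidx };
        dst.sin6_addr = mreq.ipv6mr_multiaddr;
        if (sendto(tx, payload, sizeof payload, 0, (struct sockaddr *)&dst, sizeof dst) < 0)
            goto out;
    }
    struct pollfd pfd = { .fd = rx, .events = POLLIN };
    int n = poll(&pfd, 1, timeout_ms);
    if (n == 0) { res = PROBE_JOIN_SILENT; goto out; } /* joined, but never delivered */
    if (n < 0) goto out;
    char buf[64];
    ssize_t got = recv(rx, buf, sizeof buf, 0);
    if (got > 0 && (!send_self ||
                    (got == (ssize_t)sizeof payload && memcmp(buf, payload, got) == 0)))
        res = PROBE_RECEIVED;
out:
    if (tx >= 0) close(tx);
    close(rx);
    return res;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "received", "join refused", "join accepted but silent",
                                   "no IPv6 or unknown interface", "error" };
    const char *ifname = argc > 1 ? argv[1] : "lo0";       /* "lo" on Linux */
    int listen_only = argc > 2 && strcmp(argv[2], "listen") == 0;
    enum probe_result r = probe_multicast(ALL_DHCP_RELAY_AGENTS_AND_SERVERS, ifname,
                                          !listen_only, listen_only ? 30000 : 2000);
    printf("%s on %s: %s (errno %d)\n", ALL_DHCP_RELAY_AGENTS_AND_SERVERS, ifname,
           names[r], errno);
    return r == PROBE_RECEIVED ? 0 : 1;
}
```

Run it once inside the jail with the jail's interface (`./mcast6probe em0`) and once
from the jailer chrooted into the jail directory, the comparison made in the
thread; the self-looped probe exercises the same input path as a packet from
the wire, so "join accepted but silent" in the jail and "received" in the chroot
is the bug being discussed.  For the wire case proper, start `./mcast6probe em0
listen` in the jail and send a UDP datagram to ff02::1:2%em0 port 5470 from
another host on the link.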

