Re: IPv6 multicast sent to jail

2012-09-05 Thread Curtis Villamizar

In message alpine.bsf.2.00.1209031219120.76...@ai.fobar.qr
Bjoern A. Zeeb writes:
 
 On Sat, 25 Aug 2012, Jamie Gritton wrote:
  
 ...
  Curtis
  
  Offhand, it does sound like a bug. I imagine the solution would be to
  reject the join - at least the easy solution to be done first until
  something more complicated can be done to make jails play nice with
  multicast.
  
  - Jamie
  
  
  Jamie,
  
  Certainly not the preferred solution.  Best would be a
  jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
  and accepting the join and passing in multicast if 1.  Same for v4,
  though not of immediate concern since DHCPv4 doesn't need it.
  
  If you (or someone) would like to point me in the right direction, I
  would be willing to put some time into learning the relevant code and
  proposing a fix.  No promises, but I can put some time into it.  Off
  list if you prefer.
  
  Curtis
 
  It'll have to be someone besides me - I don't know enough about
  multicast myself to be able to do more than keep it out of jails.
  
 sysctl sounds bad to me;  I think it should actually be grouped by
 ip4.* and ip6.*.  What do we currently do for raw sockets?  Can we
 have a third level easily, as in ip4.raw.*, ip6.mc.*, ...  which of
 course would kill the classic allow thing for raw sockets maybe?
  
 /bz

For raw sockets the sysctl variable is:

 security.jail.allow_raw_sockets

One sysctl variable for both inet and inet6 AF.  Perhaps a reasonable
name would be:

  security.jail.ip4.allow_multicast
  security.jail.ip6.allow_multicast

Just to be clear, I was hoping to get some help if I were to make an
attempt to allow ipv6 multicast through, though I suspect that the
code would be very similar for ipv4.

Curtis

 -- 
 Bjoern A. Zeeb You have to have visions!
   Stop bit received. Insert coin for new address family.
___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org


Re: IPv6 multicast sent to jail

2012-09-05 Thread Bjoern A. Zeeb

On Wed, 5 Sep 2012, Curtis Villamizar wrote:



In message alpine.bsf.2.00.1209031219120.76...@ai.fobar.qr
Bjoern A. Zeeb writes:


On Sat, 25 Aug 2012, Jamie Gritton wrote:

...

Curtis


Offhand, it does sound like a bug. I imagine the solution would be to
reject the join - at least the easy solution to be done first until
something more complicated can be done to make jails play nice with
multicast.

- Jamie



Jamie,

Certainly not the preferred solution.  Best would be a
jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
and accepting the join and passing in multicast if 1.  Same for v4,
though not of immediate concern since DHCPv4 doesn't need it.

If you (or someone) would like to point me in the right direction, I
would be willing to put some time into learning the relevant code and
proposing a fix.  No promises, but I can put some time into it.  Off
list if you prefer.

Curtis


It'll have to be someone besides me - I don't know enough about
multicast myself to be able to do more than keep it out of jails.


sysctl sounds bad to me;  I think it should actually be grouped by
ip4.* and ip6.*.  What do we currently do for raw sockets?  Can we
have a third level easily, as in ip4.raw.*, ip6.mc.*, ...  which of
course would kill the classic allow thing for raw sockets maybe?

/bz


For raw sockets the sysctl variable is:

security.jail.allow_raw_sockets

One sysctl variable for both inet and inet6 AF.  Perhaps a reasonable
name would be:

 security.jail.ip4.allow_multicast
 security.jail.ip6.allow_multicast

Just to be clear, I was hoping to get some help if I were to make an
attempt to allow ipv6 multicast through, though I suspect that the
code would be very similar for ipv4.


The sysctls are mostly not relevant anymore but yes, if we can get
these options we can look at the code.  Defaults to off.
I might be able to help on the v6 trailing end.  Jamie, could you
prepare the jail options changes for us?

--
Bjoern A. Zeeb You have to have visions!
 Stop bit received. Insert coin for new address family.