SCTP binds to IPs outside of jail
Michael Tuexen
Michael.Tuexen at lurchi.franken.de
Sun Apr 6 17:04:54 UTC 2014
On 06 Apr 2014, at 17:05, Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net> wrote:
>
> On 06 Apr 2014, at 11:42 , Michael Tuexen <Michael.Tuexen at lurchi.franken.de> wrote:
>
>> On 05 Apr 2014, at 23:02, Bernd Walter <ticso at cicely7.cicely.de> wrote:
>>
>>> So far I've tested this on FreeBSD-9.2 BETA2 r254053M only.
>>> The modifications are to allow IPv6 multicast support within jail
>>> which only makes a difference for multicast addresses and some multicast
>>> loopback checksum bugs - both changes are open PR.
>>>
>>> I've created an AF_INET6 SCTP one to many socket to receive incoming
>>> messages.
>>> The process was started within a jail.
>>> Now netstat -anW lists all host IPv6 IPs, not just those of the jail.
>>> Also not sure why this AF_INET6 socket is shown as sctp46.
>> This should be handled as a v6 only socket depending on your
>> setting of net.inet6.ip6.v6only sysctl variable by the SCTP stack.
>> However, netstat has no information about this and can not distinguish
>> between sctp6 and sctp46, so it reports sctp46 always. You can file
>> a PR about this.
>>
>> The questions about the addresses and the jails: The SCTP code has
>> no jail specific code. If you bind a socket to the wildcard address
>> (which is what to do by not binding at all), the SCTP stack lists
>> all addresses it know about. I'm not sure what would happen, if
>> you send a packet to an address not owned by the jail.
>> You might want to file a separate PR about the support of jails.
>
> Aehm, the SCTP code was filtering addresses at one point and made sure only jail-visible addresses were seen or bound very much like normal PCB handling. If this is not the case (anymore) SCTP shall not be allowed inside jails again.
Are you referring to prison_local_ip4() and prison_local_ip6() calls?
These are used while explicit binding. However, I don't think we
do the corresponding filtering when sending INIT-/INIT-ACKs or
export the list of address via the sysctl interface used by netstat.
I guess this needs to be added, right?
Best regards
Michael
>
>
>
>
>>
>> Best regards
>> Michael
>>>
>>> This is the relevant C++ code part to open the socket:
>>> int
>>> setup_sctp_socket(uint16_t port)
>>> {
>>> int sc = socket(AF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP);
>>> {
>>> // reuse address
>>> long val = 1;
>>> setsockopt(sc, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val));
>>> // XXX error handling
>>> }
>>> {
>>> // no delay
>>> long val = 1;
>>> setsockopt(sc, SOL_SOCKET, SCTP_NODELAY, &val, sizeof(val));
>>> // XXX error handling
>>> }
>>> {
>>> // eeor mode (last write needs MSG_EOR to declare end of message)
>>> // Linux has MSG_MORE negative send flag
>>> long val = 1;
>>> setsockopt(sc, SOL_SOCKET, SCTP_EXPLICIT_EOR, &val, sizeof(val));
>>> // XXX error handling
>>> }
>>> #if 0
>>> {
>>> struct sctp_initmsg init;
>>> bzero(&init, sizeof(init));
>>> init.sinit_num_ostreams = HDB_STREAMS;
>>> init.sinit_max_instreams = HDB_STREAMS;
>>> // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>> setsockopt(sc, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg));
>>> // XXX error handling
>>> }
>>> #endif
>>> {
>>> struct sockaddr_in6 addr;
>>> bzero(&addr, sizeof(addr));
>>> addr.sin6_len = sizeof(addr);
>>> addr.sin6_family = AF_INET6;
>>> addr.sin6_port = htons(port);
>>> bind(sc, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));
>>> // XXX error handling
>>> }
>>> {
>>> // enable heartbeats at 1000ms
>>> struct sctp_paddrparams paddr_params;
>>> bzero(&paddr_params, sizeof(paddr_params));
>>> paddr_params.spp_address.ss_family = AF_INET6;
>>> paddr_params.spp_flags = SPP_HB_ENABLE;
>>> paddr_params.spp_hbinterval = 1000;
>>> // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>> setsockopt(sc, IPPROTO_SCTP, SCTP_PEER_ADDR_PARAMS, &paddr_params, sizeof(paddr_params));
>>> // XXX error handling
>>> }
>>> {
>>> struct sctp_event_subscribe events;
>>> bzero(&events, sizeof(events));
>>>
>>> events.sctp_data_io_event = 1; // we need io_events to know where the message came from
>>>
>>> // subscribe to other events as well for testing
>>> events.sctp_association_event = 1;
>>> events.sctp_address_event = 1;
>>> events.sctp_send_failure_event = 1;
>>> events.sctp_peer_error_event = 1;
>>> events.sctp_shutdown_event = 1;
>>> events.sctp_partial_delivery_event = 1;
>>> events.sctp_adaptation_layer_event = 1;
>>> events.sctp_authentication_event = 1;
>>> events.sctp_sender_dry_event = 1;
>>> events.sctp_stream_reset_event = 1;
>>>
>>> setsockopt(sc, IPPROTO_SCTP, SCTP_EVENTS, &events, sizeof(events));
>>> // XXX error handling
>>> }
>>> {
>>> // setup send and receive buffers (default on FreeBSD 9.x)
>>> long val;
>>> val = 1864135;
>>> setsockopt(sc, SOL_SOCKET, SO_RCVBUF, &val, sizeof(val));
>>> // XXX error handling
>>> val = 1864135;
>>> setsockopt(sc, SOL_SOCKET, SO_SNDBUF, &val, sizeof(val));
>>> // XXX error handling
>>> }
>>> listen (sc, 1); // listen is required to allow incoming associations, but no listen queue
>>> // XXX error handling
>>>
>>> return sc;
>>> }
>>>
>>> --
>>> B.Walter <bernd at bwct.de> http://www.bwct.de
>>> Modbus/TCP Ethernet I/O Baugruppen, ARM basierte FreeBSD Rechner uvm.
>>> _______________________________________________
>>> freebsd-net at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>>
>>
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
> —
> Bjoern A. Zeeb ????????? ??? ??????? ??????:
> '??? ??? ???? ?????? ??????? ?? ?? ??????? ??????? ??? ????? ????? ????
> ?????? ?? ????? ????', ????????? ?????????, "??? ????? ?? ?????", ?.???
>
>
More information about the freebsd-net
mailing list