Jails can't get routing info

David Thiel lx at redundancy.redundancy.org
Wed May 2 17:27:19 UTC 2012


On Tue, May 01, 2012 at 09:01:09PM +0000, Bjoern A. Zeeb wrote:
> > So, I've been trying to debug an issue running nmap scans within jails, 
> > partially documented here:
> > 
> > http://seclists.org/nmap-dev/2012/q2/220
> > 
> > On further debugging, it's seeming like jails can't read routing 
> > information directly at all:
> > 
> > # route get 69.163.203.254
> > route: writing to routing socket: No such process
> > 
> > Now, this is normally done via reading the routing table via something like 
> > socket(PF_ROUTE, SOCK_RAW, AF_INET), so one would suspect that this is a 
> > problem with raw sockets; but raw sockets are enabled within the jail. 
> > netstat is able to read routing information just fine, but I don't think 
> > it's doing it via the socket() call.
> 
> hmm, sure you don't have /dev/mem in the jail? netstat -rn I think is still
> using libkvm *sigh* and not the sysctl API.

Actually I do - in desperation I put a "add path '*' unhide" in the 
devfs.rules. Now that I think of it, that is what makes netstat work. 
But, I still don't understand why "route get" doesn't work, given that 
the very existence of the "security.jail.socket_unixiproute_only" sysctl 
implies that by default, you should be able to open routing sockets in a 
jail (presuming raw sockets are enabled, which they are).

> > Anyone know why this behavior might be happening?
> 
> Without thinking too much (as in if I got the right case) I think you are
> hitting this one:
> 
> http://svnweb.freebsd.org/base/head/sys/net/rtsock.c?annotate=234572#l792

Hmm, that seems to relate to pulling via sysctl, which the "route" 
command doesn't do. It sounds useful for fixing netstat, though.

Thanks,
David
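The thread pins the failure on the routing socket itself: route(8) opens socket(PF_ROUTE, SOCK_RAW, AF_INET), writes an RTM_GET request and reads the kernel's reply, while netstat reads kernel memory through libkvm. The probe below, an added example that is not part of this thread or of FreeBSD's route(8), reproduces those three steps one at a time and reports which one fails and with which errno, so a jail administrator can tell a refused socket from a rejected RTM_GET (ESRCH is the errno behind the "No such process" text quoted above) without involving nmap. It assumes a FreeBSD host (the routing socket structures are BSD-specific; on other systems it validates the address and then reports ENOSYS), and the default destination is the one used in the thread.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <net/if.h>
#include <net/route.h>
#endif

/* Human-readable hint for the errno reported by a failed step. */
const char *rt_errno_hint(int err)
{
    switch (err) {
    case EINVAL:  return "destination address did not parse (step 0)";
    case ENOSYS:  return "no BSD routing socket support in this build (step 0)";
    case ESRCH:   return "No such process: the errno behind the route(8) message quoted above";
    case EPERM:
    case EACCES:  return "permission denied on the routing socket";
    case EPROTONOSUPPORT:
    case EAFNOSUPPORT: return "routing socket family/protocol not available to this process";
    default:      return strerror(err);
    }
}

#define PROBE_SEQ 1  /* sequence number used to match the kernel's reply */

/*
 * Step 1: socket(PF_ROUTE, SOCK_RAW, AF_INET)
 * Step 2: write an RTM_GET request for dst_ip
 * Step 3: read the reply matching our pid and sequence number
 * Returns 0 on success, -1 on failure with *step and *err set.
 */
int probe_route(const char *dst_ip, int *step, int *err)
{
    struct in_addr addr;
    *step = 0;
    *err = 0;
    if (inet_pton(AF_INET, dst_ip, &addr) != 1) {
        *err = EINVAL;
        return -1;
    }
#ifdef __FreeBSD__
    struct { struct rt_msghdr hdr; struct sockaddr_in dst; } req;
    union { struct rt_msghdr hdr; char raw[2048]; } reply;  /* aligned receive buffer */
    pid_t pid = getpid();
    int s = socket(PF_ROUTE, SOCK_RAW, AF_INET);
    if (s < 0) { *step = 1; *err = errno; return -1; }

    memset(&req, 0, sizeof req);
    req.hdr.rtm_msglen  = sizeof req;
    req.hdr.rtm_version = RTM_VERSION;
    req.hdr.rtm_type    = RTM_GET;
    req.hdr.rtm_addrs   = RTA_DST;          /* only a destination is supplied */
    req.hdr.rtm_seq     = PROBE_SEQ;
    req.hdr.rtm_pid     = pid;
    req.dst.sin_len     = sizeof req.dst;
    req.dst.sin_family  = AF_INET;
    req.dst.sin_addr    = addr;
    if (write(s, &req, sizeof req) != (ssize_t)sizeof req) {
        *step = 2; *err = errno; close(s); return -1;
    }
    for (;;) {  /* other processes' routing messages may arrive first; skip them */
        ssize_t n = read(s, &reply, sizeof reply);
        if (n < 0) { *step = 3; *err = errno; close(s); return -1; }
        if (n >= (ssize_t)sizeof reply.hdr &&
            reply.hdr.rtm_seq == PROBE_SEQ && reply.hdr.rtm_pid == pid)
            break;
    }
    close(s);
    if (reply.hdr.rtm_errno != 0) { *step = 3; *err = reply.hdr.rtm_errno; return -1; }
    printf("route to %s: interface index %u, flags 0x%x, addrs 0x%x\n",
           dst_ip, reply.hdr.rtm_index, reply.hdr.rtm_flags, reply.hdr.rtm_addrs);
    return 0;
#else
    *err = ENOSYS;  /* routing sockets are a BSD interface */
    return -1;
#endif
}

int main(int argc, char **argv)
{
    const char *dst = argc > 1 ? argv[1] : "69.163.203.254";  /* address from the thread */
    int step, err;
    if (probe_route(dst, &step, &err) == 0)
        return 0;
    fprintf(stderr, "step %d failed: %s (%s)\n", step, strerror(err), rt_errno_hint(err));
    return 1;
}
```

Run it once on the host and once inside the jail with the same destination: a step 1 failure means the jail cannot open routing sockets at all, while a step 2 or 3 failure with ESRCH matches the route(8) output in the thread and shows that the socket itself was allowed but the RTM_GET was not answered with a route.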
