IPv6 multicast sent to jail
Curtis Villamizar
curtis at occnc.com
Wed Sep 5 19:14:41 UTC 2012
In message <alpine.BSF.2.00.1209031219120.76284 at ai.fobar.qr>
"Bjoern A. Zeeb" writes:
> On Sat, 25 Aug 2012, Jamie Gritton wrote:
>
> ...
> >>>> Curtis
> >>>
> >>> Offhand, it does sound like a bug. I imagine the solution would be to
> >>> reject the join - at least the easy solution to be done first until
> >>> something more complicated can be done to make jails play nice with
> >>> multicast.
> >>>
> >>> - Jamie
> >>
> >>
> >> Jamie,
> >>
> >> Certainly not the preferred solution. Best would be a
> >> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
> >> and accepting the join and passing in multicast if 1. Same for v4,
> >> though not of immediate concern since DHCPv4 doesn't need it.
> >>
> >> If you (or someone) would like to point me in the right direction, I
> >> would be willing to put some time into learning the relevant code and
> >> proposing a fix. No promises, but I can put some time into it. Off
> >> list if you prefer.
> >>
> >> Curtis
> >
> > It'll have to be someone besides me - I don't know enough about
> > multicast myself to be able to do more than keep it out of jails.
>
> sysctl sounds bad to me; I think it should actually be grouped by
> ip4.* and ip6.*. What do we currently do for raw sockets? Can we
> have a third level easily, as in ip4.raw.*, ip6.mc.*, ... which of
> course would kill the classic "allow" thing for raw sockets maybe?
>
> /bz

For raw sockets the sysctl variable is:

  security.jail.allow_raw_sockets

One sysctl variable for both inet and inet6 AF. Perhaps a reasonable
name would be:

  security.jail.ip4.allow_multicast
  security.jail.ip6.allow_multicast

Just to be clear, I was hoping to get some help if I were to make an
attempt to allow ipv6 multicast through, though I suspect that the
code would be very similar for ipv4.

Curtis

> --
> Bjoern A. Zeeb You have to have visions!
> Stop bit received. Insert coin for new address family.