SCTP binds to IPs outside of jail

Michael Tuexen Michael.Tuexen at lurchi.franken.de
Sun Apr 6 19:46:39 UTC 2014 

On 06 Apr 2014, at 20:44, Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net> wrote:

> 
> On 06 Apr 2014, at 16:42 , Michael Tuexen <Michael.Tuexen at lurchi.franken.de> wrote:
> 
>> On 06 Apr 2014, at 17:05, Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net> wrote:
>> 
>>> 
>>> On 06 Apr 2014, at 11:42 , Michael Tuexen <Michael.Tuexen at lurchi.franken.de> wrote:
>>> 
>>>> On 05 Apr 2014, at 23:02, Bernd Walter <ticso at cicely7.cicely.de> wrote:
>>>> 
>>>>> So far I've tested this on FreeBSD-9.2 BETA2 r254053M only.
>>>>> The modifications are to allow IPv6 multicast support within jail
>>>>> which only makes a difference for multicast addresses and some multicast
>>>>> loopback checksum bugs - both changes are open PR.
>>>>> 
>>>>> I've created an AF_INET6 SCTP one to many socket to receive incoming
>>>>> messages.
>>>>> The process was started within a jail.
>>>>> Now netstat -anW lists all host IPv6 IPs, not just those of the jail.
>>>>> Also not sure why this AF_INET6 socket is shown as sctp46.
>>>> This should be handled as a v6 only socket depending on your
>>>> setting of net.inet6.ip6.v6only sysctl variable by the SCTP stack.
>>>> However, netstat has no information about this and can not distinguish
>>>> between sctp6 and sctp46, so it reports sctp46 always. You can file
>>>> a PR about this.
>>>> 
>>>> The questions about the addresses and the jails: The SCTP code has
>>>> no jail specific code. If you bind a socket to the wildcard address
>>>> (which is what to do by not binding at all), the SCTP stack lists
>>>> all addresses it know about. I'm not sure what would happen, if
>>>> you send a packet to an address not owned by the jail.
>>>> You might want to file a separate PR about the support of jails.
>>> 
>>> Aehm, the SCTP code was filtering addresses at one point and made sure only jail-visible addresses were seen or bound very much like normal PCB handling.  If this is not the case (anymore) SCTP shall not be allowed inside jails again. 
>> Can you point me to the "normal PCB handling"? Maybe I'm just overlooking something…
> 
> I guess what helps you more is looking for prison_* calls in the SCTP stack (and equally in in*_pcb*, tcp_*, udp_*).
Thanks for the hint.

Best regards
Michael
> 
> 
> 
>>>> Best regards
>>>> Michael
>>>>> 
>>>>> This is the relevant C++ code part to open the socket:
>>>>> int
>>>>> setup_sctp_socket(uint16_t port)
>>>>> {
>>>>>    int sc = socket(AF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP);
>>>>>    {
>>>>>            // reuse address
>>>>>            long val = 1;
>>>>>            setsockopt(sc, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val));
>>>>>            // XXX error handling
>>>>>    }
>>>>>    {
>>>>>            // no delay
>>>>>            long val = 1;
>>>>>            setsockopt(sc, SOL_SOCKET, SCTP_NODELAY, &val, sizeof(val));
>>>>>            // XXX error handling
>>>>>    }
>>>>>    {
>>>>>            // eeor mode (last write needs MSG_EOR to declare end of message)
>>>>>            // Linux has MSG_MORE negative send flag
>>>>>            long val = 1;
>>>>>            setsockopt(sc, SOL_SOCKET, SCTP_EXPLICIT_EOR, &val, sizeof(val));
>>>>>            // XXX error handling
>>>>>    }
>>>>> #if 0
>>>>>    {
>>>>>            struct sctp_initmsg init;
>>>>>            bzero(&init, sizeof(init));
>>>>>            init.sinit_num_ostreams = HDB_STREAMS;
>>>>>            init.sinit_max_instreams = HDB_STREAMS;
>>>>>            // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>>>>            setsockopt(sc, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg));
>>>>>            // XXX error handling
>>>>>    }
>>>>> #endif
>>>>>    {
>>>>>            struct sockaddr_in6 addr;
>>>>>            bzero(&addr, sizeof(addr));
>>>>>            addr.sin6_len         = sizeof(addr);
>>>>>            addr.sin6_family      = AF_INET6;
>>>>>            addr.sin6_port        = htons(port);
>>>>>            bind(sc, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));
>>>>>            // XXX error handling
>>>>>    }
>>>>>    {
>>>>>            // enable heartbeats at 1000ms
>>>>>            struct sctp_paddrparams paddr_params;
>>>>>            bzero(&paddr_params, sizeof(paddr_params));
>>>>>            paddr_params.spp_address.ss_family = AF_INET6;
>>>>>            paddr_params.spp_flags = SPP_HB_ENABLE;
>>>>>            paddr_params.spp_hbinterval = 1000;
>>>>>            // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>>>>            setsockopt(sc, IPPROTO_SCTP, SCTP_PEER_ADDR_PARAMS, &paddr_params, sizeof(paddr_params)); 
>>>>>            // XXX error handling
>>>>>    }
>>>>>    {
>>>>>            struct sctp_event_subscribe events;
>>>>>            bzero(&events, sizeof(events));
>>>>> 
>>>>>            events.sctp_data_io_event = 1; // we need io_events to know where the message came from
>>>>> 
>>>>>            // subscribe to other events as well for testing
>>>>>            events.sctp_association_event = 1;
>>>>>            events.sctp_address_event = 1;
>>>>>            events.sctp_send_failure_event = 1;
>>>>>            events.sctp_peer_error_event = 1;
>>>>>            events.sctp_shutdown_event = 1;
>>>>>            events.sctp_partial_delivery_event = 1;
>>>>>            events.sctp_adaptation_layer_event = 1;
>>>>>            events.sctp_authentication_event = 1;
>>>>>            events.sctp_sender_dry_event = 1;
>>>>>            events.sctp_stream_reset_event = 1;
>>>>> 
>>>>>            setsockopt(sc, IPPROTO_SCTP, SCTP_EVENTS, &events, sizeof(events));
>>>>>            // XXX error handling
>>>>>    }
>>>>>    {
>>>>>            // setup send and receive buffers (default on FreeBSD 9.x)
>>>>>            long val;
>>>>>            val = 1864135;
>>>>>            setsockopt(sc, SOL_SOCKET, SO_RCVBUF, &val, sizeof(val));
>>>>>            // XXX error handling
>>>>>            val = 1864135;
>>>>>            setsockopt(sc, SOL_SOCKET, SO_SNDBUF, &val, sizeof(val));
>>>>>            // XXX error handling
>>>>>    }
>>>>>    listen (sc, 1); // listen is required to allow incoming associations, but no listen queue
>>>>>    // XXX error handling
>>>>> 
>>>>>    return sc;
>>>>> }
>>>>> 
>>>>> -- 
>>>>> B.Walter <bernd at bwct.de> http://www.bwct.de
>>>>> Modbus/TCP Ethernet I/O Baugruppen, ARM basierte FreeBSD Rechner uvm.
>>>>> _______________________________________________
>>>>> freebsd-net at freebsd.org mailing list
>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> freebsd-net at freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>> 
>>>>>> Bjoern A. Zeeb                             ????????? ??? ??????? ??????:
>>> '??? ??? ???? ??????  ??????? ?? ?? ??????? ??????? ??? ????? ????? ????
>>> ?????? ?? ????? ????',  ????????? ?????????, "??? ????? ?? ?????", ?.???
>>> 
>>> 
>> 
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
> 
>> Bjoern A. Zeeb                             ????????? ??? ??????? ??????:
> '??? ??? ???? ??????  ??????? ?? ?? ??????? ??????? ??? ????? ????? ????
> ?????? ?? ????? ????',  ????????? ?????????, "??? ????? ?? ?????", ?.???
> 
>

More information about the freebsd-net mailing list