SCTP binds to IPs outside of jail
Michael Tuexen
Michael.Tuexen at lurchi.franken.de
Sun Apr 6 19:46:39 UTC 2014
On 06 Apr 2014, at 20:44, Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net> wrote:
>
> On 06 Apr 2014, at 16:42 , Michael Tuexen <Michael.Tuexen at lurchi.franken.de> wrote:
>
>> On 06 Apr 2014, at 17:05, Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net> wrote:
>>
>>>
>>> On 06 Apr 2014, at 11:42 , Michael Tuexen <Michael.Tuexen at lurchi.franken.de> wrote:
>>>
>>>> On 05 Apr 2014, at 23:02, Bernd Walter <ticso at cicely7.cicely.de> wrote:
>>>>
>>>>> So far I've tested this on FreeBSD-9.2 BETA2 r254053M only.
>>>>> The modifications are to allow IPv6 multicast support within a jail,
>>>>> which only makes a difference for multicast addresses, and some multicast
>>>>> loopback checksum bugs - both changes are open PRs.
>>>>>
>>>>> I've created an AF_INET6 SCTP one to many socket to receive incoming
>>>>> messages.
>>>>> The process was started within a jail.
>>>>> Now netstat -anW lists all host IPv6 IPs, not just those of the jail.
>>>>> Also not sure why this AF_INET6 socket is shown as sctp46.
>>>> This should be handled as a v6-only socket by the SCTP stack, depending on
>>>> your setting of the net.inet6.ip6.v6only sysctl variable.
>>>> However, netstat has no information about this and cannot distinguish
>>>> between sctp6 and sctp46, so it always reports sctp46. You can file
>>>> a PR about this.
>>>>
>>>> The question about the addresses and the jails: The SCTP code has
>>>> no jail-specific code. If you bind a socket to the wildcard address
>>>> (which is what you do by not binding at all), the SCTP stack lists
>>>> all addresses it knows about. I'm not sure what would happen if
>>>> you send a packet to an address not owned by the jail.
>>>> You might want to file a separate PR about the support of jails.
>>>
>>> Aehm, the SCTP code was filtering addresses at one point and made sure only jail-visible addresses were seen or bound, very much like normal PCB handling. If this is not the case (anymore), SCTP shall not be allowed inside jails again.
>> Can you point me to the "normal PCB handling"? Maybe I'm just overlooking something…
>
> I guess what helps you more is looking for prison_* calls in the SCTP stack (and equally in in*_pcb*, tcp_*, udp_*).
Thanks for the hint.
Best regards
Michael
>
>
>
>>>> Best regards
>>>> Michael
>>>>>
>>>>> This is the relevant C++ code part to open the socket:
>>>>> #include <sys/types.h>
>>>>> #include <sys/socket.h>
>>>>> #include <netinet/in.h>
>>>>> #include <netinet/sctp.h>
>>>>> #include <strings.h>
>>>>> #include <stdint.h>
>>>>> #include <unistd.h>
>>>>>
>>>>> int
>>>>> setup_sctp_socket(uint16_t port)
>>>>> {
>>>>>     // one-to-many (UDP-style) SCTP socket, IPv6 family
>>>>>     int sc = socket(AF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP);
>>>>>     if (sc < 0)
>>>>>         return -1;
>>>>>     {
>>>>>         // reuse address
>>>>>         int val = 1;
>>>>>         setsockopt(sc, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val));
>>>>>         // XXX error handling
>>>>>     }
>>>>>     {
>>>>>         // no delay (SCTP_NODELAY is an IPPROTO_SCTP level option, not SOL_SOCKET)
>>>>>         int val = 1;
>>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_NODELAY, &val, sizeof(val));
>>>>>         // XXX error handling
>>>>>     }
>>>>>     {
>>>>>         // eeor mode (last write needs MSG_EOR to declare end of message)
>>>>>         // Linux has MSG_MORE negative send flag
>>>>>         // (SCTP_EXPLICIT_EOR is also an IPPROTO_SCTP level option)
>>>>>         int val = 1;
>>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_EXPLICIT_EOR, &val, sizeof(val));
>>>>>         // XXX error handling
>>>>>     }
>>>>> #if 0
>>>>>     {
>>>>>         struct sctp_initmsg init;
>>>>>         bzero(&init, sizeof(init));
>>>>>         init.sinit_num_ostreams = HDB_STREAMS;
>>>>>         init.sinit_max_instreams = HDB_STREAMS;
>>>>>         // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg));
>>>>>         // XXX error handling
>>>>>     }
>>>>> #endif
>>>>>     {
>>>>>         // bind to the IPv6 wildcard address (in6addr_any after bzero);
>>>>>         // the SCTP stack then lists every address it knows about
>>>>>         struct sockaddr_in6 addr;
>>>>>         bzero(&addr, sizeof(addr));
>>>>>         addr.sin6_len = sizeof(addr);
>>>>>         addr.sin6_family = AF_INET6;
>>>>>         addr.sin6_port = htons(port);
>>>>>         // the length passed must be that of sockaddr_in6, not sockaddr_in
>>>>>         if (bind(sc, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
>>>>>             close(sc);
>>>>>             return -1;
>>>>>         }
>>>>>     }
>>>>>     {
>>>>>         // enable heartbeats at 1000ms (endpoint default: no address, assoc id 0)
>>>>>         struct sctp_paddrparams paddr_params;
>>>>>         bzero(&paddr_params, sizeof(paddr_params));
>>>>>         paddr_params.spp_address.ss_family = AF_INET6;
>>>>>         paddr_params.spp_flags = SPP_HB_ENABLE;
>>>>>         paddr_params.spp_hbinterval = 1000;
>>>>>         // SOL_SCTP instead of IPPROTO_SCTP on Linux
>>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_PEER_ADDR_PARAMS, &paddr_params, sizeof(paddr_params));
>>>>>         // XXX error handling
>>>>>     }
>>>>>     {
>>>>>         struct sctp_event_subscribe events;
>>>>>         bzero(&events, sizeof(events));
>>>>>
>>>>>         events.sctp_data_io_event = 1; // we need io_events to know where the message came from
>>>>>
>>>>>         // subscribe to other events as well for testing
>>>>>         events.sctp_association_event = 1;
>>>>>         events.sctp_address_event = 1;
>>>>>         events.sctp_send_failure_event = 1;
>>>>>         events.sctp_peer_error_event = 1;
>>>>>         events.sctp_shutdown_event = 1;
>>>>>         events.sctp_partial_delivery_event = 1;
>>>>>         events.sctp_adaptation_layer_event = 1;
>>>>>         events.sctp_authentication_event = 1;
>>>>>         events.sctp_sender_dry_event = 1;
>>>>>         events.sctp_stream_reset_event = 1;
>>>>>
>>>>>         setsockopt(sc, IPPROTO_SCTP, SCTP_EVENTS, &events, sizeof(events));
>>>>>         // XXX error handling
>>>>>     }
>>>>>     {
>>>>>         // setup send and receive buffers (default on FreeBSD 9.x);
>>>>>         // SO_RCVBUF/SO_SNDBUF take an int, not a long
>>>>>         int val;
>>>>>         val = 1864135;
>>>>>         setsockopt(sc, SOL_SOCKET, SO_RCVBUF, &val, sizeof(val));
>>>>>         // XXX error handling
>>>>>         val = 1864135;
>>>>>         setsockopt(sc, SOL_SOCKET, SO_SNDBUF, &val, sizeof(val));
>>>>>         // XXX error handling
>>>>>     }
>>>>>     // listen is required to allow incoming associations, but no listen queue
>>>>>     if (listen(sc, 1) < 0) {
>>>>>         close(sc);
>>>>>         return -1;
>>>>>     }
>>>>>
>>>>>     return sc;
>>>>> }
>>>>>
>>>>> --
>>>>> B.Walter <bernd at bwct.de> http://www.bwct.de
>>>>> Modbus/TCP Ethernet I/O modules, ARM-based FreeBSD computers and more.
>>>>> _______________________________________________
>>>>> freebsd-net at freebsd.org mailing list
>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>>>>
>>>>
>>>
>>> --
>>> Bjoern A. Zeeb
>>>
>>>
>>
>
> --
> Bjoern A. Zeeb
>
>
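The check a jail administrator would want after reading this thread, added here as an example that is not part of the original mails: compare the local addresses a wildcard-bound SCTP endpoint reports (the local-address column of `netstat -anW -p sctp`, or whatever the stack returns) against the jail's configured IPv6 addresses (`jls -j <jail> ip6.addr`) and flag every address the jail should not see. Both inputs are constructed samples so the script runs offline; on a real host substitute the command output.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports addresses an SCTP endpoint
# lists that are outside the jail's allowed address set.

# Constructed sample: the jail's ip6.addr list as `jls -j <jail> ip6.addr`
# would print it (space-separated).
JAIL_IP6="2001:db8:1::10 fe80::1%em0"

# Constructed sample: local addresses the SCTP stack listed for the
# wildcard-bound endpoint, i.e. every address the host knows about.
SOCKET_ADDRS="2001:db8:1::10
2001:db8:2::20
fe80::1%em0
::1"

# leaked_addrs JAIL_LIST SOCKET_LIST
# Prints each socket address that is not in the jail's set, one per line,
# and returns 1 if any were found, 0 if the endpoint stays inside the jail.
leaked_addrs() {
    # normalise case so 2001:DB8::1 and 2001:db8::1 compare equal
    jail_set=$(printf '%s\n' $1 | tr '[:upper:]' '[:lower:]' | sort -u)
    found=0
    for a in $2; do
        addr=$(printf '%s' "$a" | tr '[:upper:]' '[:lower:]')
        # fixed-string, whole-line match: '::' and '%em0' are literal here
        if ! printf '%s\n' "$jail_set" | grep -qxF -- "$addr"; then
            echo "$addr"
            found=1
        fi
    done
    return $found
}

# Stand-alone run over the constructed samples: expect the two addresses
# that the jail does not own, and a non-zero exit status.
leaked_addrs "$JAIL_IP6" "$SOCKET_ADDRS"
```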