Hi,
I wasn't able to use multicast for some application server load
balancer, and it didn't work inside a vserver, despite apparently having
every related capability like NET_ADMIN, NET_RAW, NET_BROADCAST,
NET_BIND_SERVICE.
I tried to make a simple multicast application work:
udpcast, http://udpcast.linux.lu/
It didn't work either.
First because it attempted to bind to the broadcast address of the
vserver interface, i.e. 192.168.0.255, it failed with: -EADDRNOTAVAIL.
Then because it attempted to bind to a multicast address, which resulted
in the same error. (I saw it when I patched enough to pass the first error.)
I patched the /usr/src/linux/net/ipv4/af_inet.c from 2.6.14-vs2.01.
I think that without the patch in a vserver I'm only allowed to bind to:
0.0.0.0, the loopback address, vserver own addresses and "v4_bcast"
which seems to always be 255.255.255.255, whatever value is in
/etc/vserver/<vserver_name>/bcast.
With the patch I can also bind to 192.168.0.255 and multicast addresses.
And perhaps even more addresses as I don't fully know what
inet_addr_type() returning RTN_BROADCAST implies.
Now udpcast works (receiving and sending data), even if I give no
capabilities at all to the vserver.
I'm wondering if I'm too permissive. Do we need some more checks? Or
even a new ccapability ?
I'll try the load balancing software as soon as I find the time to
reinstall it.
At least this patch could help people who need multicast where security
isn't that much of a concern.
Regards, Luc.
--- linux-2.6.14.3-vs2.0.1/net/ipv4/af_inet.c.orig 2006-04-14 15:33:09.000000000 +0200
+++ linux-2.6.14.3-vs2.0.1/net/ipv4/af_inet.c 2006-04-14 13:59:41.000000000 +0200
@@ -427,6 +427,9 @@
sk, sk->sk_nx_info, sk->sk_socket,
(sk->sk_socket?sk->sk_socket->flags:0),
VXD_QUAD(s_addr));
+
+ chk_addr_ret = inet_addr_type(s_addr);
+
if (nxi) {
__u32 v4_bcast = nxi->v4_bcast;
__u32 ipv4root = nxi->ipv4[0];
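Review bot: moving `chk_addr_ret = inet_addr_type(s_addr);` above the `if (nxi)` block means it is now evaluated before the "rewrite localhost to ipv4root" branch changes `s_addr`, so for a loopback bind the type recorded describes 127.x rather than the address the socket is actually bound to; the original placement (after the rewrite, removed in the second hunk) classified the final address. If the later bind logic uses `chk_addr_ret` for the non-local-bind decision, either keep a second call after the rewrite or call `inet_addr_type()` on the rewritten value inside that branch.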
@@ -441,13 +444,12 @@
/* rewrite localhost to ipv4root */
s_addr = ipv4root;
s_addr1 = ipv4root;
- } else if (s_addr != v4_bcast) {
+ } else if ((chk_addr_ret != RTN_BROADCAST) && (chk_addr_ret != RTN_MULTICAST)) {
/* normal address bind */
if (!addr_in_nx_info(nxi, s_addr))
return -EADDRNOTAVAIL;
}
}
- chk_addr_ret = inet_addr_type(s_addr);
vxdprintk(VXD_CBIT(net, 3),
"inet_bind(%p) %d.%d.%d.%d, %d.%d.%d.%d, %d.%d.%d.%d",
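Review bot: the new condition `(chk_addr_ret != RTN_BROADCAST) && (chk_addr_ret != RTN_MULTICAST)` drops the `v4_bcast` comparison entirely, so any address the host classifies as broadcast (including the broadcast address of a subnet belonging to another guest or to the host itself) and every multicast group now bypasses `addr_in_nx_info()` and the `-EADDRNOTAVAIL` rejection with no capability check at all, which matches the author's own concern about being too permissive. Suggest keeping the `s_addr == v4_bcast` case as the unconditional allow, and gating the `RTN_BROADCAST`/`RTN_MULTICAST` bypass on an explicit capability or a dedicated ccapability, e.g. `else if (s_addr != v4_bcast && !(cap_allows_bcast && (chk_addr_ret == RTN_BROADCAST || chk_addr_ret == RTN_MULTICAST)))`, so that a guest without that grant still gets the previous behaviour. Also, the replaced line exceeds 80 columns; wrap it to match the surrounding style.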
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Fri Apr 14 17:10:17 2006