Hi,

I wasn't able to use multicast for some application server load balancer, and it didn't work inside a vserver, despite apparently having every related capability like NET_ADMIN, NET_RAW, NET_BROADCAST, NET_BIND_SERVICE.

I tried to make a simple multicast application work: udpcast, http://udpcast.linux.lu/

It didn't work either. First because it attempted to bind to the broadcast address of the vserver interface, i.e. 192.168.0.255, and it failed with -EADDRNOTAVAIL. Then because it attempted to bind to a multicast address, which resulted in the same error. (I saw it when I patched enough to pass the first error.)

I patched the /usr/src/linux/net/ipv4/af_inet.c from 2.6.14-vs2.01.

I think that without the patch, in a vserver I'm only allowed to bind to: 0.0.0.0, the loopback address, the vserver's own addresses and "v4_bcast", which seems to always be 255.255.255.255, whatever value is in /etc/vserver/<vserver_name>/bcast.

With the patch I can also bind to 192.168.0.255 and multicast addresses. And perhaps even more addresses, as I don't fully know what inet_addr_type() returning RTN_BROADCAST implies.

Now udpcast works (receiving and sending data), even if I give no capabilities at all to the vserver.

I'm wondering if I'm too permissive. Do we need some more checks? Or even a new capability?

I'll try the load balancing software as soon as I find the time to reinstall it.

At least this patch could help people who need multicast where security isn't that much of a concern.

Regards,
Luc.
--- linux-2.6.14.3-vs2.0.1/net/ipv4/af_inet.c.orig 2006-04-14 15:33:09.000000000 +0200 +++ linux-2.6.14.3-vs2.0.1/net/ipv4/af_inet.c 2006-04-14 13:59:41.000000000 +0200 @@ -427,6 +427,9 @@ sk, sk->sk_nx_info, sk->sk_socket, (sk->sk_socket?sk->sk_socket->flags:0), VXD_QUAD(s_addr)); + + chk_addr_ret = inet_addr_type(s_addr); + if (nxi) { __u32 v4_bcast = nxi->v4_bcast; __u32 ipv4root = nxi->ipv4[0]; @@ -441,13 +444,12 @@ /* rewrite localhost to ipv4root */ s_addr = ipv4root; s_addr1 = ipv4root; - } else if (s_addr != v4_bcast) { + } else if ((chk_addr_ret != RTN_BROADCAST) && (chk_addr_ret != RTN_MULTICAST)) { /* normal address bind */ if (!addr_in_nx_info(nxi, s_addr)) return -EADDRNOTAVAIL; } } - chk_addr_ret = inet_addr_type(s_addr); vxdprintk(VXD_CBIT(net, 3), "inet_bind(%p) %d.%d.%d.%d, %d.%d.%d.%d, %d.%d.%d.%d",
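Review bot: in the first hunk, inet_addr_type(s_addr) is now evaluated before the `if (nxi)` block, so it classifies the caller-supplied address, while the second hunk removes the call that ran after `s_addr = ipv4root;`. For a localhost bind inside a context, chk_addr_ret therefore describes the pre-rewrite address rather than ipv4root, and any later use of chk_addr_ret in inet_bind() sees a different value than before the patch. Suggest storing the early result in a separate local used only for the context check and leaving the original `chk_addr_ret = inet_addr_type(s_addr);` after the block in place.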
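Review bot: the new condition in the second hunk, `(chk_addr_ret != RTN_BROADCAST) && (chk_addr_ret != RTN_MULTICAST)`, no longer compares against v4_bcast and skips addr_in_nx_info() for every address for which inet_addr_type() returns RTN_BROADCAST or RTN_MULTICAST, not only for the broadcast address of a network the context holds an address on. That is a wider exemption than the single per-context value it replaces, and it is unconditional. Suggest keeping `s_addr != v4_bcast` as one exemption, limiting the broadcast case to broadcast addresses that belong to the context's own addresses, and putting the multicast case behind a per-context flag or capability. In the visible lines v4_bcast is still declared but no longer read. The changed line also runs well past 80 columns and the inner parentheses are not needed.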