Photo of Jordan Sissel
Jordan Sissel
hacker

Search this site

Metadata

Articles

Projects

Presentations

FreeBSD, Jails, and BPF.

Posted Wed, 11 Jun 2008

Tonight's fun was spent learning bpf's internals (the pseudo-machine code it uses). The point was to find out exactly how much effort it would take to add secure bpf support to jails. Ideally, we'd want to expose the bpf(4) device to any jail but only make available the traffic that is actually destined for the jail (or broadcast traffic).

It seems like you could get away with this, if you prefixed all jailed bpf filters with: (ip and (host [jail_ip] or multicast or broadcast)). I've got userland-code that does exactly this. Once I knew how to inject my own bpf code into an existing bpf_program struct, I was basically ready to go. The only other thing left was to figure out how, in the FreeBSD kernel, to figure out if you were in a jail and what that jail's IP was - turns out this is a trivial operation :)

Userland example code: pcapinject.c

Working Patch: bpf-jail.patch

The code in the patch is crappyish and has a pile of debug statements, but it does appear to work as intended.

Comments: 3 | Link to this post | posted at: 02:15
Tags: , , , , , ,

3 responses to 'FreeBSD, Jails, and BPF.'

Showing last 3 comments... (Click here to view all comments)

Adam wrote at Thu Jun 12 08:42:37 2008...
Forgive my ignorance, Jordan, but does this mean I'll be able to have my pf configuration within the jail instead of outside it? I'll be able to let a jail administrator manage his own ruleset?

Jordan Sissel wrote at Thu Jun 12 10:03:30 2008...
The patch provided is geared towards requiring that jails are only able to sniff their own traffic. It's for BPF (berkeley packet filter) not PF. BPF is used in tools like tcpdump.

It doesn't prevent using bpf to write raw traffic, so in that sense it's not a complete solution.

Adam wrote at Fri Jun 13 07:17:27 2008...
Ah. I think I need to read more about bpf. I knew tcpdump used it, but wasn't sure what else did. I forgot I couldn't tcpdump within a jail.

Leave a reply

You need javascript enabled to use this form. Anti-spam efforts ongoing. Also, if the comment doesn't show up, it's because the form expired. Go back and copy your comment, reload the form, and resubmit. Apologies if this is a hassle, I'm just playing with antispam methods right now. If this insists on not working, please email me about it.

Name (required)
E-mail (optional, if you want me to be able to email you back)
URL (also optional)
Comment: