From owner-freebsd-jail@FreeBSD.ORG Mon Apr 27 11:06:57 2009
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Date: Mon, 27 Apr 2009 11:06:56 GMT
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/132092  jail       [jail] jail can listen on *:port when jail_socket_unix
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

5 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 27 21:00:11 2009
From: "Bjoern A. Zeeb"
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@freebsd.org
Date: Mon, 27 Apr 2009 20:59:11 +0000 (UTC)
Subject: Re: changing cpuset of jail from inside of jail - is it feature?

On Fri, 24 Apr 2009, Miroslav Lachman wrote:

> Bjoern A. Zeeb wrote:
>
> [...]
>
>> Ok, I am not sure what is going wrong here; well I know but I don't
>> know if it's intended in cpuset. Trying to talk to the right people
>> but they seem to be AWOL atm.
>>
>>
>> If you are brave, you could try:
>>
>> http://people.freebsd.org/~bz/20090423-01-cpuset-jails.diff
>>
>> I haven't even compiled it yet. It may work, it may not work, it may
>> make your machine panic, ... just to warn you.
>>
>> it should still allow you to create further sets within a jail but you
>> should not be able to change the "root set" of the jail from inside
>> the jail anymore (in case it works;)
>
> I did just a quick test. (OK, not so quick, because compilation inside Qemu
> on my old PC takes 2 hours ;])
> It compiles without problems and did what I expect:
> ...
> I have no real multicore machine to test it more deeply. (can't test it on
> production servers and spare machine is blocked by another task)
>
> Will this fix be included in 7.2-RELEASE or is it too late to commit this
> fix?

FreeBSD 7/7.2 just got a BUGS entry for the man pages. The patch will
not make it; it's still waiting review for HEAD and possibly
discussion if a super user inside a jail would still be allowed to
further restrict the cpuset (but not extend it).

/bz

--
Bjoern A. Zeeb                      The greatest risk is not taking one.

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 27 21:48:34 2009
From: Miroslav Lachman <000.fbsd@quip.cz>
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@freebsd.org
Date: Mon, 27 Apr 2009 23:48:30 +0200
Subject: Re: changing cpuset of jail from inside of jail - is it feature?

Bjoern A. Zeeb wrote:
> On Fri, 24 Apr 2009, Miroslav Lachman wrote:
>
>> Bjoern A. Zeeb wrote:
>>
>> [...]
>>
>>> Ok, I am not sure what is going wrong here; well I know but I don't
>>> know if it's intended in cpuset. Trying to talk to the right people
>>> but they seem to be AWOL atm.
>>>
>>>
>>> If you are brave, you could try:
>>>
>>> http://people.freebsd.org/~bz/20090423-01-cpuset-jails.diff
>>>
>>> I haven't even compiled it yet. It may work, it may not work, it may
>>> make your machine panic, ... just to warn you.
>>>
>>> it should still allow you to create further sets within a jail but you
>>> should not be able to change the "root set" of the jail from inside
>>> the jail anymore (in case it works;)
>>
>>
>> I did just a quick test. (OK, not so quick, because compilation inside
>> Qemu on my old PC takes 2 hours ;])
>> It compiles without problems and did what I expect:
>>
> ...
>
>> I have no real multicore machine to test it more deeply. (can't test
>> it on production servers and spare machine is blocked by another task)
>>
>> Will this fix be included in 7.2-RELEASE or is it too late to commit
>> this fix?
>
>
> FreeBSD 7/7.2 just got a BUGS entry for the man pages. The patch will
> not make it; it's still waiting review for HEAD and possibly
> discussion if a super user inside a jail would still be allowed to
> further restrict the cpuset (but not extend it).

OK, thank you for information.
Allowing root inside jail to further restrict the cpuset for some
services running inside jail seems useful to me.

Just to inform others, this issue has PR number 134050
http://www.freebsd.org/cgi/query-pr.cgi?pr=134050

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Thu Apr 30 17:31:33 2009
From: Stefan Lambrev
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@freebsd.org
Date: Thu, 30 Apr 2009 20:31:04 +0300
Subject: Re: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE

Hi,

On Apr 22, 2009, at 11:25 PM, Miroslav Lachman wrote:

> Stefan Lambrev wrote:
>> Hi,
>> Does this allow multiple network interfaces to be used by a single
>> jail instance?
>
> Yes, I am using it.
>
- cut -

Basically it works, but I found another problem.
I have created on two servers jails with 2 IPs on different interfaces.
First IP is on "external" interface and second IP is on internal interface.
As expected if I send packets from the host (outside jail) their
source address match the IP of the interface (from which they are
leaving the machine),
but if I send packets from jail they always go out with source address
equal to the first IP of the jail even when they are going out
through the second interface.

I do not know if this matters but in my case, internal interface have
few vlans and the IP is set on the vlan not directly on the interface.

Here is some output from the jail which can be useful:

igb0: flags=8843 metric 0 mtu 1500
        options=19b
        ether 00:30:48:9c:3a:0a
        inet 192.168.3.100 netmask 0xffffffff broadcast 192.168.3.100
        media: Ethernet autoselect (100baseTX )
        status: active

igb1.2: flags=8843 metric 0 mtu 1500
        options=3
        ether 00:30:48:9c:3a:0b
        inet 10.35.1.1 netmask 0xffffff00 broadcast 10.35.1.255
        media: Ethernet autoselect (1000baseTX )
        status: active
        vlan: 2 parent interface: igb1

And here is the tcpdump from igb1.2 when trying to ping 10.35.1.2 from
inside jail:

17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 0, length 64
17:20:05.110321 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 1, length 64

Any idea how this can be fixed?

P.S. I know I can rewrite outgoing packets with firewall, but it's not
performance wise,
and I expect lot of udp multicast through igb1.2, that's why this
doesn't look like a proper solution for me.

--
Best Wishes,
Stefan Lambrev
ICQ# 24134177

From owner-freebsd-jail@FreeBSD.ORG Thu Apr 30 18:49:46 2009
From: alexus
To: freebsd-jail@freebsd.org
Date: Thu, 30 Apr 2009 14:24:02 -0400
Subject: Re: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE

thank you so much for all your hard work and all of your time!

--
http://alexus.org/

From owner-freebsd-jail@FreeBSD.ORG Fri May 1 00:00:12 2009
From: "Bjoern A. Zeeb"
To: Stefan Lambrev
Cc: freebsd-jail@freebsd.org
Date: Thu, 30 Apr 2009 23:58:59 +0000 (UTC)
Subject: Re: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE

On Thu, 30 Apr 2009, Stefan Lambrev wrote:

> Hi,
>
> On Apr 22, 2009, at 11:25 PM, Miroslav Lachman wrote:
>
>> Stefan Lambrev wrote:
>>> Hi,
>>> Does this allow multiple network interfaces to be used by a single jail
>>> instance?
>>
>> Yes, I am using it.
>>
> - cut -
>
> Basically it works, but I found another problem.
> I have created on two servers jails with 2 IPs on different interfaces.
> First IP is on "external" interface and second IP is on internal interface.
> As expected if I send packets from the host (outside jail) their source
> address match the IP of the interface (from which they are leaving the
> machine),
> but if I send packets from jail they always go out with source address equal
> to the first IP of the jail even when they are going out
> through the second interface.
>
> I do not know if this matters but in my case, internal interface have few
> vlans and the IP is set on the vlan not directly on the interface.
>
> Here is some output from the jail which can be useful:
>
> igb0: flags=8843 metric 0 mtu 1500
>         options=19b
>         ether 00:30:48:9c:3a:0a
>         inet 192.168.3.100 netmask 0xffffffff broadcast 192.168.3.100
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
> igb1.2: flags=8843 metric 0 mtu 1500
>         options=3
>         ether 00:30:48:9c:3a:0b
>         inet 10.35.1.1 netmask 0xffffff00 broadcast 10.35.1.255
>         media: Ethernet autoselect (1000baseTX )
>         status: active
>         vlan: 2 parent interface: igb1
>
> And here is the tcpdump from igb1.2 when trying to ping 10.35.1.2 from inside
> jail:
>
> 17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421,
> seq 0, length 64
> 17:20:05.110321 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421,
> seq 1, length 64
>
> Any idea how this can be fixed?
>
> P.S. I know I can rewrite outgoing packets with firewall, but it's not
> performance wise,
> and I expect lot of udp multicast through igb1.2, that's why this doesn't
> look like a proper solution for me.

1) you turned on a non-default feature permitting raw-ip-sockets from
   inside jails. You lost supp^Wpredictability. Well not really but
   this is just the beware-of reminder.

2) you are using 1) with ping to test source address selection which
   will not work well. There is more magic involved.
   Does it work properly and as requested with ping -S ?

3) turn off 1) and/or use telnet, ssh, or nc to test outgoing
   connections in each direction. Does source address selection work
   here as expected?

4) jails do not support MC. You'll have to wait for full-blown network
   stack virtualization.

--
Bjoern A. Zeeb                      The greatest risk is not taking one.
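
Point 3 of the reply above asks whether source address selection works for ordinary (non-raw) sockets. The script below is an added example, not code from the thread or from FreeBSD: run inside the jail, it asks the kernel which source address it selects per destination, using a UDP connect() (which sends no packet) in place of the suggested telnet/ssh/nc. The function names and the default address pair, taken from the report, are assumptions of the example.

```python
#!/usr/bin/env python3
"""Show which source address the kernel selects for each destination.

Added example, not code from the thread. Needs no raw sockets, so it
works with the jail's default (raw sockets disallowed) setting.
"""
import socket
import sys


def selected_source(dst, bind_src=None, port=9):
    """Return the local address chosen for traffic to dst.

    connect() on a UDP socket sends no packet; it only makes the kernel
    do the route lookup and source address selection, which
    getsockname() then reports. bind_src pins the source address first,
    the socket-level counterpart of `ping -S`.
    """
    family = socket.AF_INET6 if ":" in dst else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        if bind_src is not None:
            s.bind((bind_src, 0))
        s.connect((dst, port))
        return s.getsockname()[0]


def check(expectations):
    """Compare the selected source with the expected one per destination.

    expectations: iterable of (dst, expected_src) pairs.
    Returns one dict per pair; 'error' is set when connect() failed,
    for example because there is no route to the destination.
    """
    rows = []
    for dst, expected in expectations:
        row = {"dst": dst, "expected": expected,
               "selected": None, "error": None}
        try:
            row["selected"] = selected_source(dst)
        except OSError as exc:
            row["error"] = exc.strerror or str(exc)
        row["ok"] = row["selected"] == expected
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Arguments are dst=expected_src pairs. The default pair uses the
    # addresses from the report: peer 10.35.1.2 behind igb1.2, where
    # the reporter expected the jail's second address 10.35.1.1.
    args = sys.argv[1:] or ["10.35.1.2=10.35.1.1"]
    pairs = [tuple(a.split("=", 1)) for a in args]
    failed = False
    for r in check(pairs):
        state = "ok" if r["ok"] else "MISMATCH"
        detail = r["error"] or r["selected"]
        print(f"{r['dst']:<16} expected {r['expected']:<16} "
              f"got {detail:<16} {state}")
        failed |= not r["ok"]
    sys.exit(1 if failed else 0)
```

A MISMATCH line for 10.35.1.2 here would show the same first-address behaviour as the tcpdump in the report, but without ping or raw sockets involved.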