From owner-freebsd-jail@FreeBSD.ORG Mon Apr 9 11:07:15 2012
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Date: Mon, 9 Apr 2012 11:07:14 GMT
Message-Id: <201204091107.q39B7Emf039643@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
List-Id: "Discussion about FreeBSD jail(8)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker      Resp.      Description
--------------------------------------------------------------------------------
p bin/165515   jail       [jail][patch] "jail: unknown parameter: allow.nomount"
p bin/161957   jail       jls(8): jls -v doesn't show anything if system compile
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail       [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

13 problems total.
From owner-freebsd-jail@FreeBSD.ORG Mon Apr 9 16:21:07 2012
From: Mark Felder
To: freebsd-jail@freebsd.org
Date: Mon, 9 Apr 2012 11:20:59 -0500
Subject: Jail source address selection broken, patch for ping
Content-Type: multipart/mixed; boundary=----------DZTV0lLpP6HX1689Xgs3wP

------------DZTV0lLpP6HX1689Xgs3wP
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes

Hello,

This weekend I was deploying our monitoring server into a 32bit FreeBSD
jail on a 64bit install. This was necessary because we needed the newer
hardware but couldn't migrate the RRDs to 64bit format without breaking
other machines that rely on the RRD files and are still 32bit.

Our monitoring server is fairly extensive and talks to many different
VLANs and subnets. As a result, IPs on these different VLAN interfaces
were passed through to the jail. I noticed pretty quickly that for some
reason PINGs were not able to reach many subnets even though I am
allowing raw sockets. After doing some traffic sniffing I was able to
determine that the source IP address was incorrect.

By pure chance I was able to contact bz@ and he provided me with a patch
for ping based on his recent work on a similar issue with traceroute.
This solved my problem with the system ping utility, but my tests with
fping and the ping utility included with our monitoring software still
exhibited the same issue.

bz informed me that he believes he knows where the bug is in the kernel
-- I believe he pointed me to the area of sys/netinet/ip_raw.c around
line 461. Jails are getting the first IP as a source no matter what.

Anyway, attached is the patch he asked me to post to the mailing list
for those that need a workaround for ping. I'm sure fixing this in the
kernel will probably require further discussion among those with actual
programming skills :-)

Cheers,
Mark

------------DZTV0lLpP6HX1689Xgs3wP
Content-Disposition: attachment; filename=20120407-01-ping-source-addr.diff
Content-Type: application/octet-stream; name=20120407-01-ping-source-addr.diff
Content-Transfer-Encoding: base64

IQohIElmIG5vIHNvdXJjZSBhZGRyZXNzIGlzIGdpdmVuIHVzZSB0aGUgVURQIHNvY2tldCB0 cmljayB0byBnZXQgYW4KISBpZGVhIG9mIHdoYXQgdGhlIGtlcm5lbCB0aGlua3Mgb3VyIHNv dXJjZSBhZGRyZXNzIGZvciBhIGdpdmVuCiEgdGFyZ2V0IHNob3VsZCBiZS4gIEFuIGVxdWFs IGNoYW5nZSBoYXMgYmVlbiBjb21taXR0ZWQgdG8gdHJhY2Vyb3V0ZQohIGluIHIyMDE4MDYu ICBUaGlzIGlzIG5lZWRlZCBhcyBsb25nIGFzIHJpcF9vdXRwdXQoKSBpbiB0aGUKISAhSU5Q X0hEUklOQ0wgYWx3YXlzIHBpY2tzIHRoZSBwcmltYXJ5IGphaWwgYWRkcmVzcyBpZiBqYWls ZWQuCiEgVGhlIHByb3BlciBzb2x1dGlvbiB3b3VsZCBiZSB0byBkbyB3aGF0IHRoZSBjb21t ZW50IHRoZXJlIHN1Z2dlc3RzCiEgYW5kIGNhbGwgaW4ta2VybmVsIHNvdXJjZSBhZGRyZXNz IHNlbGVjdGlvbi4KIQohIFJlcXVlc3RlZCBieToJbWFueSAoYWxsIGZpbmRpbmcgcGluZyBk b2VzIG5vdCB3b3JrIChwcm9wZXJseSkgaW4gamFpbCkKISBUZXN0ZWQgYnk6CU1hcmsgRmVs ZGVyIChmZWxkIGZlbGQgbWUpCiEgVE9ETzoJCWJ6IHRvIGZpeCB0aGUga2VybmVsIGFzIHRo ZSBwcm9wZXIgZml4CiEKSW5kZXg6IHNiaW4vcGluZy9waW5nLmMKPT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQot LS0gc2Jpbi9waW5nL3BpbmcuYwkocmV2aXNpb24gMjMzODc2KQorKysgc2Jpbi9waW5nL3Bp bmcuYwkod29ya2luZyBjb3B5KQpAQCAtMjEyLDYgKzIxMiw3IEBAIHN0YXRpYyB2b2lkIHN0 YXR1cyhpbnQpOwogc3RhdGljIHZvaWQgc3RvcGl0KGludCk7CiBzdGF0aWMgdm9pZCB0dnN1 YihzdHJ1Y3QgdGltZXZhbCAqLCBjb25zdCBzdHJ1Y3QgdGltZXZhbCAqKTsKIHN0YXRpYyB2 b2lkIHVzYWdlKHZvaWQpIF9fZGVhZDI7CitzdGF0aWMgaW50IGdldHNhZGRyKHN0cnVjdCBz b2NrYWRkcl9pbiAqLCBzdHJ1Y3Qgc29ja2FkZHJfaW4gKik7CiAKIGludAogbWFpbihpbnQg YXJnYywgY2hhciAqY29uc3QgKmFyZ3YpCkBAIC01MjYsOSArNTI3LDMwIEBAIG1haW4oaW50 IGFyZ2MsIGNoYXIgKmNvbnN0ICphcmd2KQogCWlmIChvcHRpb25zICYgRl9QSU5HRklMTEVE KSB7CiAJCWZpbGwoKGNoYXIgKilkYXRhcCwgcGF5bG9hZCk7CiAJfQorCisJYnplcm8oJndo
ZXJldG8sIHNpemVvZih3aGVyZXRvKSk7CisJdG8gPSAmd2hlcmV0bzsKKwl0by0+c2luX2Zh bWlseSA9IEFGX0lORVQ7CisJdG8tPnNpbl9sZW4gPSBzaXplb2YgKnRvOworCWlmIChpbmV0 X2F0b24odGFyZ2V0LCAmdG8tPnNpbl9hZGRyKSAhPSAwKSB7CisJCWhvc3RuYW1lID0gdGFy Z2V0OworCX0gZWxzZSB7CisJCWhwID0gZ2V0aG9zdGJ5bmFtZTIodGFyZ2V0LCBBRl9JTkVU KTsKKwkJaWYgKCFocCkKKwkJCWVycngoRVhfTk9IT1NULCAiY2Fubm90IHJlc29sdmUgJXM6 ICVzIiwKKwkJCSAgICB0YXJnZXQsIGhzdHJlcnJvcihoX2Vycm5vKSk7CisKKwkJaWYgKCh1 bnNpZ25lZClocC0+aF9sZW5ndGggPiBzaXplb2YodG8tPnNpbl9hZGRyKSkKKwkJCWVycngo MSwgImdldGhvc3RieW5hbWUyIHJldHVybmVkIGFuIGlsbGVnYWwgYWRkcmVzcyIpOworCQlt ZW1jcHkoJnRvLT5zaW5fYWRkciwgaHAtPmhfYWRkcl9saXN0WzBdLCBzaXplb2YgdG8tPnNp bl9hZGRyKTsKKwkJKHZvaWQpc3RybmNweShobmFtZWJ1ZiwgaHAtPmhfbmFtZSwgc2l6ZW9m KGhuYW1lYnVmKSAtIDEpOworCQlobmFtZWJ1ZltzaXplb2YoaG5hbWVidWYpIC0gMV0gPSAn XDAnOworCQlob3N0bmFtZSA9IGhuYW1lYnVmOworCX0KKworCWJ6ZXJvKChjaGFyICopJnNv Y2tfaW4sIHNpemVvZihzb2NrX2luKSk7CisJc29ja19pbi5zaW5fZmFtaWx5ID0gQUZfSU5F VDsKIAlpZiAoc291cmNlKSB7Ci0JCWJ6ZXJvKChjaGFyICopJnNvY2tfaW4sIHNpemVvZihz b2NrX2luKSk7Ci0JCXNvY2tfaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7CiAJCWlmIChpbmV0 X2F0b24oc291cmNlLCAmc29ja19pbi5zaW5fYWRkcikgIT0gMCkgewogCQkJc2hvc3RuYW1l ID0gc291cmNlOwogCQl9IGVsc2UgewpAQCAtNTQ4LDI5ICs1NzAsMTMgQEAgbWFpbihpbnQg YXJnYywgY2hhciAqY29uc3QgKmFyZ3YpCiAJCQlzbmFtZWJ1ZltzaXplb2Yoc25hbWVidWYp IC0gMV0gPSAnXDAnOwogCQkJc2hvc3RuYW1lID0gc25hbWVidWY7CiAJCX0KLQkJaWYgKGJp bmQocywgKHN0cnVjdCBzb2NrYWRkciAqKSZzb2NrX2luLCBzaXplb2Ygc29ja19pbikgPT0g LTEpCi0JCQllcnIoMSwgImJpbmQiKTsKLQl9Ci0KLQliemVybygmd2hlcmV0bywgc2l6ZW9m KHdoZXJldG8pKTsKLQl0byA9ICZ3aGVyZXRvOwotCXRvLT5zaW5fZmFtaWx5ID0gQUZfSU5F VDsKLQl0by0+c2luX2xlbiA9IHNpemVvZiAqdG87Ci0JaWYgKGluZXRfYXRvbih0YXJnZXQs ICZ0by0+c2luX2FkZHIpICE9IDApIHsKLQkJaG9zdG5hbWUgPSB0YXJnZXQ7CiAJfSBlbHNl IHsKLQkJaHAgPSBnZXRob3N0YnluYW1lMih0YXJnZXQsIEFGX0lORVQpOwotCQlpZiAoIWhw KQotCQkJZXJyeChFWF9OT0hPU1QsICJjYW5ub3QgcmVzb2x2ZSAlczogJXMiLAotCQkJICAg IHRhcmdldCwgaHN0cmVycm9yKGhfZXJybm8pKTsKLQotCQlpZiAoKHVuc2lnbmVkKWhwLT5o 
X2xlbmd0aCA+IHNpemVvZih0by0+c2luX2FkZHIpKQotCQkJZXJyeCgxLCAiZ2V0aG9zdGJ5 bmFtZTIgcmV0dXJuZWQgYW4gaWxsZWdhbCBhZGRyZXNzIik7Ci0JCW1lbWNweSgmdG8tPnNp bl9hZGRyLCBocC0+aF9hZGRyX2xpc3RbMF0sIHNpemVvZiB0by0+c2luX2FkZHIpOwotCQko dm9pZClzdHJuY3B5KGhuYW1lYnVmLCBocC0+aF9uYW1lLCBzaXplb2YoaG5hbWVidWYpIC0g MSk7Ci0JCWhuYW1lYnVmW3NpemVvZihobmFtZWJ1ZikgLSAxXSA9ICdcMCc7Ci0JCWhvc3Ru YW1lID0gaG5hbWVidWY7CisJCWlmIChnZXRzYWRkcih0bywgJnNvY2tfaW4pICE9IDApCisJ CQllcnIoMSwgImdldHNhZGRyIik7CisJCS8qIFhYWC1CWiBzZXQgc291cmNlPyAqLwogCX0K KwlpZiAoYmluZChzLCAoc3RydWN0IHNvY2thZGRyICopJnNvY2tfaW4sIHNpemVvZiBzb2Nr X2luKSA9PSAtMSkKKwkJZXJyKDEsICJiaW5kIik7CiAKIAlpZiAob3B0aW9ucyAmIEZfRkxP T0QgJiYgb3B0aW9ucyAmIEZfSU5URVJWQUwpCiAJCWVycngoRVhfVVNBR0UsICItZiBhbmQg LWk6IGluY29tcGF0aWJsZSBvcHRpb25zIik7CkBAIC0xNzAxLDMgKzE3MDcsNzcgQEAgdXNh Z2Uodm9pZCkKICIgICAgICAgICAgICBbLXogdG9zXSBtY2FzdC1ncm91cCIpOwogCWV4aXQo RVhfVVNBR0UpOwogfQorCisvKiBEZXJpdmVkIGZyb20gdXNyLnNiaW4vdHJhY2Vyb3V0ZS9m aW5kc2FkZHItdWRwLmMuICovCisvKi0KKyAqIENvcHlyaWdodCAoYykgMjAxMCwyMDEyIEJq b2VybiBBLiBaZWViIDxiekBGcmVlQlNELm9yZz4KKyAqIEFsbCByaWdodHMgcmVzZXJ2ZWQu CisgKgorICogUmVkaXN0cmlidXRpb24gYW5kIHVzZSBpbiBzb3VyY2UgYW5kIGJpbmFyeSBm b3Jtcywgd2l0aCBvciB3aXRob3V0CisgKiBtb2RpZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQg cHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRpdGlvbnMKKyAqIGFyZSBtZXQ6Cisg KiAxLiBSZWRpc3RyaWJ1dGlvbnMgb2Ygc291cmNlIGNvZGUgbXVzdCByZXRhaW4gdGhlIGFi b3ZlIGNvcHlyaWdodAorICogbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQg dGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyLgorICogMi4gUmVkaXN0cmlidXRpb25zIGluIGJp bmFyeSBmb3JtIG11c3QgcmVwcm9kdWNlIHRoZSBhYm92ZSBjb3B5cmlnaHQKKyAqIG5vdGlj ZSwgdGhpcyBsaXN0IG9mIGNvbmRpdGlvbnMgYW5kIHRoZSBmb2xsb3dpbmcgZGlzY2xhaW1l ciBpbiB0aGUKKyAqIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1hdGVyaWFscyBwcm92 aWRlZCB3aXRoIHRoZSBkaXN0cmlidXRpb24uCisgKgorICogVEhJUyBTT0ZUV0FSRSBJUyBQ Uk9WSURFRCBCWSBUSEUgQVVUSE9SIEFORCBDT05UUklCVVRPUlMgYGBBUyBJUycnIEFORAor ICogQU5ZIEVYUFJFU1MgT1IgSU1QTElFRCBXQVJSQU5USUVTLCBJTkNMVURJTkcsIEJVVCBO 
T1QgTElNSVRFRCBUTywgVEhFCisgKiBJTVBMSUVEIFdBUlJBTlRJRVMgT0YgTUVSQ0hBTlRB QklMSVRZIEFORCBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIgUFVSUE9TRQorICogQVJFIERJ U0NMQUlNRUQuIElOIE5PIEVWRU5UIFNIQUxMIFRIRSBBVVRIT1IgT1IgQ09OVFJJQlVUT1JT IEJFIExJQUJMRQorICogRk9SIEFOWSBESVJFQ1QsIElORElSRUNULCBJTkNJREVOVEFMLCBT UEVDSUFMLCBFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwKKyAqIERBTUFHRVMgKElOQ0xV RElORywgQlVUIE5PVCBMSU1JVEVEIFRPLCBQUk9DVVJFTUVOVCBPRiBTVUJTVElUVVRFIEdP T0RTCisgKiBPUiBTRVJWSUNFUzsgTE9TUyBPRiBVU0UsIERBVEEsIE9SIFBST0ZJVFM7IE9S IEJVU0lORVNTIElOVEVSUlVQVElPTikKKyAqIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkg VEhFT1JZIE9GIExJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUCisgKiBM SUFCSUxJVFksIE9SIFRPUlQgKElOQ0xVRElORyBORUdMSUdFTkNFIE9SIE9USEVSV0lTRSkg QVJJU0lORyBJTiBBTlkgV0FZCisgKiBPVVQgT0YgVEhFIFVTRSBPRiBUSElTIFNPRlRXQVJF LCBFVkVOIElGIEFEVklTRUQgT0YgVEhFIFBPU1NJQklMSVRZIE9GCisgKiBTVUNIIERBTUFH RS4KKyAqLworLyoKKyAqIFJldHVybiB0aGUgc291cmNlIGFkZHJlc3MgZm9yIHRoZSBnaXZl biBkZXN0aW5hdGlvbiBhZGRyZXNzLgorICoKKyAqIFRoaXMgbWFrZXMgdXNlIG9mIHByb3Bl ciBzb3VyY2UgYWRkcmVzcyBzZWxlY3Rpb24gaW4gdGhlIEZyZWVCU0Qga2VybmVsCisgKiBl dmVuIHRha2luZyBqYWlscyBpbnRvIGFjY291bnQgKHN5cy9uZXRpbmV0L2luX3BjYi5jOmlu X3BjYmxhZGRyKCkpLgorICogV2Ugb3BlbiBhIFVEUCBzb2NrZXQsIGFuZCBjb25uZWN0IHRv IHRoZSBkZXN0aW5hdGlvbiwgbGV0dGluZyB0aGUga2VybmVsCisgKiBkbyB0aGUgYmluZCBh bmQgdGhlbiByZWFkIHRoZSBzb3VyY2UgSVB2NCBhZGRyZXNzIHVzaW5nIGdldHNvY2tuYW1l KDIpLgorICogVGhpcyBoYXMgbXVsdGlwbGUgYWR2YW50YWdlczogbm8gbmVlZCB0byBkbyBQ Rl9ST1VURSBvcGVyYXRpb25zIHBvc3NpYmx5CisgKiBuZWVkaW5nIHNwZWNpYWwgcHJpdmls ZWdlcywgamFpbHMgcHJvcGVybHkgdGFrZW4gaW50byBhY2NvdW50IGFuZCBtb3N0CisgKiBp bXBvcnRhbnQgLSBnZXR0aW5nIHRoZSByZXN1bHQgdGhlIGtlcm5lbCB3b3VsZCBnaXZlIHVz IHJhdGhlciB0aGFuCisgKiBiZXN0LWd1ZXNzaW5nIG91cnNlbHZlcy4KKyAqLworc3RhdGlj IGludAorZ2V0c2FkZHIoc3RydWN0IHNvY2thZGRyX2luICp0bywgc3RydWN0IHNvY2thZGRy X2luICpmcm9tKQoreworCXN0cnVjdCBzb2NrYWRkcl9pbiBjdG8sIGNmcm9tOworCXNvY2ts ZW5fdCBsZW47CisJaW50IGVycm9yLCBzOworCisJcyA9IHNvY2tldChBRl9JTkVULCBTT0NL 
X0RHUkFNLCAwKTsKKwlpZiAocyA9PSAtMSkKKwkJcmV0dXJuIChzKTsKKworCWxlbiA9IHNp emVvZihzdHJ1Y3Qgc29ja2FkZHJfaW4pOworCW1lbWNweSgmY3RvLCB0bywgbGVuKTsKKwlj dG8uc2luX3BvcnQgPSBodG9ucyg2NTUzNSk7CS8qIER1bW15IHBvcnQgZm9yIGNvbm5lY3Qo MikuICovCisJZXJyb3IgPSBjb25uZWN0KHMsIChzdHJ1Y3Qgc29ja2FkZHIgKikmY3RvLCBs ZW4pOworCWlmIChlcnJvciA9PSAtMSkKKwkJZ290byBlcnI7CisKKwllcnJvciA9IGdldHNv Y2tuYW1lKHMsIChzdHJ1Y3Qgc29ja2FkZHIgKikmY2Zyb20sICZsZW4pOworCWlmIChlcnJv ciA9PSAtMSkKKwkJZ290byBlcnI7CisKKwlpZiAobGVuICE9IHNpemVvZihzdHJ1Y3Qgc29j a2FkZHJfaW4pIHx8IGNmcm9tLnNpbl9mYW1pbHkgIT0gQUZfSU5FVCkgeworCQllcnJvciA9 IC0yOworCQlnb3RvIGVycjsKKwl9CisKKwkvKiBVcGRhdGUgc291cmNlIGFkZHJlc3MgZm9y IHRyYWNlcm91dGUuICovCisJZnJvbS0+c2luX2FkZHIuc19hZGRyID0gY2Zyb20uc2luX2Fk ZHIuc19hZGRyOworCitlcnI6CisJKHZvaWQpIGNsb3NlKHMpOworCisJcmV0dXJuIChlcnJv cik7Cit9Cg==

------------DZTV0lLpP6HX1689Xgs3wP--

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 9 16:48:42 2012
From: Juan F. Díaz y Díaz
To: Mark Felder
Cc: freebsd-jail@freebsd.org
Date: Mon, 9 Apr 2012 13:50:35 -0300 (ART)
Message-ID: <1074043264.46101.1333990235616.JavaMail.root@mrelmx09.mrec.ar>
In-Reply-To: <1455938359.46095.1333990210970.JavaMail.root@mrelmx09.mrec.ar>
Subject: Re: Jail source address selection broken, patch for ping

Mark, did you try using the setfib utility?

Regards,

_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

-- 
Juan F. Diaz

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 9 17:07:23 2012
From: Mark Felder
To: freebsd-jail@freebsd.org
Date: Mon, 9 Apr 2012 12:07:14 -0500
In-Reply-To: <1074043264.46101.1333990235616.JavaMail.root@mrelmx09.mrec.ar>
Subject: Re: Jail source address selection broken, patch for ping

On Mon, 09 Apr 2012 11:50:35 -0500,
Juan F. Díaz y Díaz wrote:

> Mark, did you try using the setfib utility?

No, and even if that could have helped I would probably have to modify our
monitoring software (Xymon/Hobbit/BigBrother) in undesirable ways to have
it launch every child process with setfib. This would certainly be a nasty
hack and honestly networking should "just work" from within a jail;
utilities shouldn't have to be tricked into working with a jail's network
stack.

Here's the results of trying setfib, though:

root@xymon:/# setfib 0 fping 192.168.xxx.1 (censored for our privacy)
setfib: setfib: Function not implemented

Do you have to set some sysctl to get setfib to work in a jail, or does it
just not work in jails period?

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 9 19:14:47 2012
From: Juan F. Díaz y Díaz
To: Mark Felder
Cc: freebsd-jail@freebsd.org
Date: Mon, 9 Apr 2012 16:16:47 -0300 (ART)
Message-ID: <493438014.49159.1333999007132.JavaMail.root@mrelmx09.mrec.ar>
In-Reply-To: <1630049596.48296.1333997133303.JavaMail.root@mrelmx09.mrec.ar>
Subject: Re: Jail source address selection broken, patch for ping

Mark, you can just run a jail with the setfib utility so you don't need to
modify all your scripts.

# First you need to setup the routing table for each fib
# /etc/rc.local
setfib 1 route add default 10.1.1.1
setfib 1 route del 192.168.1.0/24
setfib 2 route add default 192.168.1.1
setfib 2 route del 10.1.1.0/24

# For each jail config define a fib id
# /etc/rc.conf
...
jail_NAME1_ip="10.1.1.2/24"
jail_NAME1_fib="1"
...
jail_NAME2_ip="192.168.1.2/24"
jail_NAME2_fib="2"

# Then just exec your jail with the setfib
setfib 1 jexec 1 bash

Regards

-- 
Juan F. Diaz y Diaz
MRECIC
Esmeralda 1212 Piso 3 - Bs As, Argentina
+54 (11) 4819 7261
PGP ID 0x27911364 (http://pgp.mit.edu)

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 9 20:11:59 2012
From: Mark Felder
To: freebsd-jail@freebsd.org
Date: Mon, 9 Apr 2012 15:11:50 -0500
In-Reply-To: <493438014.49159.1333999007132.JavaMail.root@mrelmx09.mrec.ar>
Subject: Re: Jail source address selection broken, patch for ping
On Mon, 09 Apr 2012 14:16:47 -0500, Juan F. Díaz y Díaz wrote:

> Mark, you can just run a jail with the setfib utility so you don't need
> to modify all your scripts.

I don't think anyone here is understanding the issue and forcing a routing
table will not help.

root@jailhost:/# jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
     3  xymon.xxxxxx.net              /usr/jails/xymon.xxxxxx.net
        3                             ACTIVE
        2
        66.xxx.xxx.xxx
        192.168.89.xxx   <-- different vlans for each
        192.168.93.xxx
        192.168.94.xxx
        192.168.95.xxx
        192.168.96.xxx
        192.168.97.xxx

root@jailhost:/# ifconfig (edited output)
vlan989: flags=8843 metric 0 mtu 1500
        options=103
        ether d4:ae:52:6a:ec:d9
        inet 192.168.89.xxx netmask 0xffffff00 broadcast 192.168.89.255
        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan989 prefixlen 64 scopeid 0x6
        nd6 options=21
        media: Ethernet autoselect (1000baseT )
        status: active
        vlan: 989 parent interface: bce1
vlan993: flags=8843 metric 0 mtu 1500
        options=103
        ether d4:ae:52:6a:ec:d9
        inet 192.168.93.xxx netmask 0xffffff00 broadcast 192.168.93.255
        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan993 prefixlen 64 scopeid 0x7
        nd6 options=21
        media: Ethernet autoselect (1000baseT )
        status: active
        vlan: 993 parent interface: bce1
vlan994: flags=8843 metric 0 mtu 1500
        options=103
        ether d4:ae:52:6a:ec:d9
        inet 192.168.94.xxx netmask 0xffffff00 broadcast 192.168.94.255
        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan994 prefixlen 64 scopeid 0x8
        nd6 options=21
        media: Ethernet autoselect (1000baseT )
        status: active
        vlan: 994 parent interface: bce1
vlan996: flags=8843 metric 0 mtu 1500
        options=103
        ether d4:ae:52:6a:ec:d9
        inet 192.168.96.xxx netmask 0xffffff00 broadcast 192.168.96.255
        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan996 prefixlen 64 scopeid 0x9
        nd6 options=21
        media: Ethernet autoselect (1000baseT )
        status: active
        vlan: 996 parent interface: bce1
vlan997: flags=8843 metric 0 mtu 1500
        options=103
        ether d4:ae:52:6a:ec:d9
        inet 192.168.97.xxx netmask 0xffffff00 broadcast 192.168.97.255
        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan997 prefixlen 64 scopeid 0xa
        nd6 options=21
        media: Ethernet autoselect (1000baseT )
        status: active
        vlan: 997 parent interface: bce1

All of these vlan interfaces go into a SINGLE jail. Setting the fib will
not help; the jail already has the default routing table. The problem is
that you can't access these different VLANs with many network utilities
because it sets your source IP in the packet as the first IP the jail has
bound to it: 66.xxx.xxx.xxx

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 9 20:27:37 2012
From: "Bjoern A. Zeeb"
To: Mark Felder
Cc: freebsd-jail@freebsd.org
Date: Mon, 9 Apr 2012 20:27:33 +0000
Subject: Re: Jail source address selection broken, patch for ping

On 9. Apr 2012, at 16:20 , Mark Felder wrote:

Hi Mark,

thanks a lot for posting the summary.

> By pure chance I was able to contact bz@ and he provided me with a patch
> for ping based on his recent work on a similar issue with traceroute.
> This solved my problem with the system ping utility, but my tests with
> fping and the ping utility included with our monitoring software still
> exhibited the same issue.
> 
> bz informed me that he believes he knows where the bug is in the kernel
> -- I believe he pointed me to the area of sys/netinet/ip_raw.c around
> line 461. Jails are getting the first IP as a source no matter what.

And maybe to confirm - yes I have told a lot of people in the past to try
telnet or similar thing as "ping" was special, as it's raw sockets etc.

In case you have a PR open about this issue please email me the PR number
directly (not Cc:ing the list) or ask some FreeBSD committer to assign it
to me.

As I had originally left the comment there when I committed the multi-IP
jail source code (or follow-up) and the grief this seems to regularly
cause, I will try to get it fixed soon:
http://svnweb.freebsd.org/base/head/sys/netinet/raw_ip.c?annotate=229265#l461

> Anyway, attached is the patch he asked me to post to the mailing list
> for those that need a workaround for ping. I'm sure fixing this in the
> kernel will probably require further discussion among those with actual
> programming skills :-)

It's also available here but it's considered a work-around and proof of
concept that this really was the issue:
http://people.freebsd.org/~bz/20120407-01-ping-source-addr.diff

/bz

-- 
Bjoern A. Zeeb
You have to have visions!
         It does not matter how good you are. It matters what good you do!

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 9 20:29:03 2012
(envelope-from bzeeb-lists@lists.zabbadoz.net)
content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id n5dj+S0QMT10; Mon, 9 Apr 2012 20:29:00 +0000 (UTC) Received: from orange-en1.sbone.de (orange-en1.sbone.de [IPv6:fde9:577b:c1a9:31:cabc:c8ff:fecf:e8e3]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id 7D300BE47E1; Mon, 9 Apr 2012 20:29:00 +0000 (UTC) Mime-Version: 1.0 (Apple Message framework v1084) Content-Type: text/plain; charset=iso-8859-1 From: "Bjoern A. Zeeb" In-Reply-To: Date: Mon, 9 Apr 2012 20:29:00 +0000 Content-Transfer-Encoding: quoted-printable Message-Id: <4C505F2B-BB87-46EE-AEDF-549B0F0F4720@lists.zabbadoz.net> References: <493438014.49159.1333999007132.JavaMail.root@mrelmx09.mrec.ar> To: Mark Felder X-Mailer: Apple Mail (2.1084) Cc: freebsd-jail@freebsd.org Subject: Re: Jail source address selection broken, patch for ping X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Apr 2012 20:29:03 -0000 On 9. Apr 2012, at 20:11 , Mark Felder wrote: > On Mon, 09 Apr 2012 14:16:47 -0500, Juan F. D=EDaz y D=EDaz = wrote: >=20 >> Mark, you can just run a jail with the setfib utility so you don't = need to modify all your scripts. >=20 > I don't think anyone here is understanding the issue and forcing a = routing table will not help. yeah you would need a dedicated FIB per VLAN and then still have the = problem that a single program like fping would try to reach a node in = each VLAN and would have to switch FIBs in between and everything; that = would require more patching of code. It would be different if it was a = VLAN per jail in which case you'd probably not have the problem in first = place;) /bz --=20 Bjoern A. Zeeb You have to have visions! It does not matter how good you are. 
It matters what good you do! From owner-freebsd-jail@FreeBSD.ORG Tue Apr 10 09:05:14 2012 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D6A53106564A for ; Tue, 10 Apr 2012 09:05:14 +0000 (UTC) (envelope-from anders.hagman@netplex.se) Received: from smtp-out21.han.skanova.net (smtp-out21.han.skanova.net [195.67.226.208]) by mx1.freebsd.org (Postfix) with ESMTP id 311118FC12 for ; Tue, 10 Apr 2012 09:05:14 +0000 (UTC) Received: from [10.1.10.17] (31.210.252.116) by smtp-out21.han.skanova.net (8.5.133) (authenticated as u48002568) id 4F5CBA4E00AC8F54; Tue, 10 Apr 2012 11:03:26 +0200 Mime-Version: 1.0 (Apple Message framework v1257) Content-Type: text/plain; charset=iso-8859-1 From: Anders Hagman In-Reply-To: Date: Tue, 10 Apr 2012 11:03:22 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: <903CBCF8-5096-4C5B-A5A9-F8495AA8751C@netplex.se> References: <493438014.49159.1333999007132.JavaMail.root@mrelmx09.mrec.ar> To: Mark Felder X-Mailer: Apple Mail (2.1257) Cc: freebsd-jail@freebsd.org Subject: Re: Jail source address selection broken, patch for ping X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Apr 2012 09:05:14 -0000 Hi I have done a test. 
My setup inside the jail: vlan102: flags=3D8843 metric 0 = mtu 1500 ether 00:19:db:d5:db:c5 inet 10.3.0.2 netmask 0xffffff00 broadcast 10.3.0.255 inet6 fe80::219:dbff:fed5:dbc5%vlan102 prefixlen 64 scopeid 0x3=20= nd6 options=3D21 media: Ethernet autoselect (100baseTX ) status: active vlan103: flags=3D8843 metric 0 = mtu 1500 ether 00:19:db:d5:db:c5 inet 10.4.0.2 netmask 0xffffff00 broadcast 10.4.0.255 inet6 fe80::219:dbff:fed5:dbc5%vlan103 prefixlen 64 scopeid 0x4=20= nd6 options=3D21 media: Ethernet autoselect (100baseTX ) status: active vlan104: flags=3D8843 metric 0 = mtu 1500 ether 00:19:db:d5:db:c5 inet 10.5.0.2 netmask 0xffffff00 broadcast 10.5.0.255 inet6 fe80::219:dbff:fed5:dbc5%vlan104 prefixlen 64 scopeid 0x5=20= nd6 options=3D21 media: Ethernet autoselect (100baseTX ) status: active My pings to the firewall. [root@webben ~]# ping -c 1 10.3.0.1 PING 10.3.0.1 (10.3.0.1): 56 data bytes 64 bytes from 10.3.0.1: icmp_seq=3D0 ttl=3D64 time=3D0.408 ms [root@webben ~]# ping -c 1 10.4.0.1 PING 10.4.0.1 (10.4.0.1): 56 data bytes 64 bytes from 10.4.0.1: icmp_seq=3D0 ttl=3D64 time=3D0.418 ms [root@webben ~]# ping -c 1 10.5.0.1 PING 10.5.0.1 (10.5.0.1): 56 data bytes 64 bytes from 10.5.0.1: icmp_seq=3D0 ttl=3D64 time=3D0.602 ms The log in the firewall saying the jail is using the right source = address. 10:45:54.250965 OPT5 10.5.0.2 10.5.0.1, type echo/0 ICMP 10:45:51.755278 OPT4 10.4.0.2 10.4.0.1, type echo/0 ICMP 10:45:48.931655 OPT3 10.3.0.2 10.3.0.1, type echo/0 ICMP I have used vnet jail to get your own IP stack. One strange thing is that tcpdump on the host can not see the packets. 9 apr 2012 kl. 22:11 skrev Mark Felder: > On Mon, 09 Apr 2012 14:16:47 -0500, Juan F. D=EDaz y D=EDaz = wrote: >=20 >> Mark, you can just run a jail with the setfib utility so you don't = need to modify all your scripts. >=20 > I don't think anyone here is understanding the issue and forcing a = routing table will not help. 
>=20 > root@jailhost:/# jls -v > JID Hostname Path > Name State > CPUSetID > IP Address(es) > 3 xymon.xxxxxx.net /usr/jails/xymon.xxxxxx.net > 3 ACTIVE > 2 > 66.xxx.xxx.xxx > 192.168.89.xxx <-- different vlans for each > 192.168.93.xxx > 192.168.94.xxx > 192.168.95.xxx > 192.168.96.xxx > 192.168.97.xxx >=20 >=20 > root@jailhost:/# ifconfig (edited output) > vlan989: flags=3D8843 metric 0 = mtu 1500 > options=3D103 > ether d4:ae:52:6a:ec:d9 > inet 192.168.89.xxx netmask 0xffffff00 broadcast 192.168.89.255 > inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan989 prefixlen 64 scopeid = 0x6 > nd6 options=3D21 > media: Ethernet autoselect (1000baseT ) > status: active > vlan: 989 parent interface: bce1 > vlan993: flags=3D8843 metric 0 = mtu 1500 > options=3D103 > ether d4:ae:52:6a:ec:d9 > inet 192.168.93.xxx netmask 0xffffff00 broadcast 192.168.93.255 > inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan993 prefixlen 64 scopeid = 0x7 > nd6 options=3D21 > media: Ethernet autoselect (1000baseT ) > status: active > vlan: 993 parent interface: bce1 > vlan994: flags=3D8843 metric 0 = mtu 1500 > options=3D103 > ether d4:ae:52:6a:ec:d9 > inet 192.168.94.xxx netmask 0xffffff00 broadcast 192.168.94.255 > inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan994 prefixlen 64 scopeid = 0x8 > nd6 options=3D21 > media: Ethernet autoselect (1000baseT ) > status: active > vlan: 994 parent interface: bce1 > vlan996: flags=3D8843 metric 0 = mtu 1500 > options=3D103 > ether d4:ae:52:6a:ec:d9 > inet 192.168.96.xxx netmask 0xffffff00 broadcast 192.168.96.255 > inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan996 prefixlen 64 scopeid = 0x9 > nd6 options=3D21 > media: Ethernet autoselect (1000baseT ) > status: active > vlan: 996 parent interface: bce1 > vlan997: flags=3D8843 metric 0 = mtu 1500 > options=3D103 > ether d4:ae:52:6a:ec:d9 > inet 192.168.97.xxx netmask 0xffffff00 broadcast 192.168.97.255 > inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan997 prefixlen 64 scopeid = 0xa > nd6 options=3D21 > media: Ethernet autoselect (1000baseT ) > status: active > 
vlan: 997 parent interface: bce1 >=20 >=20 >=20 >=20 >=20 > All of these vlan interfaces go into a SINGLE jail. Setting the fib = will not help; the jail already has the default routing table. The = problem is that you can't access these different VLANs with many network = utilities because it sets your source IP in the packet as the first IP = the jail has bound to it: 66.xxx.xxx.xxx > _______________________________________________ From owner-freebsd-jail@FreeBSD.ORG Tue Apr 10 22:14:37 2012 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A288B10657BF for ; Tue, 10 Apr 2012 22:14:37 +0000 (UTC) (envelope-from feld@feld.me) Received: from feld.me (unknown [IPv6:2607:f4e0:100:300::2]) by mx1.freebsd.org (Postfix) with ESMTP id 775A08FC14 for ; Tue, 10 Apr 2012 22:14:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=feld.me; s=blargle; h=In-Reply-To:Message-Id:From:Mime-Version:Date:References:Subject:To:Content-Type; bh=KxFJWd/3/ou+uD2RkjTTiuMgclJaSrDflSfXhOF9QZw=; b=PrEfbaNnvZeysYyEKuRjeFx5t2QD8Tby5dZ2lDyT/hpnkek/VHYGotvdY+2RxT9sjqQT1cSM1qe/J8LY1kCqNGNh20EDvDFZTqXmSTVvEKoax3o0w9CksRpl1Bsug6qG; Received: from localhost ([127.0.0.1] helo=mwi1.coffeenet.org) by feld.me with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1SHjKe-0009M9-HP for freebsd-jail@freebsd.org; Tue, 10 Apr 2012 17:14:37 -0500 Received: from feld@feld.me by mwi1.coffeenet.org (Archiveopteryx 3.1.4) with esmtpa id 1334096070-23734-23733/5/11; Tue, 10 Apr 2012 22:14:30 +0000 Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes To: freebsd-jail@freebsd.org References: <493438014.49159.1333999007132.JavaMail.root@mrelmx09.mrec.ar> <903CBCF8-5096-4C5B-A5A9-F8495AA8751C@netplex.se> Date: Tue, 10 Apr 2012 17:14:29 -0500 Mime-Version: 1.0 From: Mark Felder Message-Id: In-Reply-To: <903CBCF8-5096-4C5B-A5A9-F8495AA8751C@netplex.se> User-Agent: Opera 
Mail/11.62 (FreeBSD) X-SA-Score: -1.5 Subject: Re: Jail source address selection broken, patch for ping X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Apr 2012 22:14:37 -0000 On Tue, 10 Apr 2012 04:03:22 -0500, Anders Hagman wrote: > I have used vnet jail to get your own IP stack. > One strange thing is that tcpdump on the host can not see the packets. Yes, vnet avoids this issue. You shouldn't be able to tcpdump on the host to see the packets; those interfaces are now entirely owned by the jail. Unfortunately we cannot use vnet because it is very experimental still and I have been able to cause it to panic many times. From owner-freebsd-jail@FreeBSD.ORG Wed Apr 11 05:12:42 2012 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A1F2A106566B for ; Wed, 11 Apr 2012 05:12:42 +0000 (UTC) (envelope-from anders.hagman@netplex.se) Received: from smtp-out12.han.skanova.net (smtp-out12.han.skanova.net [195.67.226.212]) by mx1.freebsd.org (Postfix) with ESMTP id 0791A8FC15 for ; Wed, 11 Apr 2012 05:12:42 +0000 (UTC) Received: from [10.1.10.18] (31.210.252.116) by smtp-out12.han.skanova.net (8.5.133) (authenticated as u48002568) id 4F5CB81D00800DC4 for freebsd-jail@freebsd.org; Wed, 11 Apr 2012 07:11:51 +0200 References: <493438014.49159.1333999007132.JavaMail.root@mrelmx09.mrec.ar> <903CBCF8-5096-4C5B-A5A9-F8495AA8751C@netplex.se> From: Anders Hagman Content-Type: text/plain; charset=us-ascii X-Mailer: iPad Mail (9B176) In-Reply-To: Message-Id: Date: Wed, 11 Apr 2012 07:11:51 +0200 To: "freebsd-jail@freebsd.org" Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (1.0) Subject: Re: Jail source address selection broken, patch for ping X-BeenThere: 
freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Apr 2012 05:12:42 -0000 11 apr 2012 kl. 00:14 skrev Mark Felder : > On Tue, 10 Apr 2012 04:03:22 -0500, Anders Hagman wrote: >=20 >> I have used vnet jail to get your own IP stack. >> One strange thing is that tcpdump on the host can not see the packets. >=20 >=20 > Yes, vnet avoids this issue. You shouldn't be able to tcpdump on the host t= o see the packets; those interfaces are now entirely owned by the jail. I did tcpdump on the main vr0 interface and still no packets. > Unfortunately we cannot use vnet because it is very experimental still and= I have been able to cause it to panic many times. Just by running it or during start/stop?=
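The check Anders did by hand above (read the firewall's ICMP log and confirm that each echo request carries the address of the jail interface that sits on the destination's subnet), written out as an added example that is not part of the thread or of any FreeBSD code. It uses Anders' three vlan102/103/104 addresses and his three log lines, plus two constructed log lines that show the symptom Mark describes: the first jail address being used as the source for every VLAN. The log format and the OPTn interface names are taken from the firewall output quoted in the thread; any line that does not match that format is ignored.

```python
"""Flag ICMP echo requests whose source address is not on the destination's subnet.

Added example (not from the mailing-list thread). It automates the
comparison Anders Hagman made by eye: for a jail with one address per VLAN,
an echo request to a host on VLAN N must leave with that VLAN's address as
its source. A request that carries another jail address (the first one, in
the bug discussed in the thread) is reported.

Log line format, as quoted from the firewall in the thread:
    <timestamp> <iface> <src> <dst>, type echo/0 ICMP
"""
import ipaddress
import re

# Jail interfaces from Anders' test: netmask 0xffffff00 is a /24.
JAIL_INTERFACES = {
    "vlan102": ipaddress.ip_interface("10.3.0.2/24"),
    "vlan103": ipaddress.ip_interface("10.4.0.2/24"),
    "vlan104": ipaddress.ip_interface("10.5.0.2/24"),
}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+),"
    r"\s+type echo/0 ICMP$"
)


def expected_source(dst, interfaces=JAIL_INTERFACES):
    """Return the jail address on the same subnet as dst, or None if none covers it."""
    dst_addr = ipaddress.ip_address(dst)
    for iface in interfaces.values():
        if dst_addr in iface.network:
            return iface.ip
    return None


def parse_line(line):
    """Parse one firewall log line into its fields; None if it is not an echo line."""
    match = LOG_LINE.match(line.strip())
    return match.groupdict() if match else None


def check_lines(lines, interfaces=JAIL_INTERFACES):
    """Return (line, actual_src, expected_src) for every echo with a wrong source."""
    problems = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        want = expected_source(rec["dst"], interfaces)
        if want is None:
            # Destination is not on any jail VLAN; the default route applies
            # and there is no single right answer to compare against.
            continue
        if ipaddress.ip_address(rec["src"]) != want:
            problems.append((line, rec["src"], str(want)))
    return problems


# The first three lines are Anders' firewall log from the thread; the last two
# are constructed to show the symptom (first jail address used for every VLAN).
SAMPLE_LOG = [
    "10:45:54.250965 OPT5 10.5.0.2 10.5.0.1, type echo/0 ICMP",
    "10:45:51.755278 OPT4 10.4.0.2 10.4.0.1, type echo/0 ICMP",
    "10:45:48.931655 OPT3 10.3.0.2 10.3.0.1, type echo/0 ICMP",
    "10:46:10.000000 OPT4 10.3.0.2 10.4.0.1, type echo/0 ICMP",  # constructed
    "10:46:12.000000 OPT5 10.3.0.2 10.5.0.1, type echo/0 ICMP",  # constructed
]

if __name__ == "__main__":
    for line, src, want in check_lines(SAMPLE_LOG):
        print(f"wrong source {src} (expected {want}): {line}")
```

Run against the sample it reports only the two constructed lines. The same comparison works for Mark's non-vnet setup: the interface table is then the host's vlan989..vlan997 addresses, and a log line showing the 66.x address as source for a 192.168.9x.0/24 destination is exactly what this flags. It does not tell you which utility (ping, fping, a raw-socket monitor) sent the packet; pair the timestamp with the jail's own process activity for that.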