From: Dave Cottlehuber
To: freebsd-net@freebsd.org
Date: Wed, 05 Apr 2017 22:24:12 +0200
Subject: ngrep/tcpdump and cloned interfaces
List-Id: Networking and TCP/IP with FreeBSD

hi,

I posted this a week ago to freebsd-questions but got nothing. I hope it's suitable for asking here.

Today I wanted to observe traffic that is proxied via haproxy between IP addresses both bound to a lo1 cloned interface. To my surprise ngrep & tcpdump showed no activity on lo1, but it did show the expected traffic on lo0. Now I'm not even sure I understand what a cloned interface is anymore...

Why does this traffic appear on the other interface at all? Most importantly, does a jail with a lo1-bound IP address have any ability outside firewall rules to receive or view traffic using a lo0-bound IP in a different subnet?
# ngrep -texd lo0 port 1978
T 2017/03/29 19:45:17.838356 10.241.0.3:48176 -> 10.241.0.3:1978 [AP]
  50 4f 53 54 20 2f 72 70 63 2f 73 65 74 20 48 54    POST /rpc/set HT
  54 50 2f 31 2e 31 0d 0a 55 73 65 72 2d 41 67 65    TP/1.1..User-Age
  6e 74 3a 20 46 75 72 6c 3a 3a 48 54 54 50 2f 33    nt: Furl::HTTP/3
  2e 30 39 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70    .09..Content-Typ
  65 3a 20 74 65 78 74 2f 74 61 62 2d 73 65 70 61    e: text/tab-sepa

# sockstat -46l
# sockstat -46l |grep 1978
www         haproxy       36440 8  tcp4   10.241.0.0:1978       *:*
kyototycoon ktserver73187 6        tcp4   10.241.0.3:1978       *:*

# ifconfig snippets
lo0: flags=8049 metric 0 mtu 16384
        options=600003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21
        groups: lo
lo1: flags=8049 metric 0 mtu 16384
        options=600003
        inet 10.241.0.0 netmask 0xffff0000
        inet 10.241.0.3 netmask 0xffffffff
        inet 10.241.0.2 netmask 0xffffffff
        inet 10.241.0.1 netmask 0xffffffff
        inet 10.241.0.5 netmask 0xffffffff
        inet 10.241.0.4 netmask 0xffffffff
        nd6 options=29
        groups: lo

# /etc/pf.conf snippet
protocols = "{ tcp, udp, icmp }"
extl_if="lagg0"
jail_if="lo1"
jail_net = $jail_if:network
nat on $extl_if proto $protocols from $jail_net to any -> ($extl_if)

A+
Dave