From: "Bjoern A. Zeeb"
To: "Victor Sudakov"
Cc: "Miroslav Lachman" <000.fbsd@quip.cz>, freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: IPv6 in jails
Date: Wed, 18 Mar 2020 16:51:32 +0000

On 18 Mar 2020, at 15:50, Victor Sudakov wrote:

>> If sshd in the host is configured to listen on all available interfaces and
>> addresses (the default) then it will catch your jail's IP too.
>
> Why is it not catching the 192.168.4.204 address then?
>
>> You must configure sshd in the host to listen only on host's IP and then you
>> will connect to the jail's sshd.
>
> OK, I've stopped the sshd on the host entirely, and restarted the jails.
> Why am I still not seeing the jailed sshd listening on tcp6?

Can you check the logfile inside the jail and see if it complains?

Can you then do a jexec test4 and run service sshd restart and see if it starts working?

If it does, can you add an

    exec.start += "sleep 2 ";

to your config and see if your problem goes away?

If it does, the reason is that you configure an IPv6 address to an interface and DAD has not yet completed by the time sshd or other daemons start. Giving it the 2 seconds avoids this problem and the address is usable at that time.

> Your theory is probably incorrect.

The theory is incorrect. The jail will always take precedence (at least since the multi-IP jail patches in 2008).

/bz
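An alternative to the fixed `sleep 2` discussed in the message above, as an added example that is not part of the original mail or of FreeBSD: it polls `ifconfig` output until no inet6 address carries the `tentative` flag, and stops early if DAD marked an address `duplicated`. The function names, the `IFCONFIG_CMD` override and the 2001:db8:: sample address are assumptions of this example.

```sh
#!/bin/sh
# Added example: wait for IPv6 Duplicate Address Detection (DAD) to finish
# before daemons such as sshd bind, instead of sleeping a fixed time.

# Assumption of this example: the command is overridable so the logic can be
# exercised with canned output; by default the real ifconfig(8) is used.
: "${IFCONFIG_CMD:=ifconfig}"

# Constructed sample of ifconfig output while DAD is still running.
SAMPLE_TENTATIVE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.4.204 netmask 0xffffffff broadcast 192.168.4.204
	inet6 2001:db8::204 prefixlen 64 tentative'

# dad_state: read ifconfig output on stdin and print one of
#   ready | tentative | duplicated
# looking only at the flag words that follow the address on inet6 lines.
dad_state() {
    awk '
        $1 == "inet6" {
            for (i = 3; i <= NF; i++) {
                if ($i == "duplicated") dup = 1
                if ($i == "tentative")  tent = 1
            }
        }
        END {
            if (dup)       print "duplicated"
            else if (tent) print "tentative"
            else           print "ready"
        }'
}

# wait_for_dad [TRIES] [INTERVAL]
# Returns 0 when every inet6 address is usable, 1 on timeout,
# 2 when an address failed DAD (waiting longer will not help).
wait_for_dad() {
    tries=${1:-10}
    interval=${2:-1}
    while [ "$tries" -gt 0 ]; do
        state=$($IFCONFIG_CMD | dad_state)
        case $state in
            ready)      return 0 ;;
            duplicated) echo "wait_for_dad: duplicate IPv6 address" >&2; return 2 ;;
        esac
        tries=$((tries - 1))
        sleep "$interval"
    done
    echo "wait_for_dad: DAD still in progress, giving up" >&2
    return 1
}
```

Sourced from a start script, `wait_for_dad 10 1` can run before the daemons are started; a non-zero return is worth logging because the address is not usable in either case.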