From: Allan Jude
Date: Wed, 17 Dec 2014 15:53:35 -0500
To: freebsd-jail@freebsd.org
Subject: Re: only lo0 interface inside jail, no default gw
Message-ID: <5491ED4F.4040002@freebsd.org>
In-Reply-To: <0096d1968fd2758df224a9dea6934ddb@gritton.org>

On 2014-12-17 15:48, James Gritton wrote:
> On 2014-12-16 10:35, Alexander Lunev wrote:
>> Hello everyone.
>>
>> I'm trying to build jail environment on a new server with 10.1-R.
>> I've done that before on 9.2-R, but now I'm stuck with strange network
>> problem: no matter how I configure jail (old way through rc.conf jail_*
>> variables or via /etc/jail.conf), I don't see default gateway in jail's
>> routing table. At first I started with more complex config using separate
>> fib for jail, but it's not working even without fibs (or in fib 0). So,
>> here's what I have in the host system:
>>
>> # netstat -rn
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> default            10.1.1.1           UGS        em0.4
>> 10.1.1.0/24        link#4             U          em0.4
>> 10.1.1.205         link#4             UHS        lo0
>> 10.1.1.206         link#4             UHS        lo0
>> 127.0.0.1          link#3             UH         lo0
>> 127.0.0.2          link#3             UH         lo0
>>
>> # ifconfig
>> em0: flags=8843 metric 0 mtu 1500
>>         options=4219b
>>         ether 00:30:48:c1:e1:b4
>>         nd6 options=29
>>         media: Ethernet autoselect (1000baseT )
>>         status: active
>> lo0: flags=8049 metric 0 mtu 16384
>>         options=600003
>>         inet6 ::1 prefixlen 128
>>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>>         inet 127.0.0.1 netmask 0xff000000
>>         inet 127.0.0.2 netmask 0xff000000
>>         nd6 options=21
>> em0.4: flags=8843 metric 0 mtu 1500
>>         options=103
>>         ether 00:30:48:c1:e1:b4
>>         inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
>>         inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
>>         nd6 options=29
>>         media: Ethernet autoselect (1000baseT )
>>         status: active
>>         vlan: 4 parent interface: em0
>>
>> I can ping internet from a host via gateway 10.1.1.1
>>
>> And here's what I have in jail:
>>
>> ====== BOF /etc/jail.conf =========
>> exec.start = "/bin/sh /etc/rc";
>> exec.stop = "/bin/sh /etc/rc.shutdown";
>> mount.devfs;
>> allow.raw_sockets;
>> path = "/usr/jails/$name";
>>
>> template {
>>     jid = 1;
>>     ip4.addr = "em0.4|10.1.1.206/24";
>>     ip4.addr += "lo0|127.0.0.2/8";
>>     host.hostname = template;
>> }
>> ====== EOF /etc/jail.conf =========
>>
>> # jexec 1 netstat -rn
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> 10.1.1.206         link#4             UHS        lo0
>> 127.0.0.2          link#3             UH         lo0
>>
>> I can ping gateway from jail
>>
>> # jexec 1 ping 10.1.1.1
>> PING 10.1.1.1 (10.1.1.1): 56 data bytes
>> 64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.366 ms
>> ^C
>>
>> But not the Internet or anything via routing.
>>
>> I have no default gateway in jail - why? What have I missed in this new
>> jail implementation since 9.2-R?
>
> The netstat output is no surprise. I don't know if it was before or
> after 9.2, but jails don't see routes that don't involve their own IP
> addresses, and that includes the default route.
>
> But that doesn't mean the default route isn't there. I have netstat
> output similar to yours, but packets still route as expected. I don't
> see anything in your jail.conf that looks wrong, so I'm afraid I can't
> say anything more than "it looks like it *should* work."
>
> - Jamie

The subnet mask of an alias should always be /32, not the actual subnet
mask.

Try that change in jail.conf, it should sort the issue.

-- 
Allan Jude
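
Added example, not part of the original message: a small Python check that applies the rule stated in the reply above (an interface alias in `ip4.addr` should carry a /32 mask) to the jail.conf quoted in the thread and prints the suggested replacement values. The function name `find_wide_alias_masks` and the embedded sample are constructed for illustration, and the parsing covers only simple `ip4.addr = ...;` statements.

```python
import ipaddress
import re

# Constructed sample: the jail.conf quoted in the thread.
SAMPLE_JAIL_CONF = '''
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;
allow.raw_sockets;
path = "/usr/jails/$name";

template {
    jid = 1;
    ip4.addr = "em0.4|10.1.1.206/24";
    ip4.addr += "lo0|127.0.0.2/8";
    host.hostname = template;
}
'''

# Matches "ip4.addr = ...;" and "ip4.addr += ...;" and captures the value list.
IP4_ADDR_RE = re.compile(r'^\s*ip4\.addr\s*\+?=\s*([^;]*);', re.MULTILINE)


def find_wide_alias_masks(conf_text):
    """Return (original, suggested) pairs for interface aliases not using /32."""
    findings = []
    for match in IP4_ADDR_RE.finditer(conf_text):
        for raw in match.group(1).split(','):
            value = raw.strip().strip('"\'')
            if '|' not in value:
                continue  # no interface named, so jail(8) adds no alias
            iface, _, addr_mask = value.partition('|')
            addr, _, mask = addr_mask.partition('/')
            if not mask:
                continue  # no explicit mask written, nothing to flag
            # Accepts CIDR ("24") and dotted-quad ("255.255.255.0") masks.
            prefix = ipaddress.IPv4Network(f'0.0.0.0/{mask}').prefixlen
            if prefix != 32:
                findings.append((value, f'{iface}|{addr}/32'))
    return findings


if __name__ == '__main__':
    for original, suggested in find_wide_alias_masks(SAMPLE_JAIL_CONF):
        print(f'{original} -> {suggested}')
```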