Subject: Re: setfib (ez)jails and wierd routing
To: Marek Zarychta, Marko Cupać
Cc: freebsd-net@freebsd.org
References: <20171016162204.5d01a1b1@efreet-freebsd.kappastar.com> <20171016180728.GA32726@plan-b.pwste.edu.pl> <20171017202816.66a1664d@efreet-freebsd.kappastar.com> <20171017193016.GA19784@plan-b.pwste.edu.pl>
From: Julian Elischer
Date: Wed, 18 Oct 2017 11:04:38 +0800
In-Reply-To: <20171017193016.GA19784@plan-b.pwste.edu.pl>

On 18/10/17 3:30 am, Marek Zarychta wrote:
> On Tue, Oct 17, 2017 at 08:28:16PM +0200, Marko Cupać wrote:
>> On Mon, 16 Oct 2017 20:07:28 +0200
>> Marek Zarychta wrote:
>>
>>> Hi,
>>>
>>> try to set "ifconfig bce1 fib 2" after disabling PF.
>>> This should do the work.
>>
>> Hi Marek,
>>
>> thank you for your advice, it seems to be getting me closer to the
>> solution.
>>
>> PF is not enabled on this host. I've set `ifconfig bce1 fib 2'
>> interactively, and packets with source address of DMZ net disappeared
>> from LAN NIC (bce0 / fib 1).
>>
>> I wanted of course to have this automated, so I changed my rc.conf line
>> for bce1:
>> ifconfig_bce1="inet 193.53.106.7 netmask 255.255.255.0 fib 2"
>>
>> However, after restart I observed another undesirable situation -
>> packets with source address 193.53.106.7 leaving bce0 interface. I
>> found out those are generated by sysutils/py-salt master service
>> running directly on host (fib 0), bound to 193.53.106.7 (on interface
>> bce1, which is now set as fib 2 at boot time).
>>
>> Why is the outcome different when bce1 is set with fib 2 at boot time
>> from rc.conf from setting it at runtime?
>>
>> If setting bce1 with fib 2 at boot time from rc.conf, should I also
>> start services running directly on host and bound to bce1 in fib 2?
>> Would this be the correct rc.conf syntax for starting services in other
>> fibs (for salt):
>>
>> salt_master_enable="YES"
>> salt_master_fib="2"
>> salt_minion_enable="YES"
>> salt_minion_fib="2"
>
> Hi Marko,
>
> binding an interface to a FIB applies only to packets received on that
> interface (ifconfig(8)). IMHO py-salt works as expected and as before.
>
> If you wish to apply a FIB to packets belonging to the connections
> originating from the host, you should either start the service with
> setfib(1) or use appropriate firewall rules to assist this. With PF(4)
> it could be route-to or rtable options, see pf.conf(5)
>
> Best regards,

To me it sounds a bit like what you want to do is better achieved using
Vimage/Vnet on your jail.

As for using Fibs, you can make sure that the jail is started with
setfib, and that you always use setfib with jexec to ensure that all
processes in the jail inherit the correct fib setting.

The Fib on an interface just assigns that as a default fib for incoming
packets, no more.

We did have a set of changes that allowed an incoming packet to attach to
a socket that had no fib and set its fib to that socket. That set was
never really committed. (basically the server socket would take on the
fib for the interface on which the packet had arrived) I still hope to
get that change in one day.

Julian
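The thread's point is that an interface's fib only applies to received packets, so a service bound to an address on a fib-2 interface but started in fib 0 still sends via fib 0 (the 193.53.106.7 packets leaving bce0). The following POSIX sh script is an added example, not code from the thread or from FreeBSD: it audits an rc.conf for interfaces placed in a non-default fib and lists enabled services that have no `<name>_fib` line, assuming rc.subr(8)'s `${name}_fib` variable (which starts the service under setfib(1)); the sample rc.conf is constructed.

```shell
#!/bin/sh
# Audit an rc.conf(5) file for the mismatch discussed in the thread: an
# interface placed in a non-default FIB via "ifconfig_<if>=... fib N" while
# services bound to its address are still started in FIB 0, so their
# outbound packets are routed by FIB 0 and can leave the wrong NIC.
# Assumes rc.subr(8)'s ${name}_fib variable (runs the service via setfib(1)).

# fib_interfaces FILE -> prints "ifname fib" for each interface whose
# ifconfig_ line assigns a FIB other than 0.
fib_interfaces() {
    sed -n 's/^ifconfig_\([A-Za-z0-9]*\)="[^"]*fib \([0-9][0-9]*\).*/\1 \2/p' "$1" |
        awk '$2 != 0'
}

# services_without_fib FILE -> prints each service enabled with
# <name>_enable="YES" that has no <name>_fib="N" line.
services_without_fib() {
    file=$1
    sed -n 's/^\([A-Za-z0-9_]*\)_enable="[Yy][Ee][Ss]".*/\1/p' "$file" |
        while read -r svc; do
            grep -q "^${svc}_fib=\"[0-9][0-9]*\"" "$file" || printf '%s\n' "$svc"
        done
}

# audit_rc_fib FILE -> returns 0 when nothing needs review; returns 1 and
# lists the services whose FIB should be set (or started under setfib).
audit_rc_fib() {
    ifs=$(fib_interfaces "$1")
    [ -n "$ifs" ] || return 0
    printf 'interfaces in non-default FIBs:\n%s\n' "$ifs"
    missing=$(services_without_fib "$1")
    [ -n "$missing" ] || return 0
    printf 'enabled services without <name>_fib (outbound stays in FIB 0):\n%s\n' "$missing"
    return 1
}

# Constructed sample rc.conf modelled on the thread; not a real host's file.
SAMPLE_RC=$(mktemp)
cat > "$SAMPLE_RC" <<'EOF'
ifconfig_bce0="inet 10.0.0.7 netmask 255.255.255.0 fib 1"
ifconfig_bce1="inet 193.53.106.7 netmask 255.255.255.0 fib 2"
sshd_enable="YES"
salt_master_enable="YES"
salt_master_fib="2"
salt_minion_enable="YES"
EOF

if audit_rc_fib "$SAMPLE_RC"; then
    echo "rc.conf FIB assignments look consistent"
else
    echo "review the listed services: set <name>_fib or start them with setfib(1)"
fi
```

The audit cannot know which address each service binds, so it reports every enabled service lacking an explicit fib for review rather than proving a leak.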