From: Stefan Bethke <stb@lassitu.de>
To: "Bjoern A. Zeeb"
Cc: freebsd-net@freebsd.org
Date: Sat, 14 Mar 2009 21:22:04 +0100
Subject: Re: Multi-homing, jails, and source address selection
In-Reply-To: <20090314174526.E96785@maildrop.int.zabbadoz.net>

On 14.03.2009 at 19:01, Bjoern A. Zeeb wrote:

> On Thu, 12 Mar 2009, Stefan Bethke wrote:
>
>> I'm having some trouble configuring a dual-homed jail host, running
>> -current from about 4 weeks ago.
>> ...
>> Is there any documentation on how source addresses are selected? I
>> thought I remembered that on unbound sockets the destination route
>> would be used to pick the first address of the outgoing interface
>> as the source address; the same address would be picked on
>> connecting a socket.
>
> sys/netinet/in_pcb.c:in_pcbladdr() is your friend -
> http://fxr.watson.org/fxr/source/netinet/in_pcb.c#L546
>
> This is the case you are running into:
> http://fxr.watson.org/fxr/source/netinet/in_pcb.c#L628
>
> /*
>  * If the outgoing interface on the route found is not
>  * a loopback interface, use the address from that interface.
>  * In case of jails do those three steps:
>  * 1. check if the interface address belongs to the jail. If so use it.
>  * 2. check if we have any address on the outgoing interface
>  *    belonging to this jail. If so use it.
>  * 3. as a last resort return the 'default' jail address.
>  */
>
> so you are hitting "3." .
>
> I am not sure but I'd assume
>   ifconfig tun0 10.0.63.3 10.0.63.255 alias
> would work, just not with the logic to create the IPs upon jail start
> (and we will not accept patches to handle that;).

This is what I figured is happening. For the time being, I've gone back to single-homed; I'm using pf binat rules to map public IPs to the VPN ones for the jails. Not perfect, but works for most cases. (The only really missing option is to bind a service in the jail to the VPN address only, so it's only accessible over the VPN, but I can enforce that through pf or hosts.allow.)

Assigning aliases to tun0 appears to work too, but you need a distinct destination address for each alias. Annoying. Since I'm using "topology subnet" in OpenVPN, a point-to-point interface is conceptually slightly off; a broadcast interface would fit much nicer. This would also allow the standard rc.d/jail script to do its magic, if the necessary tun settings could be applied through ifconfig. Is there a specific reason this setting can only be done through an ioctl on the dev node, instead of through ifconfig? (Specifically TUNSIFMODE.) Additionally, this opens the way to run OpenVPN inside a jail, since all ifconfig and route setup would be done prior to OpenVPN starting up.
(tun also downs the interface if the dev node is closed, but I have a feeling that could be mediated somewhat easily as well.)

Thanks,
Stefan

--
Stefan Bethke Fon +49 151 14070811
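The three-step jail source-address search quoted from the in_pcbladdr() comment, as an added, constructed user-space model (not kernel code and not from the FreeBSD tree) that reproduces the step-3 outcome discussed in the thread and shows how an alias on tun0 owned by the jail turns it into a step-2 hit; the interface, jail and address values are made up:

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_ADDRS 4

/* Hypothetical stand-ins for the kernel's ifnet and prison structures. */
struct ifnet {
    const char *name;
    const char *addrs[MAX_ADDRS];   /* addresses configured on the interface */
    int naddrs;
};

struct prison {
    const char *addrs[MAX_ADDRS];   /* addresses the jail may use; [0] is the 'default' */
    int naddrs;
};

static bool prison_owns(const struct prison *pr, const char *addr) {
    for (int i = 0; i < pr->naddrs; i++)
        if (strcmp(pr->addrs[i], addr) == 0) return true;
    return false;
}

/* route_ifa is the address the route lookup returned on the outgoing
 * interface ifp. Returns the step (1-3) that chose *laddr. */
int jail_select_laddr(const struct prison *pr, const struct ifnet *ifp,
                      const char *route_ifa, const char **laddr)
{
    /* 1. the route's interface address belongs to the jail: use it */
    if (prison_owns(pr, route_ifa)) { *laddr = route_ifa; return 1; }
    /* 2. any other address on the outgoing interface owned by the jail */
    for (int i = 0; i < ifp->naddrs; i++)
        if (prison_owns(pr, ifp->addrs[i])) { *laddr = ifp->addrs[i]; return 2; }
    /* 3. last resort: the jail's default address, even though it is not on ifp */
    *laddr = pr->addrs[0];
    return 3;
}

int main(void) {
    /* constructed dual-homed host: traffic to the VPN leaves via tun0 */
    struct ifnet tun0 = { "tun0", { "10.0.63.1" }, 1 };
    struct prison j = { { "192.0.2.10" }, 1 };     /* jail only has a public IP */
    const char *src;
    int step = jail_select_laddr(&j, &tun0, "10.0.63.1", &src);
    printf("step %d -> %s\n", step, src);          /* step 3 -> 192.0.2.10 */
    tun0.addrs[tun0.naddrs++] = "10.0.63.3";       /* alias on tun0, given to the jail */
    struct prison j2 = { { "192.0.2.10", "10.0.63.3" }, 2 };
    step = jail_select_laddr(&j2, &tun0, "10.0.63.1", &src);
    printf("step %d -> %s\n", step, src);          /* step 2 -> 10.0.63.3 */
    return 0;
}
```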