From owner-freebsd-net@FreeBSD.ORG Sat Mar 14 21:35:16 2009
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EB0B1106564A for ; Sat, 14 Mar 2009 21:35:15 +0000 (UTC) (envelope-from julian@elischer.org)
Received: from outY.internet-mail-service.net (outy.internet-mail-service.net [216.240.47.248]) by mx1.freebsd.org (Postfix) with ESMTP id CDD068FC0C for ; Sat, 14 Mar 2009 21:35:15 +0000 (UTC) (envelope-from julian@elischer.org)
Received: from idiom.com (mx0.idiom.com [216.240.32.160]) by out.internet-mail-service.net (Postfix) with ESMTP id C212660793; Sat, 14 Mar 2009 14:35:17 -0700 (PDT)
X-Client-Authorized: MaGic Cook1e
Received: from julian-mac.elischer.org (home.elischer.org [216.240.48.38]) by idiom.com (Postfix) with ESMTP id 0C1482D601D; Sat, 14 Mar 2009 14:35:14 -0700 (PDT)
Message-ID: <49BC2317.3050009@elischer.org>
Date: Sat, 14 Mar 2009 14:35:19 -0700
From: Julian Elischer
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: Stefan Bethke
References: <20090314174526.E96785@maildrop.int.zabbadoz.net>
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "Bjoern A. Zeeb" , freebsd-net@freebsd.org
Subject: Re: Multi-homing, jails, and source address selection
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 14 Mar 2009 21:35:16 -0000

Stefan Bethke wrote:
> On 14.03.2009 at 19:01, Bjoern A. Zeeb wrote:
>
>> On Thu, 12 Mar 2009, Stefan Bethke wrote:
>>
>>> I'm having some trouble configuring a dual-homed jail host, running
>>> -current from about 4 weeks ago.
>>> ...
>>> Is there any documentation on how source addresses are selected? I
>>> thought I remembered that on unbound sockets the destination route
>>> would be used to pick the first address of the outgoing interface as
>>> the source address; the same address would be picked on connecting a
>>> socket.
>>
>> sys/netinet/in_pcb.c:in_pcbladdr() is your friend -
>> http://fxr.watson.org/fxr/source/netinet/in_pcb.c#L546
>>
>> This is the case you are running into:
>> http://fxr.watson.org/fxr/source/netinet/in_pcb.c#L628
>> /*
>>  * If the outgoing interface on the route found is not
>>  * a loopback interface, use the address from that interface.
>>  * In case of jails do those three steps:
>>  * 1. check if the interface address belongs to the jail. If so use it.
>>  * 2. check if we have any address on the outgoing interface
>>  *    belonging to this jail. If so use it.
>>  * 3. as a last resort return the 'default' jail address.
>>  */
>>
>> so you are hitting "3." .
>>
>> I am not sure but I'd assume
>> ifconfig tun0 10.0.63.3 10.0.63.255 alias
>> would work, just not with the logic to create the IPs upon jail start
>> (and we will not accept patches to handle that;).
>
> This is what I figured is happening.
>
> For the time being, I've gone back to single-homed; I'm using pf binat
> rules to map public IPs to the VPN ones for the jails. Not perfect, but
> works for most cases. (The only really missing option is to bind a
> service in the jail to the VPN address only, so it's only accessible over
> the VPN, but I can enforce that through pf or hosts.allow.)
>
> Assigning aliases to tun0 appears to work too, but you need a distinct
> destination address for each alias. Annoying.
>
> Since I'm using "topology subnet" in OpenVPN, a point-to-point interface
> is conceptually slightly off; a broadcast interface would fit much
> nicer. This would also allow the standard rc.d/jail script to do its
> magic, if the necessary tun settings could be applied through ifconfig.
> Is there a specific reason this setting can only be done through an
> ioctl on the dev node, instead of through ifconfig? (Specifically
> TUNSIFMODE.)
>
> Additionally, this opens the way to run OpenVPN inside a jail, since all
> ifconfig and route setup would be done prior to OpenVPN starting up.
> (tun also downs the interface if the dev node is closed, but I have a
> feeling that could be mediated somewhat easily as well.)

One of the things you can do is assign different routing tables to each
jail. This means that you can control which interface it will select as
the outgoing interface.

setfib -{0-15} jail (jail args)

>
>
> Thanks,
> Stefan
>
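As an added illustration of the three-step selection quoted from the in_pcbladdr() comment above, here is a small user-space model that replays that decision order on constructed interface and jail tables. It is written for this page and is not FreeBSD kernel code; the interface names, the jail name and the addresses (203.0.113.10, 10.0.63.1, 10.0.63.3) are made up, the jail's first address standing in for the "default" jail address of step 3 is an assumption of the model, and the jail_owns() lookup stands in for the kernel's prison address checks.

```c
/*
 * Added example for this page: a user-space model of the three-step,
 * jail-aware source-address selection described in the in_pcbladdr()
 * comment quoted in the thread. This is NOT the FreeBSD kernel code; it
 * only replays the decision order on constructed tables so the "step 3"
 * outcome can be seen. Names and addresses below are made up.
 */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_ADDRS 8

/* An interface and the IPv4 addresses configured on it. addrs[0] is the
 * address the route lookup returned (the "interface address" of step 1);
 * the rest are aliases. */
struct iface {
    const char *name;
    const char *addrs[MAX_ADDRS];
    int naddrs;
};

/* A jail and the addresses it is allowed to use. Assumption of this model:
 * addrs[0] is the jail's 'default' address used by step 3. */
struct jail_ctx {
    const char *name;
    const char *addrs[MAX_ADDRS];
    int naddrs;
};

/* Does the jail own this address? (stand-in for the kernel's prison check) */
static bool jail_owns(const struct jail_ctx *j, const char *addr)
{
    for (int i = 0; i < j->naddrs; i++)
        if (strcmp(j->addrs[i], addr) == 0)
            return true;
    return false;
}

/*
 * Pick the source address for an unbound socket in jail j whose route goes
 * out via ifp. Returns the step (1, 2 or 3) that decided and stores the
 * chosen address in *out (NULL only if the jail has no addresses at all).
 */
static int select_source(const struct jail_ctx *j, const struct iface *ifp,
                         const char **out)
{
    /* Step 1: the route's interface address belongs to the jail? Use it. */
    if (ifp->naddrs > 0 && jail_owns(j, ifp->addrs[0])) {
        *out = ifp->addrs[0];
        return 1;
    }
    /* Step 2: any other address on the outgoing interface owned by the jail? */
    for (int i = 1; i < ifp->naddrs; i++) {
        if (jail_owns(j, ifp->addrs[i])) {
            *out = ifp->addrs[i];
            return 2;
        }
    }
    /* Step 3: last resort, the jail's default address, which may sit on a
     * completely different interface from the one the route chose. */
    *out = (j->naddrs > 0) ? j->addrs[0] : NULL;
    return 3;
}

/* Constructed dual-homed host: the public address lives on another
 * interface, tun0 is the VPN with 10.0.63.1 on the host side, and the jail
 * owns only its public address. Traffic routed via tun0 therefore leaves
 * with the public address as source (step 3). */
static int scenario_no_alias(const char **src)
{
    const struct iface tun0 = { "tun0", { "10.0.63.1" }, 1 };
    const struct jail_ctx web = { "web", { "203.0.113.10" }, 1 };
    return select_source(&web, &tun0, src);
}

/* Same host after an alias like "ifconfig tun0 10.0.63.3 ... alias" has
 * been added and 10.0.63.3 has been given to the jail: step 2 now finds a
 * VPN-side address the jail owns. */
static int scenario_with_alias(const char **src)
{
    const struct iface tun0 = { "tun0", { "10.0.63.1", "10.0.63.3" }, 2 };
    const struct jail_ctx web = { "web", { "203.0.113.10", "10.0.63.3" }, 2 };
    return select_source(&web, &tun0, src);
}

int main(void)
{
    const char *src;
    int step;

    step = scenario_no_alias(&src);
    printf("no alias on tun0: step %d -> source %s\n", step, src);
    step = scenario_with_alias(&src);
    printf("alias on tun0:    step %d -> source %s\n", step, src);
    return 0;
}
```

The model makes the two remedies in the thread easy to compare: adding an alias on tun0 that the jail owns changes what step 2 finds on the same outgoing interface, whereas starting the jail under a different FIB changes which interface (and hence which address list) the route lookup hands to the selection in the first place.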