From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Date: Thu, 30 Apr 2009 23:58:59 +0000 (UTC)
To: Stefan Lambrev
Cc: freebsd-jail@freebsd.org
Subject: Re: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
Message-ID: <20090430234402.M15361@maildrop.int.zabbadoz.net>
In-Reply-To: <2FFE746D-9F46-4405-9CCE-01B3EF055EA0@moneybookers.com>
References: <20090207174104.Y93725@maildrop.int.zabbadoz.net> <49EF7D57.9010307@quip.cz> <2FFE746D-9F46-4405-9CCE-01B3EF055EA0@moneybookers.com>
X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842
List-Id: "Discussion about FreeBSD jail(8)"
X-List-Received-Date: Fri, 01 May 2009 00:00:12 -0000

On Thu, 30 Apr 2009, Stefan Lambrev wrote:

> Hi,
>
> On Apr 22, 2009, at 11:25 PM, Miroslav Lachman wrote:
>
>> Stefan Lambrev wrote:
>>> Hi,
>>> Does this allow multiple network interfaces to be used by a single
>>> jail instance?
>>
>> Yes, I am using it.
>>
> - cut -
>
> Basically it works, but I found another problem.
> I have created jails with 2 IPs on different interfaces on two servers.
> The first IP is on the "external" interface and the second IP is on the
> internal interface.
> As expected, if I send packets from the host (outside the jail) their
> source address matches the IP of the interface (from which they are
> leaving the machine), but if I send packets from the jail they always go
> out with a source address equal to the first IP of the jail, even when
> they are going out through the second interface.
>
> I do not know if this matters, but in my case the internal interface has
> a few vlans and the IP is set on the vlan, not directly on the interface.
>
> Here is some output from the jail which can be useful:
>
> igb0: flags=8843 metric 0 mtu 1500
>         options=19b
>         ether 00:30:48:9c:3a:0a
>         inet 192.168.3.100 netmask 0xffffffff broadcast 192.168.3.100
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
> igb1.2: flags=8843 metric 0 mtu 1500
>         options=3
>         ether 00:30:48:9c:3a:0b
>         inet 10.35.1.1 netmask 0xffffff00 broadcast 10.35.1.255
>         media: Ethernet autoselect (1000baseTX )
>         status: active
>         vlan: 2 parent interface: igb1
>
> And here is the tcpdump from igb1.2 when trying to ping 10.35.1.2 from
> inside the jail:
>
> 17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 0, length 64
> 17:20:05.110321 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 1, length 64
>
> Any idea how this can be fixed?
>
> P.S. I know I can rewrite outgoing packets with the firewall, but that
> is not performance-wise, and I expect a lot of udp multicast through
> igb1.2, that's why this doesn't look like a proper solution for me.

1) You turned on a non-default feature permitting raw-ip-sockets from
   inside jails. You lost supp^Wpredictability. Well, not really, but
   this is just the beware-of reminder.

2) You are using 1) with ping to test source address selection, which
   will not work well. There is more magic involved. Does it work
   properly and as requested with ping -S ?

3) Turn off 1) and/or use telnet, ssh, or nc to test outgoing
   connections in each direction. Does source address selection work
   here as expected?

4) Jails do not support MC. You'll have to wait for full-blown network
   stack virtualization.

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
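As an added example (not part of the thread, and not FreeBSD's or either poster's code): a small Python audit that models the two-address jail from the message above, 192.168.3.100/32 on igb0 (external) and 10.35.1.1/24 on igb1.2 (internal VLAN), works out which source address a normal host would pick for a given destination, and scans a `tcpdump -n` capture taken on an interface for packets that left through it carrying another interface's address, which is exactly what the two quoted ICMP lines show. The expected-source logic is a simplified model (longest matching connected prefix, else the interface of the default route, assumed here to be igb0), not the FreeBSD kernel's algorithm. The capture text is constructed: the two ICMP lines are the ones posted, the TCP lines are made up to show a correctly sourced connection and its inbound reply, which the audit must not flag. To produce a real capture while following point 3 of the reply, run something like `nc -s 10.35.1.1 10.35.1.2 22` from inside the jail (or `ping -S 10.35.1.1 10.35.1.2` for point 2) while `tcpdump -ni igb1.2` runs on the host, then feed the saved output to `audit_capture`.

```python
"""Audit jail source-address selection from tcpdump -n output (added example)."""
import ipaddress
import re

# Jail addresses per interface, taken from the ifconfig output in the thread.
JAIL_IFACE_ADDRS = {
    "igb0": ipaddress.ip_interface("192.168.3.100/32"),  # external
    "igb1.2": ipaddress.ip_interface("10.35.1.1/24"),    # internal, vlan 2 on igb1
}
DEFAULT_IFACE = "igb0"  # assumption: the default route leaves via the external interface


def expected_source(dst, iface_addrs=JAIL_IFACE_ADDRS, default_iface=DEFAULT_IFACE):
    """Simplified host-style selection: the interface whose connected prefix
    contains dst (longest prefix wins), else the default route's interface.
    Returns (iface, source_ip)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, ifa in iface_addrs.items():
        if dst in ifa.network and (best is None or ifa.network.prefixlen > best[1].network.prefixlen):
            best = (iface, ifa)
    if best is None:
        best = (default_iface, iface_addrs[default_iface])
    return best[0], str(best[1].ip)


# tcpdump -n prints "TIME IP SRC > DST: ..."; for TCP/UDP the endpoints carry a
# trailing ".port" (e.g. 10.35.1.1.54321 > 10.35.1.2.22). Verbose (-v) output
# with the "(tos ..." prefix is not handled here.
_PKT_RE = re.compile(r"^\S+ IP (\S+) > (\S+?): ")


def _host(endpoint):
    """Strip a trailing .port from an IPv4 endpoint as printed by tcpdump -n."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint


def parse_capture(lines):
    """Yield (src, dst) address pairs from tcpdump -n text lines."""
    for line in lines:
        m = _PKT_RE.match(line)
        if m:
            yield _host(m.group(1)), _host(m.group(2))


def audit_capture(iface, lines, iface_addrs=JAIL_IFACE_ADDRS):
    """Return (src, dst) pairs captured on `iface` that were sent by the jail
    (source is one of its addresses) but carry an address belonging to a
    different interface. Inbound packets from peers are ignored."""
    own = {str(ifa.ip) for ifa in iface_addrs.values()}
    want = str(iface_addrs[iface].ip)
    return [(src, dst) for src, dst in parse_capture(lines) if src in own and src != want]


# Constructed capture for igb1.2: the two ICMP lines are the ones quoted in the
# thread; the TCP lines are made up to show a correctly sourced connection.
SAMPLE_CAPTURE_IGB1_2 = """\
17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 0, length 64
17:20:05.110321 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 1, length 64
17:21:10.000000 IP 10.35.1.1.54321 > 10.35.1.2.22: Flags [S], seq 1, win 65535, length 0
17:21:10.000100 IP 10.35.1.2.22 > 10.35.1.1.54321: Flags [S.], seq 2, ack 2, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    print("expected source for 10.35.1.2:", expected_source("10.35.1.2"))
    print("expected source for 8.8.8.8:", expected_source("8.8.8.8"))
    for src, dst in audit_capture("igb1.2", SAMPLE_CAPTURE_IGB1_2):
        print(f"mis-sourced packet on igb1.2: {src} > {dst}")
```

The audit deliberately compares against the address configured on the capture interface rather than against `expected_source`, because the interface a packet actually left on is the ground truth; `expected_source` is only there to tell you which interface to capture on for a given destination.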