Date:      Mon, 26 Jun 2017 09:37:18 +1000
From:      Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To:        Rick Macklem <rmacklem@uoguelph.ca>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject:   Re: Kernel panic in nfsv4_loadattr
Message-ID:  <41f2553c-a9a6-f997-4b0a-1fe6c7603835@heuristicsystems.com.au>
In-Reply-To: <YTXPR01MB0189AEFF9AE549885A1F1373DDDE0@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
References:  <118188c1-6507-fd83-9d6e-94e304521011@physik.tu-berlin.de> <YTXPR01MB0189AEFF9AE549885A1F1373DDDE0@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>

Rick,
A minor point.  Jails don't break/disable 127.0.0.1, though they certainly
change its behaviour.
127.0.0.1 within a jail context is reassigned to the first IP that is
defined in jail.conf (or passed to the jail during creation).

So, for example, from a jail whose first IP, 10.0.7.96, is defined on em1,
when a ping occurs within the jail
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=42 time=0.039 ms

the tcpdump of lo0 (from the host system) becomes:
09:16:23.699627 IP 10.0.7.96 > 127.0.0.1: ICMP echo request, id 52014, seq 0, length 64
09:16:23.699671 IP 127.0.0.1 > 10.0.7.96: ICMP echo reply, id 52014, seq 0, length 64

Even though the jail itself has lo0 defined as
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
(i.e. no explicit 127 subnet).

This has significant security issues and requires careful firewalling
attention.

As an aside, a reasonable approach is to assign an IP to lo0 (for the
jail); then, from a jail with first IP 10.0.7.91,
# ping -c 1 127.0.0.1
becomes
09:25:23.348288 IP 127.1.5.91 > 127.0.0.1: ICMP echo request, id 25647, seq 0, length 64
09:25:23.348319 IP 127.0.0.1 > 127.1.5.91: ICMP echo reply, id 25647, seq 0, length 64

A much better outcome - in terms of not needing to allow a possibly
external IP to access lo0 :)

This may provide further insight into jail/network issues?
Cheers.
PS: Oh, and the first IP of a jail also becomes its default route.
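The two jail set-ups the message contrasts, written out as an added jail.conf example (this is not from the original message, nor FreeBSD's own documentation). The jail names, paths and hostnames are hypothetical, and listing the loopback address first in the second jail is an assumption based on the message's statement that the first address is the one 127.0.0.1 is rewritten to:

```conf
# /etc/jail.conf -- added example, not from the original message.
# Jail names, paths and hostnames below are hypothetical.

# Settings common to both jails
path = "/usr/jails/$name";
host.hostname = "$name.example.internal";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;

# Case 1: the situation described in the message. The jail's only (and
# therefore first) address is 10.0.7.96 on em1, so inside the jail
# 127.0.0.1 is rewritten to 10.0.7.96. Traffic a daemon expects to see
# on loopback then arrives from a routable address, which is why the
# host's lo0 firewall rules must explicitly allow 10.0.7.96.
jail96 {
    interface = "em1";
    ip4.addr = 10.0.7.96;
}

# Case 2: the approach suggested in the message. A 127/8 address is
# also assigned to lo0 for the jail and listed first (assumption: the
# first address is the one 127.0.0.1 is rewritten to), so loopback
# traffic from the jail stays inside 127/8 and no external address
# needs to be permitted on lo0.
jail91 {
    ip4.addr = "lo0|127.1.5.91/32";
    ip4.addr += "em1|10.0.7.91/24";
}
```

To confirm which case you are in, run `ping -c 1 127.0.0.1` inside the jail while `tcpdump -ni lo0` runs on the host: a source of 10.0.7.96 is case 1, a source of 127.1.5.91 is case 2, matching the two captures quoted in the message.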