From: Alexander Lunev
Date: Thu, 18 Dec 2014 10:18:19 +0400
Subject: Re: only lo0 interface inside jail, no default gw
To: Allan Jude
Cc: freebsd-jail@freebsd.org
List-Id: "Discussion about FreeBSD jail(8)"

As I said in my message to Jamie Gritton, I found why the jails couldn't ping the internet: I forgot to add the jail's address to the table that is permitted to NAT.

Why should the subnet mask be /32? What harm could be done if the subnet mask of an alias is the same as for the other address of that interface?

On Wed, Dec 17, 2014 at 11:53 PM, Allan Jude wrote:
>
> On 2014-12-17 15:48, James Gritton wrote:
> > On 2014-12-16 10:35, Alexander Lunev wrote:
> >> Hello everyone.
> >>
> >> I'm trying to build a jail environment on a new server with 10.1-R. I've
> >> done that before on 9.2-R, but now I'm stuck with a strange network problem: no
> >> matter how I configure the jail (the old way through rc.conf jail_* variables or
> >> via /etc/jail.conf), I don't see a default gateway in the jail's routing table.
> >> At first I started with a more complex config using a separate fib for the jail,
> >> but it's not working even without fibs (or in fib 0). So, here's what I
> >> have in the host system:
> >>
> >> # netstat -rn
> >> Routing tables
> >>
> >> Internet:
> >> Destination        Gateway            Flags     Netif Expire
> >> default            10.1.1.1           UGS       em0.4
> >> 10.1.1.0/24        link#4             U         em0.4
> >> 10.1.1.205         link#4             UHS       lo0
> >> 10.1.1.206         link#4             UHS       lo0
> >> 127.0.0.1          link#3             UH        lo0
> >> 127.0.0.2          link#3             UH        lo0
> >>
> >> # ifconfig
> >> em0: flags=8843 metric 0 mtu 1500
> >>         options=4219b
> >>         ether 00:30:48:c1:e1:b4
> >>         nd6 options=29
> >>         media: Ethernet autoselect (1000baseT )
> >>         status: active
> >> lo0: flags=8049 metric 0 mtu 16384
> >>         options=600003
> >>         inet6 ::1 prefixlen 128
> >>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> >>         inet 127.0.0.1 netmask 0xff000000
> >>         inet 127.0.0.2 netmask 0xff000000
> >>         nd6 options=21
> >> em0.4: flags=8843 metric 0 mtu 1500
> >>         options=103
> >>         ether 00:30:48:c1:e1:b4
> >>         inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
> >>         inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
> >>         nd6 options=29
> >>         media: Ethernet autoselect (1000baseT )
> >>         status: active
> >>         vlan: 4 parent interface: em0
> >>
> >> I can ping the internet from the host via gateway 10.1.1.1
> >>
> >> And here's what I have in the jail:
> >>
> >> ====== BOF /etc/jail.conf =========
> >> exec.start = "/bin/sh /etc/rc";
> >> exec.stop = "/bin/sh /etc/rc.shutdown";
> >> mount.devfs;
> >> allow.raw_sockets;
> >> path = "/usr/jails/$name";
> >>
> >> template {
> >>     jid = 1;
> >>     ip4.addr = "em0.4|10.1.1.206/24";
> >>     ip4.addr += "lo0|127.0.0.2/8";
> >>     host.hostname = template;
> >> }
> >> ====== EOF /etc/jail.conf =========
> >>
> >> # jexec 1 netstat -rn
> >> Routing tables
> >>
> >> Internet:
> >> Destination        Gateway            Flags     Netif Expire
> >> 10.1.1.206         link#4             UHS       lo0
> >> 127.0.0.2          link#3             UH        lo0
> >>
> >> I can ping the gateway from the jail
> >>
> >> # jexec 1 ping 10.1.1.1
> >> PING 10.1.1.1 (10.1.1.1): 56 data bytes
> >> 64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.366 ms
> >> ^C
> >>
> >> But not the internet or anything via routing.
> >>
> >> I have no default gateway in the jail - why? What have I missed in this new
> >> jail implementation since 9.2-R?
> >
> > The netstat output is no surprise. I don't know if it was before or
> > after 9.2, but jails don't see routes that don't involve their own IP
> > addresses, and that includes the default route.
> >
> > But that doesn't mean the default route isn't there. I have netstat
> > output similar to yours, but packets still route as expected. I don't
> > see anything in your jail.conf that looks wrong, so I'm afraid I can't
> > say anything more than "it looks like it *should* work."
> >
> > - Jamie
>
> The subnet mask of an alias should always be /32, not the actual subnet
> mask
>
> Try that change in jail.conf, it should sort the issue.
>
> --
> Allan Jude

--
your sweet isn't ready yet
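The alias-netmask change Allan suggests in the quoted reply, as an added example that is not code from the thread or from FreeBSD's own tooling: a small POSIX sh lint that reads a jail.conf in the "iface|addr/prefix" form shown above, reports every ip4.addr value that carries an explicit prefix other than /32, and rewrites those values in place. The jail.conf embedded in the script is a constructed copy of the one Alexander posted. The function names, the decision to leave an entry with no explicit prefix untouched, and applying the same /32 treatment to the lo0 alias are my assumptions, not rules taken from jail(8).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: lint and rewrite
# ip4.addr entries in a jail.conf so that interface aliases carry a /32 prefix.
#
# Assumptions (mine, not jail(8)'s documented behaviour):
#   - entries use the "iface|addr/prefix" form seen in the thread;
#   - an entry with no explicit prefix is left alone;
#   - the lo0 alias gets the same /32 treatment as the em0.4 alias.

# Constructed copy of the jail.conf posted in the thread, used as sample input.
SAMPLE_JAIL_CONF='exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;
allow.raw_sockets;
path = "/usr/jails/$name";

template {
    jid = 1;
    ip4.addr = "em0.4|10.1.1.206/24";   # mask copied from em0.4 itself
    ip4.addr += "lo0|127.0.0.2/8";      # mask copied from lo0 itself
    host.hostname = template;
}'

# Print every ip4.addr value (the quoted string) from a jail.conf on stdin,
# one per line, after stripping '#' comments.
extract_ip4_addrs() {
    sed -e 's/#.*//' |
        awk -F'"' '/^[ \t]*ip4\.addr[ \t]*[+]?=/ { print $2 }'
}

# Exit 0 when an entry carries an explicit prefix or dotted netmask that is
# not a host mask; exit 1 when it is already /32 or 255.255.255.255, or has
# no prefix at all.
needs_host_mask() {
    case "$1" in
        */32|*/255.255.255.255) return 1 ;;
        */*)                     return 0 ;;
        *)                       return 1 ;;
    esac
}

# Replace whatever follows the last '/' in an entry with /32.
to_host_mask() {
    printf '%s\n' "${1%/*}/32"
}

# Report "old -> new" for every ip4.addr entry that would be rewritten.
lint_jail_conf() {
    extract_ip4_addrs | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if needs_host_mask "$entry"; then
            printf '%s -> %s\n' "$entry" "$(to_host_mask "$entry")"
        fi
    done
}

# Rewrite a whole jail.conf on stdin: any ip4.addr line whose quoted value
# ends in /<prefix or dotted netmask> gets /32 instead; other lines pass through.
fix_jail_conf() {
    sed -E 's#^([[:space:]]*ip4\.addr[[:space:]]*[+]?=[[:space:]]*"[^"/]+)/[0-9.]+"#\1/32"#'
}

# Stand-alone run: show the findings, then the corrected file.
printf '%s\n' "$SAMPLE_JAIL_CONF" | lint_jail_conf
echo '---'
printf '%s\n' "$SAMPLE_JAIL_CONF" | fix_jail_conf
```

The script deliberately touches only the prefix that follows the jail's address. The host-side address 10.1.1.205/24 on em0.4 is configured outside jail.conf and keeps its real mask, since it is what installs the 10.1.1.0/24 route seen in the host's netstat output; giving a same-subnet alias a 255.255.255.255 (/32) mask is the long-standing FreeBSD convention, which is what Allan's advice amounts to.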