From owner-freebsd-net@FreeBSD.ORG Tue Dec 16 21:47:05 2014
Date: Tue, 16 Dec 2014 13:47:03 -0800
Subject: Re: only lo0 interface inside jail, no default gw
From: Kevin Oberman
To: Alexander Lunev
Cc: "freebsd-net@freebsd.org"

On Tue, Dec 16, 2014 at 9:39 AM, Alexander Lunev wrote:
> Hello everyone.
>
> I'm trying to build a jail environment on a new server with 10.1-R. I did
> that before on 9.2-R, but now I'm stuck with a strange network problem: no
> matter how I configure the jail (the old way through rc.conf jail_* variables or
> via /etc/jail.conf), I don't see a default gateway in the jail's routing table.
> At first I started with a more complex config using a separate fib for the jail,
> but it's not working even without fibs (or in fib 0). So, here's what I
> have in the host system:
>
> # netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Netif Expire
> default            10.1.1.1           UGS      em0.4
> 10.1.1.0/24        link#4             U        em0.4
> 10.1.1.205         link#4             UHS      lo0
> 10.1.1.206         link#4             UHS      lo0
> 127.0.0.1          link#3             UH       lo0
> 127.0.0.2          link#3             UH       lo0
>
> # ifconfig
> em0: flags=8843 metric 0 mtu 1500
>         options=4219b
>         ether 00:30:48:c1:e1:b4
>         nd6 options=29
>         media: Ethernet autoselect (1000baseT )
>         status: active
> lo0: flags=8049 metric 0 mtu 16384
>         options=600003
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>         inet 127.0.0.1 netmask 0xff000000
>         inet 127.0.0.2 netmask 0xff000000
>         nd6 options=21
> em0.4: flags=8843 metric 0 mtu 1500
>         options=103
>         ether 00:30:48:c1:e1:b4
>         inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
>         inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
>         nd6 options=29
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         vlan: 4 parent interface: em0
>
> I can ping the internet from the host via gateway 10.1.1.1
>
> And here's what I have in the jail:
>
> ====== BOF /etc/jail.conf =========
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> mount.devfs;
> allow.raw_sockets;
> path = "/usr/jails/$name";
>
> template {
>         jid = 1;
>         ip4.addr = "em0.4|10.1.1.206/24";
>         ip4.addr += "lo0|127.0.0.2/8";
>         host.hostname = template;
> }
> ====== EOF /etc/jail.conf =========
>
> # jexec 1 netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Netif Expire
> 10.1.1.206         link#4             UHS      lo0
> 127.0.0.2          link#3             UH       lo0
>
> I can ping the gateway from the jail
>
> # jexec 1 ping 10.1.1.1
> PING 10.1.1.1 (10.1.1.1): 56 data bytes
> 64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.366 ms
> ^C
>
> But not the Internet or anything via routing.
>
> I have no default gateway in the jail - why? What have I missed in this new
> jail implementation since 9.2-R?
>
> Crossposted to freebsd-jail@

You lack a default route, so nothing will be reachable other than
10.1.1.206 and 127.0.0.2.

I just learned today that the handbook has a very nice tutorial on
jailing BIND. It will probably save a lot of time if you check it out at
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html#jails-ezjail-example-bind

As the handbook makes obvious, you really will find it a lot easier if
you use ezjail. It massively simplified working with jails.
--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
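The two `netstat -rn` listings above are the whole evidence in this thread, and the diagnosis ("you lack a default route") comes from reading them by eye. The script below is an added example, not code from the thread or from FreeBSD: it parses the IPv4 section of `netstat -rn` output into route objects, reports whether a default route exists, and does the longest-prefix match the kernel would do for a given destination, so the same check can be scripted across many jails. The two sample tables are constructed copies of the host and jail tables quoted in the message; the parser assumes the column order shown there (Destination, Gateway, Flags, Netif, optional Expire).

```python
"""Parse FreeBSD `netstat -rn` (IPv4 section) and answer two questions a
jail admin asks: is there a default route, and which route would carry a
packet to a given destination?  Added example; not part of the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the host's table as quoted in the thread.
HOST_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags    Netif Expire
default            10.1.1.1           UGS      em0.4
10.1.1.0/24        link#4             U        em0.4
10.1.1.205         link#4             UHS      lo0
10.1.1.206         link#4             UHS      lo0
127.0.0.1          link#3             UH       lo0
127.0.0.2          link#3             UH       lo0
"""

# Constructed sample: what `jexec 1 netstat -rn` showed inside the jail.
JAIL_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags    Netif Expire
10.1.1.206         link#4             UHS      lo0
127.0.0.2          link#3             UH       lo0
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_netstat_rn(text: str) -> List[Route]:
    """Return the IPv4 routes from `netstat -rn` output.

    Only the 'Internet:' section is read; an 'Internet6:' section, if
    present, is skipped.  'default' is normalised to 0.0.0.0/0 and a bare
    host address (no '/len') to a /32, which is how the kernel treats them.
    """
    routes: List[Route] = []
    in_v4 = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # section header, e.g. "Internet:"
            in_v4 = line == "Internet:"
            continue
        if not in_v4 or line.startswith("Destination") or line == "Routing tables":
            continue
        fields = line.split()
        if len(fields) < 4:             # malformed or truncated line: skip it
            continue
        dest, gateway, flags, netif = fields[:4]
        if dest == "default":
            prefix = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            prefix = ipaddress.IPv4Network(dest, strict=False)   # bare host -> /32
        routes.append(Route(prefix, gateway, flags, netif))
    return routes


def default_route(routes: List[Route]) -> Optional[Route]:
    """The 0.0.0.0/0 entry, or None when the table has no default gateway."""
    return next((r for r in routes if r.prefix.prefixlen == 0), None)


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match for dst; None means the packet has nowhere to go."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


if __name__ == "__main__":
    for name, table in (("host", HOST_TABLE), ("jail", JAIL_TABLE)):
        routes = parse_netstat_rn(table)
        d = default_route(routes)
        print(f"{name}: {len(routes)} routes, default via "
              f"{d.gateway + ' on ' + d.netif if d else 'NONE'}")
        hit = lookup(routes, "8.8.8.8")
        print(f"  8.8.8.8 -> {hit.prefix if hit else 'no route'}")
```

Run against the host table it reports a default via 10.1.1.1 on em0.4 and resolves 8.8.8.8 to that route; against the jail table it reports no default and no route for 8.8.8.8, which is the condition the reply points at. Feeding it `jexec <jid> netstat -rn` output for each jail turns that visual check into something a provisioning script can fail on.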