From owner-freebsd-jail@FreeBSD.ORG  Mon Apr  9 20:11:59 2012
Return-Path: <owner-freebsd-jail@FreeBSD.ORG>
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 9014B106564A
	for <freebsd-jail@freebsd.org>; Mon,  9 Apr 2012 20:11:59 +0000 (UTC)
	(envelope-from feld@feld.me)
Received: from feld.me (unknown [IPv6:2607:f4e0:100:300::2])
	by mx1.freebsd.org (Postfix) with ESMTP id 5369B8FC16
	for <freebsd-jail@freebsd.org>; Mon,  9 Apr 2012 20:11:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=feld.me;
	s=blargle; 
	h=In-Reply-To:Message-Id:From:Content-Transfer-Encoding:Mime-Version:Date:References:Subject:To:Content-Type;
	bh=3r81EjGwmNXpbPCliSlDSDAaaWtztZI4Vb9YojaZqiw=; 
	b=rVZtvuYktsHk0LIF22NyrVOoNleMM22pSouB40isLz962iASAE2W61qX2hA8HF8PMKtfpcP+jLkUhIfsnoTz+EfS3mpdk4ovzk0uiG6Uz2DeuAW7aAzN+qwau3hvcFJk;
Received: from localhost ([127.0.0.1] helo=mwi1.coffeenet.org)
	by feld.me with esmtp (Exim 4.77 (FreeBSD))
	(envelope-from <feld@feld.me>) id 1SHKwP-0009qi-Qc
	for freebsd-jail@freebsd.org; Mon, 09 Apr 2012 15:11:58 -0500
Received: from feld@feld.me by mwi1.coffeenet.org (Archiveopteryx 3.1.4)
	with esmtpa id 1334002311-23734-23733/5/7; Mon, 9 Apr 2012 20:11:51
	+0000
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
To: freebsd-jail@freebsd.org
References: <493438014.49159.1333999007132.JavaMail.root@mrelmx09.mrec.ar>
Date: Mon, 9 Apr 2012 15:11:50 -0500
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable
From: Mark Felder <feld@feld.me>
Message-Id: <op.wcik10bo34t2sn@tech304>
In-Reply-To: <493438014.49159.1333999007132.JavaMail.root@mrelmx09.mrec.ar>
User-Agent: Opera Mail/11.62 (FreeBSD)
X-SA-Score: -1.5
Subject: Re: Jail source address selection broken, patch for ping
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)" <freebsd-jail.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-jail>,
	<mailto:freebsd-jail-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-jail>
List-Post: <mailto:freebsd-jail@freebsd.org>
List-Help: <mailto:freebsd-jail-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-jail>,
	<mailto:freebsd-jail-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Apr 2012 20:11:59 -0000

On Mon, 09 Apr 2012 14:16:47 -0500, Juan F. D=C3=ADaz y D=C3=ADaz =20
<jfd@mrecic.gov.ar> wrote:

> Mark, you can just run a jail with the setfib utility so you don't =
need =20
> to modify all your scripts.

I don't think anyone here is understanding the issue and forcing a =
routing =20
table will not help.

root@jailhost:/# jls -v
    JID  Hostname                      Path
         Name                          State
         CPUSetID
         IP Address(es)
      3  xymon.xxxxxx.net            /usr/jails/xymon.xxxxxx.net
         3                             ACTIVE
         2
         66.xxx.xxx.xxx
         192.168.89.xxx  <-- different vlans for each
         192.168.93.xxx
         192.168.94.xxx
         192.168.95.xxx
         192.168.96.xxx
         192.168.97.xxx


root@jailhost:/# ifconfig   (edited output)
vlan989: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 =
mtu =20
1500
         options=3D103<RXCSUM,TXCSUM,TSO4>
         ether d4:ae:52:6a:ec:d9
         inet 192.168.89.xxx netmask 0xffffff00 broadcast 192.168.89.255
         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan989 prefixlen 64 scopeid 0x6
         nd6 options=3D21<PERFORMNUD,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active
         vlan: 989 parent interface: bce1
vlan993: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 =
mtu =20
1500
         options=3D103<RXCSUM,TXCSUM,TSO4>
         ether d4:ae:52:6a:ec:d9
         inet 192.168.93.xxx netmask 0xffffff00 broadcast 192.168.93.255
         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan993 prefixlen 64 scopeid 0x7
         nd6 options=3D21<PERFORMNUD,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active
         vlan: 993 parent interface: bce1
vlan994: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 =
mtu =20
1500
         options=3D103<RXCSUM,TXCSUM,TSO4>
         ether d4:ae:52:6a:ec:d9
         inet 192.168.94.xxx netmask 0xffffff00 broadcast 192.168.94.255
         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan994 prefixlen 64 scopeid 0x8
         nd6 options=3D21<PERFORMNUD,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active
         vlan: 994 parent interface: bce1
vlan996: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 =
mtu =20
1500
         options=3D103<RXCSUM,TXCSUM,TSO4>
         ether d4:ae:52:6a:ec:d9
         inet 192.168.96.xxx netmask 0xffffff00 broadcast 192.168.96.255
         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan996 prefixlen 64 scopeid 0x9
         nd6 options=3D21<PERFORMNUD,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active
         vlan: 996 parent interface: bce1
vlan997: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 =
mtu =20
1500
         options=3D103<RXCSUM,TXCSUM,TSO4>
         ether d4:ae:52:6a:ec:d9
         inet 192.168.97.xxx netmask 0xffffff00 broadcast 192.168.97.255
         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan997 prefixlen 64 scopeid 0xa
         nd6 options=3D21<PERFORMNUD,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active
         vlan: 997 parent interface: bce1





All of these vlan interfaces go into a SINGLE jail. Setting the fib will =
=20
not help; the jail already has the default routing table. The problem is =
=20
that you can't access these different VLANs with many network utilities =20
because it sets your source IP in the packet as the first IP the jail =
has =20
bound to it: 66.xxx.xxx.xxx