From owner-freebsd-net@FreeBSD.ORG Thu Mar 3 12:20:44 2011
Date: Thu, 3 Mar 2011 12:03:23 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Alex Povolotsky
Cc: freebsd-net@FreeBSD.org
Subject: Re: jail source address selection doesn't work?
In-Reply-To: <4D6F3581.6010906@webmail.sub.ru>
References: <4D4FA3DA.7010004@webmail.sub.ru> <20110302214601.S13400@maildrop.int.zabbadoz.net> <4D6F3581.6010906@webmail.sub.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, 3 Mar 2011, Alex Povolotsky wrote:

Hi,

> 03.03.2011 0:48, Bjoern A. Zeeb wrote:
>> On Mon, 7 Feb 2011, Alex Povolotsky wrote:
>>>
>>> Okay, yes?
>>>
>>> From jail:
>>> ...
>>>
>>> What could I miss?...
>>
>> Don't use ping to test this. a) for ping inside the jail to work you
>> need to enable raw sockets b) a) could give you a hint that ping does
>> its own thing.
> Telnet did all the same thing.
>>
>> Try a telnet to a random port to the destination and verify with
>> tcpdump whether things are still not working correctly, or if you
>> establish the connection with netstat.
> I used telnet to connect to specific ports.
>
> Ok, let's try again
>
> 104:tarkhil@box2.u.energodata.local:...local/etc/ezjail # jls
>    JID  IP Address      Hostname                      Path
>      1  192.168.82.2    test                          /usr/jails/test
> 107:tarkhil@box2.u.energodata.local:...local/etc/ezjail # jls -j 1 ip4.saddrsel
> true
> 108:tarkhil@box2.u.energodata.local:...local/etc/ezjail # jls -j 1 ip4.addr
> 192.168.82.2,192.168.75.2
> 114:tarkhil@box2.u.energodata.local:...local/etc/ezjail # tcpdump -l -n -i bce0 host 192.168.82.2
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bce0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:27:54.492105 IP 192.168.82.2.50823 > 192.168.72.3.22: Flags [S], seq 3819433473, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 1306232522 ecr 0], length 0
> ...
>         inet 192.168.80.41 netmask 0xffffff00 broadcast 192.168.80.255
>         inet 192.168.75.2 netmask 0xffffff00 broadcast 192.168.75.255
>         inet 192.168.82.2 netmask 0xffffff00 broadcast 192.168.82.255
> ..
> In other words, source address is selected as primary IP, and packet runs out
> on 100% improper interface.
>
> No specific routing, no firewall.

Not sure what you expect.

Your jail has an address out of 192.168.82.2/24 and 192.168.75.2/24.
You are trying to connect to neither of those networks but 192.168.72.3.

Given the destination network does not match any directly connected
network and, based on your previous email, you don't have a route going
out a gateway of either of those two networks to 192.168.72.3, it's doing
the fallback to the "primary" jail IP, as expected.

You would need to add a more specific route to the destination via a
gateway of either connected network if you wanted a different source
address to be picked; if you just want to limit that to the single jail
but not the global system look at setfib for IPv4.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
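As an added illustration of the selection rule Bjoern describes (this is not code from the thread or from FreeBSD's in_pcb code, only a model of the rule): the route chosen for the destination decides the next hop, a jail address on the next hop's network is used if one exists, and otherwise the primary (first listed) jail address is the fallback. The jail addresses come from the jls output above; the routing table and the 192.168.72.0/24 route via 192.168.75.1 are constructed assumptions.

```python
import ipaddress

# Constructed model of jail IPv4 source-address selection as described in the
# thread, not FreeBSD's implementation: match the destination against the
# routing table, then pick the jail address sharing a network with the next
# hop; with no such address, fall back to the primary jail IP.


def lookup_route(routes, dst):
    """Longest-prefix match. routes: list of (prefix, gateway or None)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def select_source(jail_addrs, routes, dst):
    """jail_addrs: ordered 'addr/prefixlen' strings; the first is primary."""
    ifaces = [ipaddress.ip_interface(a) for a in jail_addrs]
    route = lookup_route(routes, dst)
    if route is None:
        return None  # no route at all: the connect() would fail
    _net, gw = route
    # Next hop is the gateway, or the destination itself on a connected net.
    nexthop = ipaddress.ip_address(gw) if gw else ipaddress.ip_address(dst)
    for ifa in ifaces:
        if nexthop in ifa.network:
            return str(ifa.ip)
    # Fallback the thread describes: the "primary" jail IP.
    return str(ifaces[0].ip)


JAIL = ["192.168.82.2/24", "192.168.75.2/24"]  # from the jls output
# Constructed host routing table: connected networks plus a default route
# via the host's own 192.168.80.0/24 network (assumed gateway 192.168.80.1).
ROUTES = [
    ("192.168.80.0/24", None),
    ("192.168.75.0/24", None),
    ("192.168.82.0/24", None),
    ("0.0.0.0/0", "192.168.80.1"),
]
# The fix Bjoern suggests: a more specific route via a gateway on a
# connected network (192.168.75.1 is an assumed gateway address).
FIXED_ROUTES = ROUTES + [("192.168.72.0/24", "192.168.75.1")]

if __name__ == "__main__":
    print(select_source(JAIL, ROUTES, "192.168.72.3"))        # 192.168.82.2
    print(select_source(JAIL, FIXED_ROUTES, "192.168.72.3"))  # 192.168.75.2
```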