Date:      Sat, 10 Feb 2018 08:52:21 +0100
From:      "O. Hartmann" <ohartmann@walstatt.org>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        "O. Hartmann" <ohartmann@walstatt.org>, freebsd-jail@freebsd.org, freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: VIMAGE: vnet, epair and lots of jails on bridgeX - routing
Message-ID:  <20180210085248.7b9af104@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <2D57FE3A-744A-4A44-B572-5338AB9E187D@lists.zabbadoz.net>
References:  <20180208093052.7f5d7a98@freyja.zeit4.iv.bundesimmobilien.de> <20180209172259.1ec9b9f4@thor.intern.walstatt.dynvpn.de> <2D57FE3A-744A-4A44-B572-5338AB9E187D@lists.zabbadoz.net>


On Fri, 09 Feb 2018 16:43:17 +0000
"Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> wrote:

> On 9 Feb 2018, at 16:22, O. Hartmann wrote:
>
> > On Thu, 8 Feb 2018 09:31:15 +0100
> > "O. Hartmann" <ohartmann@walstatt.org> wrote:
> >
> > Is this problem too trivial?
>
> I read through it yesterday and found myself in the position that I need
> a whiteboard or paper and pencil or an ASCII art of your situation.  But
> by the time I made it to the question I was basically lost.  Could you
> massively simplify this and maybe produce the ASCII art?
>
> /bz

All right.

I'm not much of an artist and at this very moment, I haven't much experience with neat
ASCII art tools. I'll provide a sketch later, but I will also simplify the situation.

Consider three "vswitches", basically based on the creation of bridges, bridge0, bridge1,
bridge2. Create at least three individual vnet-jails attached to each vbridge. Those
jails have epair pseudo devices. The jail itself owns the "a-part" of the epair and the
b-part is "member of the bridge". Each jail's epairXXXa has an IP assigned of the network
the vswitch is part of. I mention a- and b-part of the epair here, because I thought it
could matter, but I think for symmetry reasons it doesn't.

Now consider a further, special jail. This jail is supposed to have three epair devices,
each one is reaching into one of the vbridges. This jail is the router/routing jail.
Later, this jail should filter via IPFW the traffic between the three vbridges according
to rules, but this doesn't matter here, because the basics are not working as expected.

Now the problems. It doesn't matter on which jail of the three vswitches I log in, the
moment a vbridge has more than two member epairs (one is always a member of the routing
jail, now consider a database jail and a webserver jail), pinging each jail or the
routing jail fails. It works sometimes for a couple of ICMP packets and then stops.

If each vbridge has only one member jail, I have NO PROBLEMS traversing according to
the static routing rules from one vbridge to any other, say from vbridge1 to vbridge0 or
vbridge2 and any permutation of that.

The moment any of the bridges gets an additional member epair interface (so the bridge
has at least three members including the one reaching into the virtual router jail) the
vbridge seems to operate unpredictably (to me). Jails that are members of that vbridge
are unreachable by ping.

Technical information:

The kernel has options IPFIREWALL, VIMAGE. The host's ipfw (kernel) declines packets by
default. Each jail is configured to have ipfw "open".

Thanks for the patience.

Kind regards,

O. Hartmann
