From: Allan Jude
Date: Thu, 18 Dec 2014 12:04:10 -0500
To: freebsd-jail@freebsd.org
Subject: Re: only lo0 interface inside jail, no default gw

On 2014-12-18 01:18, Alexander Lunev wrote:
> As I said in the message to Jamie Gritton, I found why jails couldn't ping
> the internet - I forgot to add the jail's address to the table which permitted NAT.
>
> Why should the subnet mask be /32? What harm could be done if the subnet mask of an
> alias is the same as for the other address of that interface?
>
> On Wed, Dec 17, 2014 at 11:53 PM, Allan Jude wrote:
>>
>> On 2014-12-17 15:48, James Gritton wrote:
>>> On 2014-12-16 10:35, Alexander Lunev wrote:
>>>> Hello everyone.
>>>>
>>>> I'm trying to build a jail environment on a new server with 10.1-R. I've
>>>> done that before on 9.2-R, but now I'm stuck with a strange network problem: no
>>>> matter how I configure the jail (the old way through rc.conf jail_* variables or
>>>> via /etc/jail.conf), I don't see a default gateway in the jail's routing table.
>>>> At first I started with a more complex config using a separate fib for the jail,
>>>> but it's not working even without fibs (or in fib 0). So, here's what I
>>>> have in the host system:
>>>>
>>>> # netstat -rn
>>>> Routing tables
>>>>
>>>> Internet:
>>>> Destination        Gateway            Flags     Netif Expire
>>>> default            10.1.1.1           UGS       em0.4
>>>> 10.1.1.0/24        link#4             U         em0.4
>>>> 10.1.1.205         link#4             UHS       lo0
>>>> 10.1.1.206         link#4             UHS       lo0
>>>> 127.0.0.1          link#3             UH        lo0
>>>> 127.0.0.2          link#3             UH        lo0
>>>>
>>>> # ifconfig
>>>> em0: flags=8843 metric 0 mtu 1500
>>>>         options=4219b
>>>>         ether 00:30:48:c1:e1:b4
>>>>         nd6 options=29
>>>>         media: Ethernet autoselect (1000baseT )
>>>>         status: active
>>>> lo0: flags=8049 metric 0 mtu 16384
>>>>         options=600003
>>>>         inet6 ::1 prefixlen 128
>>>>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>>>>         inet 127.0.0.1 netmask 0xff000000
>>>>         inet 127.0.0.2 netmask 0xff000000
>>>>         nd6 options=21
>>>> em0.4: flags=8843 metric 0 mtu 1500
>>>>         options=103
>>>>         ether 00:30:48:c1:e1:b4
>>>>         inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
>>>>         inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
>>>>         nd6 options=29
>>>>         media: Ethernet autoselect (1000baseT )
>>>>         status: active
>>>>         vlan: 4 parent interface: em0
>>>>
>>>> I can ping the internet from the host via gateway 10.1.1.1
>>>>
>>>> And here's what I have in the jail:
>>>>
>>>> ====== BOF /etc/jail.conf =========
>>>> exec.start = "/bin/sh /etc/rc";
>>>> exec.stop = "/bin/sh /etc/rc.shutdown";
>>>> mount.devfs;
>>>> allow.raw_sockets;
>>>> path = "/usr/jails/$name";
>>>>
>>>> template {
>>>>         jid = 1;
>>>>         ip4.addr = "em0.4|10.1.1.206/24";
>>>>         ip4.addr += "lo0|127.0.0.2/8";
>>>>         host.hostname = template;
>>>> }
>>>> ====== EOF /etc/jail.conf =========
>>>>
>>>> # jexec 1 netstat -rn
>>>> Routing tables
>>>>
>>>> Internet:
>>>> Destination        Gateway            Flags     Netif Expire
>>>> 10.1.1.206         link#4             UHS       lo0
>>>> 127.0.0.2          link#3             UH        lo0
>>>>
>>>> I can ping the gateway from the jail
>>>>
>>>> # jexec 1 ping 10.1.1.1
>>>> PING 10.1.1.1 (10.1.1.1): 56 data bytes
>>>> 64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.366 ms
>>>> ^C
>>>>
>>>> But not the Internet or anything via routing.
>>>>
>>>> I have no default gateway in the jail - why? What have I missed in this new
>>>> jail implementation since 9.2-R?
>>>
>>> The netstat output is no surprise. I don't know if it was before or
>>> after 9.2, but jails don't see routes that don't involve their own IP
>>> addresses, and that includes the default route.
>>>
>>> But that doesn't mean the default route isn't there. I have netstat
>>> output similar to yours, but packets still route as expected. I don't
>>> see anything in your jail.conf that looks wrong, so I'm afraid I can't
>>> say anything more than "it looks like it *should* work."
>>>
>>> - Jamie
>>
>> The subnet mask of an alias should always be /32, not the actual subnet
>> mask.
>>
>> Try that change in jail.conf; it should sort the issue.
>>
>> --
>> Allan Jude
>

If you have 2 IPs in the same subnet, with the subnet mask, then the
routing table may have trouble deciding which to use to access the
default gateway.

--
Allan Jude
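As an added check, not part of the thread, the shell function below reads ifconfig-style output and reports every alias that shares a subnet with an earlier address on the same interface while still carrying the full subnet mask instead of /32, which is the condition Allan describes. The ifconfig text is constructed to mirror the host in the thread (em0.4 with a /24 alias, lo0 with a /8 alias); a second sample shows the same host after the aliases are changed to /32.

```shell
#!/bin/sh
# Constructed ifconfig-style input modelled on the host in the thread:
# em0.4 carries a primary address plus an alias with the same /24 mask,
# and lo0 carries 127.0.0.2 as a /8 alias (the jail's lo0 address).
SAMPLE_IFCONFIG='em0.4: flags=8843 metric 0 mtu 1500
        inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
        inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
lo0: flags=8049 metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xff000000'

# The same constructed host after changing the alias masks to /32 (0xffffffff).
SAMPLE_FIXED='em0.4: flags=8843 metric 0 mtu 1500
        inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
        inet 10.1.1.206 netmask 0xffffffff broadcast 10.1.1.206
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xffffffff'

# Read ifconfig output on stdin; print one line for every inet address that
# lands in a subnet already covered by an earlier address on the same
# interface but is not a /32 host alias. Empty output means nothing to fix.
find_bad_aliases() {
    awk '
    # POSIX awk has no hex or bitwise support, so convert by hand.
    function hex2int(h,   i, v) {
        v = 0; sub(/^0x/, "", h)
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
        return v
    }
    function ip2int(s,   a) {
        split(s, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    /^[^ \t]+:/ { iface = $1; sub(/:$/, "", iface); split("", seen); next }
    $1 == "inet" {
        mask = hex2int($4)
        block = 4294967296 - mask    # addresses per subnet (contiguous mask)
        net = int(ip2int($2) / block) * block
        if ((net in seen) && mask != 4294967295)
            print iface ": " $2 " netmask " $4 " shares subnet with " seen[net] " but is not /32"
        if (!(net in seen)) seen[net] = $2
    }'
}

printf '%s\n' "$SAMPLE_IFCONFIG" | find_bad_aliases
```

Run the real thing with `ifconfig | find_bad_aliases` on the host; any line it prints names an alias whose mask in rc.conf or jail.conf should become /32.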