Date:      Wed, 13 Mar 2019 23:13:00 +0000
From:      Grzegorz Junka <list1@gjunka.com>
To:        James Gritton <jamie@gritton.org>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: exec.fib and a jail in two subnets
Message-ID:  <8fc3d6df-9f8f-f07c-4e13-1ced74f5c0ad@gjunka.com>
In-Reply-To: <CAOq6oud5_q3Q3sxQXecoJus%2By3nr97Yia8N=_Ng0agqZi738iA@mail.gmail.com>
References:  <eae383df-72d4-0fe8-6613-cf34417e2260@gjunka.com> <6a245a1f51270c71d1da07c55ef51113@gritton.org> <e25f8982-2739-1622-0fac-c3548a7f2255@gjunka.com> <CAOq6oud5_q3Q3sxQXecoJus%2By3nr97Yia8N=_Ng0agqZi738iA@mail.gmail.com>


>> Many thanks for your response. The second example works with 10.0.0.1
>> but not with 172.16.0.1, otherwise there would be no post. Following on
>> your response, let's assume that a process (e.g. nginx) listens on both
>> IPs, 10.0.0.2 and 172.16.0.2. Is it possible to configure fibs or default
>> routes or whatever so that when a packet arrives from 10.0.0.1 it is
>> sent back to 10.0.0.1 and if it arrives from 172.16.0.1 it is sent back
>> to 172.16.0.1 (thus using default routes from either fib0 or fib1
>> depending on whether the packet came from a router in one of those
>> networks)? If not, would it be possible to do this with some iptables/pf
>> rules (which I understand in FreeBSD 12 should work in a jail with VNET)?

> My understanding (which I admit is imperfect) is that it's not
> possible with default routes alone.  At the application level, it
> would be possible if nginx was either fib-aware, or if it explicitly
> bound the source address of its replies - but neither of those are
> things typically done at the application level.
>
> It is possible however at the firewall level; At least I know it's
> possible for ipfw (the small corner of the firewall world that I
> use).  A quick check of ipf and ipfilter man pages didn't show "fib"
> anywhere, but don't take my word on those.  It also may require a
> VNET jail; I've never run a system with your exact setup so I'm
> unsure whether the binding to the first (non-vnet) jail address
> happens before or after the ipfilter rules.
>
> - Jamie


I am just playing with this now and what I see is that a jail can't be 
in two fibs at the same time. It looks like the host is able to select 
the default route depending on the subnet of the IP I want to reach, 
but in the jail, telnetting or otherwise trying to reach any IP that 
isn't in the same subnet as the fib specified in exec.fib does not 
work.

For example, in jail this works:

telnet 172.16.0.1 80

but this doesn't

telnet 10.0.0.1 80

On the host both work. And both the host and the jail have an IP and 
an alias in both subnets.
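
As an added example (not from the thread or from the jail(8)/ipfw(8) authors), here is the firewall-level approach Jamie refers to, written as a small sh script: ipfw setfib rules that tag a jail's outbound packets with a fib chosen by their source address, using the addresses from this thread. It assumes fib 0 has 10.0.0.1 and fib 1 has 172.16.0.1 as default route, net.fibs=2 at boot, ipfw loaded with a default allow policy, and a non-VNET jail sharing the host stack; the rule numbers are arbitrary.

```shell
#!/bin/sh
# Added example, not from the thread: pick the FIB for a jail's outbound
# packets by source address with ipfw setfib, so packets sourced from the
# jail's 172.16.0.2 alias route via fib 1 (default 172.16.0.1) and packets
# from 10.0.0.2 route via fib 0 (default 10.0.0.1).
# Assumed: net.fibs=2 in loader.conf, ipfw loaded with a default allow
# policy, non-VNET jail sharing the host stack. Rule numbers are arbitrary.

# Emit one ipfw command tagging packets from address $2 with fib $3 on
# the way out; $1 is the rule number.
fib_rule() {
    printf 'ipfw add %s setfib %s ip from %s to any out\n' "$1" "$3" "$2"
}

# Full rule list. setfib does not stop rule processing, so the packet
# still reaches any later allow/deny rules.
build_rules() {
    fib_rule 100 10.0.0.2 0
    fib_rule 110 172.16.0.2 1
}

# Run the rules as root on a host that has ipfw; elsewhere just print them
# so the rule set can be reviewed before it is installed.
apply_rules() {
    if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        build_rules | sh
    else
        build_rules
    fi
}

# Print the IPv4 default route of each fib (FreeBSD only) to confirm that
# fib 0 and fib 1 really differ before suspecting the jail configuration.
show_defaults() {
    for fib in 0 1; do
        printf 'fib %s: ' "$fib"
        setfib "$fib" netstat -rn -f inet | awk '$1 == "default" { print $2 }'
    done
}

apply_rules
```

A setfib rule only re-routes packets that are already being emitted, such as a listener's replies; it cannot rescue an outbound connect from the jail that fails earlier, at the route lookup in the jail's own fib.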
