Date:      Tue, 10 Apr 2012 11:03:22 +0200
From:      Anders Hagman <anders.hagman@netplex.se>
To:        Mark Felder <feld@feld.me>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: Jail source address selection broken, patch for ping
Message-ID:  <903CBCF8-5096-4C5B-A5A9-F8495AA8751C@netplex.se>
In-Reply-To: <op.wcik10bo34t2sn@tech304>
References:  <493438014.49159.1333999007132.JavaMail.root@mrelmx09.mrec.ar> <op.wcik10bo34t2sn@tech304>

Hi


I have done a test.
My setup inside the jail:

vlan102: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:19:db:d5:db:c5
	inet 10.3.0.2 netmask 0xffffff00 broadcast 10.3.0.255
	inet6 fe80::219:dbff:fed5:dbc5%vlan102 prefixlen 64 scopeid 0x3
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vlan103: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:19:db:d5:db:c5
	inet 10.4.0.2 netmask 0xffffff00 broadcast 10.4.0.255
	inet6 fe80::219:dbff:fed5:dbc5%vlan103 prefixlen 64 scopeid 0x4
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vlan104: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:19:db:d5:db:c5
	inet 10.5.0.2 netmask 0xffffff00 broadcast 10.5.0.255
	inet6 fe80::219:dbff:fed5:dbc5%vlan104 prefixlen 64 scopeid 0x5
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active


My pings to the firewall.

[root@webben ~]# ping -c 1 10.3.0.1
PING 10.3.0.1 (10.3.0.1): 56 data bytes
64 bytes from 10.3.0.1: icmp_seq=0 ttl=64 time=0.408 ms

[root@webben ~]# ping -c 1 10.4.0.1
PING 10.4.0.1 (10.4.0.1): 56 data bytes
64 bytes from 10.4.0.1: icmp_seq=0 ttl=64 time=0.418 ms

[root@webben ~]# ping -c 1 10.5.0.1
PING 10.5.0.1 (10.5.0.1): 56 data bytes
64 bytes from 10.5.0.1: icmp_seq=0 ttl=64 time=0.602 ms


The log in the firewall says the jail is using the right source address.

10:45:54.250965	OPT5	10.5.0.2	10.5.0.1, type echo/0	ICMP
10:45:51.755278	OPT4	10.4.0.2	10.4.0.1, type echo/0	ICMP
10:45:48.931655	OPT3	10.3.0.2	10.3.0.1, type echo/0	ICMP

I have used a vnet jail to get its own IP stack.
One strange thing is that tcpdump on the host cannot see the packets.

On 9 Apr 2012, at 22:11, Mark Felder wrote:

> On Mon, 09 Apr 2012 14:16:47 -0500, Juan F. Díaz y Díaz <jfd@mrecic.gov.ar> wrote:
>
>> Mark, you can just run a jail with the setfib utility so you don't need to modify all your scripts.
>
> I don't think anyone here is understanding the issue and forcing a routing table will not help.
>
> root@jailhost:/# jls -v
>   JID  Hostname                      Path
>        Name                          State
>        CPUSetID
>        IP Address(es)
>     3  xymon.xxxxxx.net            /usr/jails/xymon.xxxxxx.net
>        3                             ACTIVE
>        2
>        66.xxx.xxx.xxx
>        192.168.89.xxx  <-- different vlans for each
>        192.168.93.xxx
>        192.168.94.xxx
>        192.168.95.xxx
>        192.168.96.xxx
>        192.168.97.xxx
>
> root@jailhost:/# ifconfig   (edited output)
> vlan989: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=103<RXCSUM,TXCSUM,TSO4>
>        ether d4:ae:52:6a:ec:d9
>        inet 192.168.89.xxx netmask 0xffffff00 broadcast 192.168.89.255
>        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan989 prefixlen 64 scopeid 0x6
>        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>        media: Ethernet autoselect (1000baseT <full-duplex>)
>        status: active
>        vlan: 989 parent interface: bce1
> vlan993: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=103<RXCSUM,TXCSUM,TSO4>
>        ether d4:ae:52:6a:ec:d9
>        inet 192.168.93.xxx netmask 0xffffff00 broadcast 192.168.93.255
>        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan993 prefixlen 64 scopeid 0x7
>        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>        media: Ethernet autoselect (1000baseT <full-duplex>)
>        status: active
>        vlan: 993 parent interface: bce1
> vlan994: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=103<RXCSUM,TXCSUM,TSO4>
>        ether d4:ae:52:6a:ec:d9
>        inet 192.168.94.xxx netmask 0xffffff00 broadcast 192.168.94.255
>        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan994 prefixlen 64 scopeid 0x8
>        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>        media: Ethernet autoselect (1000baseT <full-duplex>)
>        status: active
>        vlan: 994 parent interface: bce1
> vlan996: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=103<RXCSUM,TXCSUM,TSO4>
>        ether d4:ae:52:6a:ec:d9
>        inet 192.168.96.xxx netmask 0xffffff00 broadcast 192.168.96.255
>        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan996 prefixlen 64 scopeid 0x9
>        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>        media: Ethernet autoselect (1000baseT <full-duplex>)
>        status: active
>        vlan: 996 parent interface: bce1
> vlan997: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=103<RXCSUM,TXCSUM,TSO4>
>        ether d4:ae:52:6a:ec:d9
>        inet 192.168.97.xxx netmask 0xffffff00 broadcast 192.168.97.255
>        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan997 prefixlen 64 scopeid 0xa
>        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>        media: Ethernet autoselect (1000baseT <full-duplex>)
>        status: active
>        vlan: 997 parent interface: bce1
>
> All of these vlan interfaces go into a SINGLE jail. Setting the fib will not help; the jail already has the default routing table. The problem is that you can't access these different VLANs with many network utilities because it sets your source IP in the packet as the first IP the jail has bound to it: 66.xxx.xxx.xxx
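Added example (not code from this thread, from FreeBSD ping, or from the patch the subject refers to): the mechanism Mark describes is a utility that never binds its socket and so inherits whatever source address the kernel picks for the jail, and the cure is for the utility to pin the source itself. The program below makes that decision visible. A UDP socket that is connect()ed transmits nothing; the kernel only does route and source selection, and getsockname() then reports the address that would have gone on the wire. The same call with an explicit bind() shows the pinned alternative (what ping's -S option does), and a small prefix check reproduces the test in the firewall log above: does the source address sit in the destination's /24? The 127.0.0.1 target and the 66.1.1.1 stand-in for the jail's first address are assumptions so it runs anywhere without a jail.

```c
/* Added example, not code from the thread or from FreeBSD.
 * Shows the source address a utility gets implicitly versus one it pins,
 * and a prefix check like the one the firewall log above exercises. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Reports the local address a UDP socket "connected" to dst would use.
 * connect() on a datagram socket sends nothing: it only performs route
 * lookup and source-address selection, which getsockname() then reveals.
 * If src is non-NULL the socket is bound to src first, the way a utility
 * pins its source address. Writes the dotted quad into out (at least
 * INET_ADDRSTRLEN bytes) and returns out, or NULL on any failure. */
const char *chosen_source(const char *dst, const char *src, char *out)
{
    struct sockaddr_in sin, local;
    socklen_t len = sizeof local;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0)
        return NULL;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;

    /* Explicit bind: the kernel must use this source or fail. */
    if (src != NULL &&
        (inet_pton(AF_INET, src, &sin.sin_addr) != 1 ||
         bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0)) {
        close(fd);
        return NULL;
    }

    sin.sin_port = htons(9);   /* discard port; no datagram is ever sent */
    if (inet_pton(AF_INET, dst, &sin.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sin, sizeof sin) != 0 ||
        getsockname(fd, (struct sockaddr *)&local, &len) != 0) {
        close(fd);
        return NULL;
    }
    close(fd);
    return inet_ntop(AF_INET, &local.sin_addr, out, INET_ADDRSTRLEN);
}

/* Returns 1 when src and dst share the same IPv4 prefix (the /24s in the
 * firewall log), 0 when they do not, -1 on a malformed address or prefix.
 * A source outside the destination's subnet is the symptom described in
 * the quoted message: the packet left with the jail's first address rather
 * than the address on the VLAN the destination lives on. */
int same_prefix(const char *src, const char *dst, int prefixlen)
{
    struct in_addr a, b;
    uint32_t mask;

    if (prefixlen < 0 || prefixlen > 32 ||
        inet_pton(AF_INET, src, &a) != 1 || inet_pton(AF_INET, dst, &b) != 1)
        return -1;
    mask = prefixlen == 0 ? 0 : htonl(0xffffffffu << (32 - prefixlen));
    return (a.s_addr & mask) == (b.s_addr & mask);
}

int main(void)
{
    char implicit[INET_ADDRSTRLEN], pinned[INET_ADDRSTRLEN];
    const char *dst = "127.0.0.1";   /* assumed target so this runs without a jail */

    printf("kernel-selected source for %s: %s\n", dst,
           chosen_source(dst, NULL, implicit) ? implicit : "(failed)");
    printf("explicitly bound source for %s: %s\n", dst,
           chosen_source(dst, "127.0.0.1", pinned) ? pinned : "(failed)");
    /* Addresses from the log above; 66.1.1.1 stands in for the jail's first IP. */
    printf("10.3.0.2 -> 10.3.0.1 on-link? %d\n", same_prefix("10.3.0.2", "10.3.0.1", 24));
    printf("66.1.1.1 -> 10.3.0.1 on-link? %d\n", same_prefix("66.1.1.1", "10.3.0.1", 24));
    return 0;
}
```

Run it inside a jail that has several VLAN addresses, replacing the loopback target with one of the firewall addresses: the first line is what an unbound utility would send from, the second is what the same utility sends from once it binds explicitly, and same_prefix() on the two tells you whether the firewall would log the on-link address or the jail's first one.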