From owner-freebsd-jail@FreeBSD.ORG Tue Apr 10 09:05:14 2012
From: Anders Hagman
To: Mark Felder
Cc: freebsd-jail@freebsd.org
Date: Tue, 10 Apr 2012 11:03:22 +0200
Subject: Re: Jail source address selection broken, patch for ping
Message-Id: <903CBCF8-5096-4C5B-A5A9-F8495AA8751C@netplex.se>
In-Reply-To: <493438014.49159.1333999007132.JavaMail.root@mrelmx09.mrec.ar>
List-Id: "Discussion about FreeBSD jail(8)"

Hi

I have done a test.
My setup inside the jail:

vlan102: flags=8843 metric 0 mtu 1500
        ether 00:19:db:d5:db:c5
        inet 10.3.0.2 netmask 0xffffff00 broadcast 10.3.0.255
        inet6 fe80::219:dbff:fed5:dbc5%vlan102 prefixlen 64 scopeid 0x3
        nd6 options=21
        media: Ethernet autoselect (100baseTX )
        status: active
vlan103: flags=8843 metric 0 mtu 1500
        ether 00:19:db:d5:db:c5
        inet 10.4.0.2 netmask 0xffffff00 broadcast 10.4.0.255
        inet6 fe80::219:dbff:fed5:dbc5%vlan103 prefixlen 64 scopeid 0x4
        nd6 options=21
        media: Ethernet autoselect (100baseTX )
        status: active
vlan104: flags=8843 metric 0 mtu 1500
        ether 00:19:db:d5:db:c5
        inet 10.5.0.2 netmask 0xffffff00 broadcast 10.5.0.255
        inet6 fe80::219:dbff:fed5:dbc5%vlan104 prefixlen 64 scopeid 0x5
        nd6 options=21
        media: Ethernet autoselect (100baseTX )
        status: active

My pings to the firewall.

[root@webben ~]# ping -c 1 10.3.0.1
PING 10.3.0.1 (10.3.0.1): 56 data bytes
64 bytes from 10.3.0.1: icmp_seq=0 ttl=64 time=0.408 ms

[root@webben ~]# ping -c 1 10.4.0.1
PING 10.4.0.1 (10.4.0.1): 56 data bytes
64 bytes from 10.4.0.1: icmp_seq=0 ttl=64 time=0.418 ms

[root@webben ~]# ping -c 1 10.5.0.1
PING 10.5.0.1 (10.5.0.1): 56 data bytes
64 bytes from 10.5.0.1: icmp_seq=0 ttl=64 time=0.602 ms

The log in the firewall says the jail is using the right source address.

10:45:54.250965 OPT5 10.5.0.2 10.5.0.1, type echo/0 ICMP
10:45:51.755278 OPT4 10.4.0.2 10.4.0.1, type echo/0 ICMP
10:45:48.931655 OPT3 10.3.0.2 10.3.0.1, type echo/0 ICMP

I have used a vnet jail to get its own IP stack.

One strange thing is that tcpdump on the host cannot see the packets.

On 9 Apr 2012, at 22:11, Mark Felder wrote:

> On Mon, 09 Apr 2012 14:16:47 -0500, Juan F. Díaz y Díaz wrote:
>
>> Mark, you can just run a jail with the setfib utility so you don't need to modify all your scripts.
>
> I don't think anyone here is understanding the issue and forcing a routing table will not help.
>
> root@jailhost:/# jls -v
>    JID  Hostname                      Path
>         Name                          State
>         CPUSetID
>         IP Address(es)
>      3  xymon.xxxxxx.net              /usr/jails/xymon.xxxxxx.net
>         3                             ACTIVE
>         2
>         66.xxx.xxx.xxx
>         192.168.89.xxx   <-- different vlans for each
>         192.168.93.xxx
>         192.168.94.xxx
>         192.168.95.xxx
>         192.168.96.xxx
>         192.168.97.xxx
>
> root@jailhost:/# ifconfig (edited output)
> vlan989: flags=8843 metric 0 mtu 1500
>         options=103
>         ether d4:ae:52:6a:ec:d9
>         inet 192.168.89.xxx netmask 0xffffff00 broadcast 192.168.89.255
>         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan989 prefixlen 64 scopeid 0x6
>         nd6 options=21
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         vlan: 989 parent interface: bce1
> vlan993: flags=8843 metric 0 mtu 1500
>         options=103
>         ether d4:ae:52:6a:ec:d9
>         inet 192.168.93.xxx netmask 0xffffff00 broadcast 192.168.93.255
>         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan993 prefixlen 64 scopeid 0x7
>         nd6 options=21
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         vlan: 993 parent interface: bce1
> vlan994: flags=8843 metric 0 mtu 1500
>         options=103
>         ether d4:ae:52:6a:ec:d9
>         inet 192.168.94.xxx netmask 0xffffff00 broadcast 192.168.94.255
>         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan994 prefixlen 64 scopeid 0x8
>         nd6 options=21
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         vlan: 994 parent interface: bce1
> vlan996: flags=8843 metric 0 mtu 1500
>         options=103
>         ether d4:ae:52:6a:ec:d9
>         inet 192.168.96.xxx netmask 0xffffff00 broadcast 192.168.96.255
>         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan996 prefixlen 64 scopeid 0x9
>         nd6 options=21
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         vlan: 996 parent interface: bce1
> vlan997: flags=8843 metric 0 mtu 1500
>         options=103
>         ether d4:ae:52:6a:ec:d9
>         inet 192.168.97.xxx netmask 0xffffff00 broadcast 192.168.97.255
>         inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan997 prefixlen 64 scopeid 0xa
>         nd6 options=21
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         vlan: 997 parent interface: bce1
>
> All of these vlan interfaces go into a SINGLE jail. Setting the fib will not help; the jail already has the default routing table. The problem is that you can't access these different VLANs with many network utilities because it sets your source IP in the packet as the first IP the jail has bound to it: 66.xxx.xxx.xxx
> _______________________________________________
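The thread relies on a firewall log to see which source address a jail stamps on its packets. As an added example (not code from the thread or from FreeBSD), the following diagnostic asks the kernel directly: connect(2) on a UDP socket sends nothing but runs route lookup and source address selection (inside a non-VNET jail, subject to the jail's address restrictions), after which getsockname(2) reports the chosen source. Run it inside the jail against each gateway; the three default destinations are the ones from the thread and are only constructed sample input.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Ask the kernel which local IPv4 address it would use for packets to dst.
 * No datagram is sent: connect(2) on a UDP socket only selects route and
 * source address, and getsockname(2) then reveals the selected source.
 * Returns 0 and writes the dotted-quad source into src, or -1 on error. */
int selected_source_ipv4(const char *dst, char *src, size_t srclen)
{
    struct sockaddr_in sin, local;
    socklen_t len = sizeof(local);
    int fd, rc = -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(9);            /* any port; nothing is transmitted */
    if (inet_pton(AF_INET, dst, &sin.sin_addr) != 1)
        return -1;
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) == 0 &&
        getsockname(fd, (struct sockaddr *)&local, &len) == 0 &&
        inet_ntop(AF_INET, &local.sin_addr, src, (socklen_t)srclen) != NULL)
        rc = 0;
    close(fd);
    return rc;
}
/* Convenience wrapper: pointer to a static buffer, or NULL if no source was selected. */
const char *source_for(const char *dst)
{
    static char src[INET_ADDRSTRLEN];
    return selected_source_ipv4(dst, src, sizeof(src)) == 0 ? src : NULL;
}
int main(int argc, char **argv)
{
    /* Defaults are the three gateways from the thread (constructed sample input);
     * any other destinations can be given as command line arguments. */
    const char *defaults[] = { "10.3.0.1", "10.4.0.1", "10.5.0.1" };
    const char **dsts = argc > 1 ? (const char **)argv + 1 : defaults;
    int n = argc > 1 ? argc - 1 : 3;
    for (int i = 0; i < n; i++) {
        const char *s = source_for(dsts[i]);
        printf("%-15s -> source %s\n", dsts[i], s ? s : "(no route / error)");
    }
    return 0;
}
```

If a non-VNET jail reports the same first-bound address for every VLAN gateway while a VNET jail reports the per-VLAN address, that reproduces the difference described in the thread without needing the firewall's packet log.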