From: "Bjoern A. Zeeb"
To: "tom@diogunix.com"
Cc: freebsd-jail@freebsd.org
Date: Fri, 29 Jan 2010 09:24:16 +0000 (UTC)
Subject: Re: configuration of multiple IPs for a jail
Message-ID: <20100129091822.O50938@maildrop.int.zabbadoz.net>
In-Reply-To: <201001282351.13267.tom@diogunix.com>
References: <201001270308.21674.tom@diogunix.com> <4B6211C7.6010404@beardz.net> <201001282351.13267.tom@diogunix.com>

On Thu, 28 Jan 2010, tom@diogunix.com wrote:

Hi,

> Jase,
>
>> This behaviour has been addressed in RELENG_7 recently with r202924 [1].
>
> thank you very much. That's what I was watching out for :-).
> I somehow could not find that hint in all the resources I used.
>
>> This commit allows you to set: sysctl security.jail.ip4_saddrsel 0,
>> which makes the kernel use the first IP passed to jail(8) as the
>> default source address instead of the default behaviour which picks the
>> first matching ip for that jail on the interface.

That's not exactly true. Source address uses the first "matching"
address for the destination on the outgoing interface if possible.
There is a route lookup involved as well. So if you are serving more
than one subnet it won't necessarily be the first IP of the interface
seen within the jail. For the case given, it most likely will, though.

> Just great. I run 7.2 stable on most machines and thanks to your information
> it will be much easier than what I meanwhile did to fix things.
>
>> A workaround (if you're not able to update to a RELENG_7 following that
>> commit) is to reorder your interface aliases in /etc/rc.conf, so that
>> your primary jail ip has a lower alias # than any secondary ips for that
>> jail.
>
> Yes. I've meanwhile found exactly that out the hard way and by trial and
> error. Works nice (or however it works), even when the kernel setting method
> of course is much more elegant.
>
>> Hope this helps,
>
> It did already.

Though it might help, if you only need it for postfix, using the
smtp_bind_address (and smtp_bind_address6) options might be more
elegant rather than using the hammer of forcing things in the kernel.
See man 5 postconf.

If more services across all jails should be using the intended behavior,
using the sysctl and kernel is probably the right thing.

/bz

-- 
Bjoern A. Zeeb          It will not break if you know what you are doing.
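The alias-reordering workaround quoted above (primary jail IP at a lower alias number than any secondary IP) is easy to get wrong by hand on a host carrying many jails, so here is an added POSIX sh check for it. This script is not from the thread or from FreeBSD's own tooling; the interface name em0, the 192.0.2.0/24 addresses and the sample rc.conf are constructed for the example, and it assumes the documented rc.conf form ifconfig_IFACE_aliasN="inet A.B.C.D ...".

```shell
#!/bin/sh
# Added example, not from the thread: verifies that a jail's primary address
# sits at a lower alias index than its secondary addresses in an rc.conf,
# which is what the pre-r202924 "first matching address" behaviour relies on.
# Interface "em0" and all addresses below are constructed sample values.

# Print the alias index at which IP is configured on IFACE in RCFILE.
# The base ifconfig_IFACE line counts as index -1 (it is configured first).
# Prints nothing and returns 1 if the IP is not configured on IFACE at all.
alias_index() {
    rcfile=$1; iface=$2; ip=$3
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # match dots literally
    if grep -Eq "^ifconfig_${iface}=\"inet ${ip_re}( |\")" "$rcfile"; then
        printf '%s\n' -1
        return 0
    fi
    idx=$(grep -E "^ifconfig_${iface}_alias[0-9]+=\"inet ${ip_re}( |\")" "$rcfile" \
          | sed -E "s/^ifconfig_${iface}_alias([0-9]+)=.*/\1/" | head -n 1)
    [ -n "$idx" ] || return 1
    printf '%s\n' "$idx"
}

# Return 0 when PRIMARY has a lower alias index than every SECONDARY address
# (the interface's first matching address for the jail is then PRIMARY),
# 1 when some secondary address precedes it, and 2 when an address is not
# configured on IFACE in RCFILE at all.
check_jail_alias_order() {
    rcfile=$1; iface=$2; primary=$3; shift 3
    pidx=$(alias_index "$rcfile" "$iface" "$primary") || {
        printf 'ERROR: primary %s is not configured on %s\n' "$primary" "$iface"
        return 2
    }
    for sec in "$@"; do
        sidx=$(alias_index "$rcfile" "$iface" "$sec") || {
            printf 'ERROR: secondary %s is not configured on %s\n' "$sec" "$iface"
            return 2
        }
        if [ "$sidx" -le "$pidx" ]; then
            printf 'BAD: %s (alias%s) precedes primary %s (alias%s)\n' \
                "$sec" "$sidx" "$primary" "$pidx"
            return 1
        fi
    done
    printf 'OK: %s precedes all secondary addresses on %s\n' "$primary" "$iface"
    return 0
}

# Constructed sample rc.conf (not a real host's file). alias0 belongs to a
# different jail than alias1/alias2, which is the situation that bites.
RC_SAMPLE=$(mktemp)
cat > "$RC_SAMPLE" <<'EOF'
ifconfig_em0="inet 192.0.2.1 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 192.0.2.20 netmask 255.255.255.255"
ifconfig_em0_alias1="inet 192.0.2.10 netmask 255.255.255.255"
ifconfig_em0_alias2="inet 192.0.2.11 netmask 255.255.255.255"
EOF

# Jail "a": primary 192.0.2.10, secondary 192.0.2.11 -> ordered correctly.
check_jail_alias_order "$RC_SAMPLE" em0 192.0.2.10 192.0.2.11
# Jail "b": primary 192.0.2.11, secondary 192.0.2.20 -> alias0 comes first,
# so the kernel would source from 192.0.2.20 unless the aliases are renumbered.
check_jail_alias_order "$RC_SAMPLE" em0 192.0.2.11 192.0.2.20 ||
    printf 'hint: renumber so 192.0.2.11 gets a lower alias index than 192.0.2.20\n'
```

The check only models alias order on one interface; as Bjoern notes, source selection also involves a route lookup, so on a host serving several subnets the first alias is not guaranteed to win. On a RELENG_7 that includes r202924 the sysctl security.jail.ip4_saddrsel from the thread replaces this workaround, and if only Postfix needs the fixed source address, smtp_bind_address in main.cf (man 5 postconf) avoids touching the kernel at all.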