From owner-freebsd-jail@FreeBSD.ORG Wed Dec 17 20:48:53 2014
From: James Gritton <jamie@freebsd.org>
To: freebsd-jail@freebsd.org
Subject: Re: only lo0 interface inside jail, no default gw
Date: Wed, 17 Dec 2014 13:48:45 -0700
Message-ID: <0096d1968fd2758df224a9dea6934ddb@gritton.org>

On 2014-12-16 10:35, Alexander Lunev wrote:
> Hello everyone.
>
> I'm trying to build a jail environment on a new server with 10.1-R. I
> did that before on 9.2-R, but now I'm stuck with a strange network
> problem: no matter how I configure the jail (the old way through
> rc.conf jail_* variables or via /etc/jail.conf), I don't see a default
> gateway in the jail's routing table. At first I started with a more
> complex config using a separate fib for the jail, but it's not working
> even without fibs (or in fib 0). So, here's what I have in the host
> system:
>
> # netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            10.1.1.1           UGS       em0.4
> 10.1.1.0/24        link#4             U         em0.4
> 10.1.1.205         link#4             UHS         lo0
> 10.1.1.206         link#4             UHS         lo0
> 127.0.0.1          link#3             UH          lo0
> 127.0.0.2          link#3             UH          lo0
>
> # ifconfig
> em0: flags=8843 metric 0 mtu 1500
>         options=4219b
>         ether 00:30:48:c1:e1:b4
>         nd6 options=29
>         media: Ethernet autoselect (1000baseT )
>         status: active
> lo0: flags=8049 metric 0 mtu 16384
>         options=600003
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>         inet 127.0.0.1 netmask 0xff000000
>         inet 127.0.0.2 netmask 0xff000000
>         nd6 options=21
> em0.4: flags=8843 metric 0 mtu 1500
>         options=103
>         ether 00:30:48:c1:e1:b4
>         inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
>         inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
>         nd6 options=29
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         vlan: 4 parent interface: em0
>
> I can ping the internet from the host via gateway 10.1.1.1
>
> And here's what I have in the jail:
>
> ====== BOF /etc/jail.conf =========
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> mount.devfs;
> allow.raw_sockets;
> path = "/usr/jails/$name";
>
> template {
>     jid = 1;
>     ip4.addr = "em0.4|10.1.1.206/24";
>     ip4.addr += "lo0|127.0.0.2/8";
>     host.hostname = template;
> }
> ====== EOF /etc/jail.conf =========
>
> # jexec 1 netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> 10.1.1.206         link#4             UHS         lo0
> 127.0.0.2          link#3             UH          lo0
>
> I can ping the gateway from the jail
>
> # jexec 1 ping 10.1.1.1
> PING 10.1.1.1 (10.1.1.1): 56 data bytes
> 64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.366 ms
> ^C
>
> But not the Internet or anything via routing.
>
> I have no default gateway in the jail - why? What have I missed in this
> new jail implementation since 9.2-R?

The netstat output is no surprise. I don't know if it was before or
after 9.2, but jails don't see routes that don't involve their own IP
addresses, and that includes the default route. But that doesn't mean
the default route isn't there. I have netstat output similar to yours,
but packets still route as expected.

I don't see anything in your jail.conf that looks wrong, so I'm afraid I
can't say anything more than "it looks like it *should* work."

- Jamie
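The route-visibility rule in Jamie's reply, turned into a check a jail admin can run before chasing a missing default route. This is an added example, not code from the thread or from FreeBSD. It assumes the rule means "the jail's table lists exactly those host routes whose Destination is one of the jail's own addresses" (my reading of "routes that involve their own IP addresses"); the two route tables are constructed from the netstat -rn output quoted above, and the jail id and target host in the last function are hypothetical values.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD). A jail's routing
# table only lists the host routes whose Destination is one of the jail's
# own addresses, so a missing "default" line is expected and the real test
# is end-to-end reachability. Both tables below are constructed from the
# netstat -rn output quoted in the thread (header lines removed).

HOST_ROUTES='default 10.1.1.1 UGS em0.4
10.1.1.0/24 link#4 U em0.4
10.1.1.205 link#4 UHS lo0
10.1.1.206 link#4 UHS lo0
127.0.0.1 link#3 UH lo0
127.0.0.2 link#3 UH lo0'

JAIL_ROUTES='10.1.1.206 link#4 UHS lo0
127.0.0.2 link#3 UH lo0'

# jail_visible_routes ROUTES ADDR...
# Print the lines of ROUTES (netstat -rn body, one route per line) whose
# Destination column equals one of the jail addresses ADDR..., i.e. the
# routes the visibility rule predicts the jail will see.
jail_visible_routes() {
    routes=$1
    shift
    printf '%s\n' "$routes" | while read -r dest gw flags netif _rest; do
        for a in "$@"; do
            if [ "$dest" = "$a" ]; then
                printf '%s %s %s %s\n' "$dest" "$gw" "$flags" "$netif"
            fi
        done
    done
}

# has_default ROUTES: succeed if a default route is listed.
has_default() {
    printf '%s\n' "$1" | grep -q '^default[[:space:]]'
}

# jail_table_matches HOST_ROUTES JAIL_ROUTES ADDR...
# Succeed if the jail's table is exactly what the visibility rule predicts
# from the host's table. A mismatch means something other than the hidden
# default route is going on and deserves a closer look.
jail_table_matches() {
    host=$1
    jail=$2
    shift 2
    expected=$(jail_visible_routes "$host" "$@")
    [ "$expected" = "$jail" ]
}

# jail_can_reach JID HOST: the check that actually matters. Runs FreeBSD's
# ping from inside the jail (-t is the overall timeout in seconds there).
# JID and HOST are hypothetical, e.g. jid 1 and gateway 10.1.1.1 from the
# thread; not executed by this script, call it from a live host.
jail_can_reach() {
    jexec "$1" ping -c 1 -t 3 "$2" >/dev/null 2>&1
}

# Report for the constructed tables.
echo "Host has default route: $(has_default "$HOST_ROUTES" && echo yes || echo no)"
echo "Jail has default route: $(has_default "$JAIL_ROUTES" && echo yes || echo no)"
if jail_table_matches "$HOST_ROUTES" "$JAIL_ROUTES" 10.1.1.206 127.0.0.2; then
    echo "Jail table is exactly what the visibility rule predicts; test reachability next."
else
    echo "Jail table differs from what the visibility rule predicts; expected:"
    jail_visible_routes "$HOST_ROUTES" 10.1.1.206 127.0.0.2
fi
```

On a live system, feed the functions the route lines from `netstat -rn` on the host and from `jexec JID netstat -rn` inside the jail, with the jail's `ip4.addr` values as the address arguments; if the tables agree with the rule, the absence of `default` tells you nothing, and `jail_can_reach` (or a `ping` of an address beyond the gateway) is the test that does.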