From: Arthur Chance
Date: Sat, 17 Aug 2013 17:32:18 +0100
To: Karl Pielorz
Cc: freebsd-questions@freebsd.org
Subject: Re: jail.conf ignoring exec.fib?

On 14/08/2013 16:49, Karl Pielorz wrote:
>
>
> --On 14 August 2013 08:58 -0400 Fbsd8 wrote:
>
>> The jail(8) man page lacks details about how to use exec.fib.
>>
>> It requires either a new kernel (with "options ROUTETABLES=2" or however
>> many you want), or a boot-time setting with "net.fibs=2" in
>> /boot/loader.conf (requiring a reboot).
>
> Yup, done that :)
>
>> setfib 1 route add default 198.192.64.21
>> creates routing table number 1 with that IP address.
>>
>> In this example exec.fib="1" would be coded.
>>
>> See setfib(8) and setfib(2) for details.
>
> Yeah, I do that as well - but 'netstat -r -n' from within the jail shows
> the system's default routing table.
>
> As opposed to 'setfib 1 netstat -r -n' (outside the jail) which shows
> fib either has no default gateway, or the one I set (which is right).
>
> Just within the jail, it only ever shows it's using the system's default
> routing table :(
>
> Fibs work fine outside the jail (i.e. I can show them, set differing
> default gateways) - but no matter what I do, the 'exec.fib=' line in
> jail.conf seems to be ignored, when the jail is run up - it only ever
> sees the default routing table :(

What do you get in the jail from

    sysctl net.fibs
    sysctl net.my_fibnum

? You should be getting 2 and 1 respectively.

If you are, what happens in the jail when you ping an address that's
covered by the fib 0 default route but that should be unroutable in the
jail? You will need to enable allow.raw_sockets for the jail temporarily
to try that.

--
In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
new race of servants. Called Uruk-Oh-Hai in the Black Speech, they were
cruel and delighted in torturing spelling and grammar.

_Lord of the Rings 2.0, the Web Edition_