From: Jase Thew
Date: Sat, 30 Jan 2010 01:06:35 +0000
To: freebsd-jail@freebsd.org
Subject: Re: configuration of multiple IPs for a jail

On 29/01/2010 09:24, Bjoern A. Zeeb wrote:
> On Thu, 28 Jan 2010, tom@diogunix.com wrote:
>
> Hi,
>
>> Jase,
>>
>>> This behaviour has been addressed in RELENG_7 recently with r202924
>>> [1].
>>
>> thank you very much. That's what I was watching out for :-).
>> I somehow could not find that hint in all the resources I used.
>>
>>> This commit allows you to set : sysctl security.jail.ip4_saddrsel 0 ,
>>> which makes the kernel use the first IP passed to jail (8) as the
>>> default source address instead of the default behaviour which picks the
>>> first matching ip for that jail on the interface.
>
> That's not exactly true. Source address uses the first "matching"
> address for the destination on the outgoing interface if possible.
> There is a route lookup involved as well. So if you are serving more
> than one subnet it won't necessarily be the first IP of the interface
> seen within the jail.
>
> For the case given, it most likely will, though.
>

Yes, indeed. My answer was based on the configuration example presented
and the assumption that all the IPs given were located in the same subnet.

Regards,

Jase.
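
The two behaviours discussed in this thread, as a simplified model added here for illustration (not code from the posters or from the FreeBSD kernel): with selection enabled the source follows the route lookup for the destination, with `security.jail.ip4_saddrsel` set to 0 it is always the first IP given to jail(8). It assumes a single outgoing interface; the function names, addresses and route table are constructed.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not from the thread.
IFACE_ADDRS = ["192.0.2.5/24", "192.0.2.10/24", "198.51.100.10/24"]  # interface order
JAIL_IPS = ["198.51.100.10", "192.0.2.10"]       # order as passed to jail(8)
ROUTES = [("0.0.0.0/0", "192.0.2.1")]            # static routes: (prefix, gateway)


def next_hop(dest, iface_addrs, routes):
    """Longest-prefix route lookup; returns the next hop or None if unreachable."""
    dst = ipaddress.ip_address(dest)
    # Directly connected networks have no gateway: the next hop is the destination.
    table = [(ipaddress.ip_interface(a).network, None) for a in iface_addrs]
    table += [(ipaddress.ip_network(p), ipaddress.ip_address(g)) for p, g in routes]
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        return None
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return dst if gw is None else gw


def select_source(jail_ips, iface_addrs, routes, dest, saddrsel=True):
    """Model of the jail's IPv4 source address choice for one destination."""
    jail = [ipaddress.ip_address(a) for a in jail_ips]
    if not saddrsel:
        # Models security.jail.ip4_saddrsel set to 0: first IP given to jail(8).
        return str(jail[0])
    hop = next_hop(dest, iface_addrs, routes)
    if hop is None:
        return None
    ifaces = [ipaddress.ip_interface(a) for a in iface_addrs]
    # Prefer a jail address on the subnet the route lookup points at ...
    for ifa in ifaces:
        if hop in ifa.network and ifa.ip in jail:
            return str(ifa.ip)
    # ... otherwise the first interface address that belongs to the jail.
    for ifa in ifaces:
        if ifa.ip in jail:
            return str(ifa.ip)
    return str(jail[0])


if __name__ == "__main__":
    for dest in ("192.0.2.77", "198.51.100.77", "203.0.113.9"):
        on = select_source(JAIL_IPS, IFACE_ADDRS, ROUTES, dest, saddrsel=True)
        off = select_source(JAIL_IPS, IFACE_ADDRS, ROUTES, dest, saddrsel=False)
        print(f"{dest:15} saddrsel=1 -> {on:15} saddrsel=0 -> {off}")
```

With the jail spanning two subnets, the source address under the default setting changes with the destination, which matters for any firewall rule or service ACL keyed on the jail's source IP.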