From: Konstantin Belousov
To: Anton Farber
Cc: "freebsd-net@freebsd.org"
Date: Tue, 7 Apr 2015 10:29:49 +0300
Subject: Re: FreeBSD sometimes uses the router for packets on the local network
Message-ID: <20150407072949.GA2379@kib.kiev.ua>

On Tue, Apr 07, 2015 at 07:04:40AM +0000, Anton Farber wrote:
> > On Mon, Apr 6, 2015 at 12:15 PM, Anton Farber wrote:
> > > I've opened a thread on the FreeBSD networking forum
> > > (https://forums.freebsd.org/threads/jail-fails-to-connect-to-main-host.50833/)
> > > as some time ago my FreeBSD server (initially running 10.1, now
> > > CURRENT) started to behave strangely after an upgrade from 10.0 to
> > > 10.1. I first noticed that a jail (192.168.1.5) wasn't able to
> > > contact the base system (192.168.1.1). Running a tcpdump revealed
> > > the following: the jail is using em0 instead of lo0 for
> > > communicating with the base system:
> >
> > You need to look at your routing tables. From inside the jail, run
> > "netstat -rn -f inet". You probably won't see any entry for 127.0.0.1
> > or 127.0.0.0/8. Those are the entries that your jail needs in order
> > to talk to the base system. You can add them, but think carefully.
> > Many server processes, such as ntpd, have reduced security for
> > connections coming over 127.0.0.1. Whether or not it is appropriate
> > to add those routes depends on why you are using a jail.
>
> Ok, so the behaviour I'm seeing regarding the communication between
> jail and base system is to be expected then. My reason for posting it
> was that I was unsure whether it might have anything to do with the
> main problem. I don't think that this is the case, so the question
> remains: why is my FreeBSD server sometimes using the router for
> contacting hosts on the local network?

This was a very strange proposal, to look at routing tables inside the jail.
Do you use a VNET-enabled kernel? If not, there is no separate instance
of the network stack per jail. The netstat -rn output in a jail for non-VNET
kernels is simply not relevant to your problem. The same issues must be
present when a non-jailed process is using the same source address selection.