From: Stefan Lambrev <stefan.lambrev@moneybookers.com>
To: Bjoern A. Zeeb
Cc: freebsd-jail@freebsd.org
Date: Fri, 8 May 2009 00:53:03 +0300
Subject: Re: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
Message-Id: <208C381F-1E1A-4941-A511-6512FF61F044@moneybookers.com>
In-Reply-To: <20090430234402.M15361@maildrop.int.zabbadoz.net>

Hi,

Sorry for the late reply.

On May 1, 2009, at 2:58 AM, Bjoern A. Zeeb wrote:

> On Thu, 30 Apr 2009, Stefan Lambrev wrote:
>
>> Hi,
>>
>> On Apr 22, 2009, at 11:25 PM, Miroslav Lachman wrote:
>>
>>> Stefan Lambrev wrote:
>>>> Hi,
>>>> Does this allow multiple network interfaces to be used by a
>>>> single jail instance?
>>> Yes, I am using it.
>> - cut -
>>
>> Basically it works, but I found another problem.
>> I have created, on two servers, jails with 2 IPs on different
>> interfaces.
>> The first IP is on the "external" interface and the second IP is on
>> the internal interface.
>> As expected, if I send packets from the host (outside the jail) their
>> source address matches the IP of the interface from which they are
>> leaving the machine,
>> but if I send packets from the jail they always go out with a source
>> address equal to the first IP of the jail, even when they are going
>> out through the second interface.
>>
>> I do not know if this matters, but in my case the internal interface
>> has a few vlans and the IP is set on the vlan, not directly on the
>> interface.
>>
>> Here is some output from the jail which can be useful:
>>
>> igb0: flags=8843 metric 0 mtu 1500
>>         options=19b
>>         ether 00:30:48:9c:3a:0a
>>         inet 192.168.3.100 netmask 0xffffffff broadcast 192.168.3.100
>>         media: Ethernet autoselect (100baseTX )
>>         status: active
>>
>> igb1.2: flags=8843 metric 0 mtu 1500
>>         options=3
>>         ether 00:30:48:9c:3a:0b
>>         inet 10.35.1.1 netmask 0xffffff00 broadcast 10.35.1.255
>>         media: Ethernet autoselect (1000baseTX )
>>         status: active
>>         vlan: 2 parent interface: igb1
>>
>> And here is the tcpdump from igb1.2 when trying to ping 10.35.1.2
>> from inside the jail:
>>
>> 17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 0, length 64
>> 17:20:05.110321 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 1, length 64
>>
>> Any idea how this can be fixed?
>>
>> P.S. I know I can rewrite outgoing packets with the firewall, but it's
>> not performance wise, and I expect a lot of UDP multicast through
>> igb1.2, that's why this doesn't look like a proper solution to me.
>
>
> 1) you turned on a non-default feature permitting raw-ip-sockets from
> inside jails. You lost supp^Wpredictability. Well not really but
> this is just the beware-of reminder.

Unfortunately this is the only way to get multicast working in a jail.

> 2) you are using 1) with ping to test source address selection which
> will not work well. There is more magic involved. Does it work
> properly and as requested with ping -S ?

The only difference when using -S is that the "sender" does not recognize replies.

> 3) turn off 1) and/or use telnet, ssh, or nc to test outgoing
> connections in each direction. Does source address selection work here
> as expected?

telnet works as expected even when raw-ip-sockets are enabled.

> 4) jails do not support MC. You'll have to wait for full-blown network
> stack virtualization.

Is this planned to be part of 8.0 or ..? :)

> --
> Bjoern A. Zeeb                      The greatest risk is not taking one.

-- 
Best Wishes,
Stefan Lambrev
ICQ# 24134177
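To check the source address selection problem described in this thread over a whole capture rather than by reading individual tcpdump lines, here is an added shell example (not from the original mail or from FreeBSD) that flags every packet leaving an interface with a source address other than the one configured on it; the sample capture lines are constructed, modelled on the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the original mail.  Flags packets in a tcpdump
# capture whose source address is not the address configured on the
# interface they were captured on, i.e. the symptom reported in the thread.
# A real capture would come from, e.g.:  tcpdump -nn -i igb1.2 host 10.35.1.2
# (-nn: no name or port resolution, so addresses stay numeric).

# Constructed sample modelled on the quoted lines: two ICMP echo requests
# leaving igb1.2 with the jail's first IP (the reported misbehaviour) and one
# TCP SYN (the kind of test suggested in the thread) using the interface's own IP.
SAMPLE_CAPTURE='17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 0, length 64
17:20:05.110321 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 1, length 64
17:20:06.201133 IP 10.35.1.1.54321 > 10.35.1.2.22: Flags [S], seq 1, win 65535, length 0'

# wrong_source EXPECTED_IP < capture
# Prints "time src dst" for every IPv4 packet whose source differs from EXPECTED_IP.
wrong_source() {
    awk -v want="$1" '
        # TCP/UDP lines carry the port as a fifth dotted component
        # (10.35.1.1.54321); ICMP lines do not (192.168.3.100).
        function host(a,   n, p) {
            n = split(a, p, ".")
            if (n == 5) return p[1] "." p[2] "." p[3] "." p[4]
            return a
        }
        $2 == "IP" {
            src = host($3)
            dst = $5
            sub(/:$/, "", dst)          # tcpdump terminates the destination with ":"
            if (src != want) print $1, src, host(dst)
        }'
}

# count_wrong_source EXPECTED_IP < capture  ->  number of mismatching packets
count_wrong_source() {
    wrong_source "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly:
# the two ICMP packets are reported, the TCP SYN is not.
printf '%s\n' "$SAMPLE_CAPTURE" | wrong_source 10.35.1.1
```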