Date: Fri, 8 May 2009 00:53:03 +0300
From: Stefan Lambrev <stefan.lambrev@moneybookers.com>
To: Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-jail@freebsd.org
Subject: Re: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
Message-ID: <208C381F-1E1A-4941-A511-6512FF61F044@moneybookers.com>
In-Reply-To: <20090430234402.M15361@maildrop.int.zabbadoz.net>
References: <20090207174104.Y93725@maildrop.int.zabbadoz.net> <C967B08C-6674-49EA-8ACD-172B3A2B830C@moneybookers.com> <49EF7D57.9010307@quip.cz> <2FFE746D-9F46-4405-9CCE-01B3EF055EA0@moneybookers.com> <20090430234402.M15361@maildrop.int.zabbadoz.net>

Hi,

Sorry for the late reply.

On May 1, 2009, at 2:58 AM, Bjoern A. Zeeb wrote:

> On Thu, 30 Apr 2009, Stefan Lambrev wrote:
>
>> Hi,
>>
>> On Apr 22, 2009, at 11:25 PM, Miroslav Lachman wrote:
>>
>>> Stefan Lambrev wrote:
>>>> Hi,
>>>> Does this allow multiple network interfaces to be used by a
>>>> single jail instance?
>>> Yes, I am using it.
>> - cut -
>>
>> Basically it works, but I found another problem.
>> I have created on two servers jails with 2 IPs on different
>> interfaces.
>> First IP is on "external" interface and second IP is on internal
>> interface.
>> As expected if I send packets from the host (outside jail) their
>> source address match the IP of the interface (from which they are
>> leaving the machine),
>> but if I send packets from jail they always go out with source
>> address equal to the first IP of the jail even when they are going
>> out through the second interface.
>>
>> I do not know if this matters but in my case, internal interface
>> has a few vlans and the IP is set on the vlan not directly on the
>> interface.
>>
>> Here is some output from the jail which can be useful:
>>
>> igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
>>         ether 00:30:48:9c:3a:0a
>>         inet 192.168.3.100 netmask 0xffffffff broadcast 192.168.3.100
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>>         status: active
>>
>> igb1.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         options=3<RXCSUM,TXCSUM>
>>         ether 00:30:48:9c:3a:0b
>>         inet 10.35.1.1 netmask 0xffffff00 broadcast 10.35.1.255
>>         media: Ethernet autoselect (1000baseTX <full-duplex>)
>>         status: active
>>         vlan: 2 parent interface: igb1
>>
>> And here is the tcpdump from igb1.2 when trying to ping 10.35.1.2
>> from inside jail:
>>
>> 17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 0, length 64
>> 17:20:05.110321 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 1, length 64
>>
>> Any idea how this can be fixed?
>>
>> P.S. I know I can rewrite outgoing packets with firewall, but it's
>> not performance wise,
>> and I expect lot of udp multicast through igb1.2, that's why this
>> doesn't look like a proper solution for me.
>
>
> 1) you turned on a non-default feature permitting raw-ip-sockets from
>    inside jails. You lost supp^Wpredictability. Well not really but
>    this is just the beware-of reminder.

Unfortunately this is the only way to get multicast working in jail.

> 2) you are using 1) with ping to test source address selection which
>    will not work well. There is more magic involved. Does it work
>    properly and as requested with ping -S <src-ip-you-want> <dst>?

The only difference when using -S is that the "sender" does not
recognize replies.

> 3) turn off 1) and/or use telnet, ssh, or nc to test outgoing
>    connections in each direction. Does source address selection work
>    here as expected?

telnet works as expected even when raw-ip-sockets are enabled.

> 4) jails do not support MC. You'll have to wait for full-blown network
>    stack virtualization.

Is this planned to be part of 8.0 or ..? :)

>
> --
> Bjoern A. Zeeb                      The greatest risk is not taking one.

--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
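
Added example, not part of the original message and not FreeBSD project code: a check for the symptom reported above, flagging captured packets whose source address lies outside the subnet configured on the capture interface. The function names are hypothetical, the first two capture lines and the interface lines are taken from the message, the third capture line is constructed, and the check assumes the host does not forward traffic for other networks.

```python
import ipaddress
import re

# ifconfig lines for igb1.2 as quoted in the message.
IFCONFIG = """\
igb1.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.35.1.1 netmask 0xffffff00 broadcast 10.35.1.255
"""
# Two tcpdump lines from the message plus one constructed line with the expected source.
CAPTURE = """\
17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 0, length 64
17:20:05.110321 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 1, length 64
17:20:06.110700 IP 10.35.1.1 > 10.35.1.2: ICMP echo request, id 28421, seq 2, length 64
"""

INET_RE = re.compile(r"inet (\S+) netmask (0x[0-9a-fA-F]{8})")
PKT_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")


def interface_networks(ifconfig_text):
    """Return the IPv4 networks on the interface, converting the BSD hex netmask."""
    nets = []
    for addr, mask in INET_RE.findall(ifconfig_text):
        prefix = bin(int(mask, 16)).count("1")
        nets.append(ipaddress.ip_interface(f"{addr}/{prefix}").network)
    return nets


def missourced(capture_text, nets):
    """Return (timestamp, src, dst) for packets whose source is outside every network."""
    hits = []
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # not an IPv4 packet line
        ts, src, dst = m.groups()
        if not any(ipaddress.ip_address(src) in n for n in nets):
            hits.append((ts, src, dst))
    return hits


if __name__ == "__main__":
    for ts, src, dst in missourced(CAPTURE, interface_networks(IFCONFIG)):
        print(f"{ts} source {src} -> {dst} does not belong to the capture interface")
```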