Date: Tue, 17 Oct 2017 15:17:16 +0000
From: Andrew Hotlab <andrew.hotlab@hotmail.com>
To: Marko Cupać <marko.cupac@mimar.rs>
Cc: "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>
Subject: Re: setfib (ez)jails and wierd routing
Message-ID: <AM5PR0201MB24675737A4E2E53560E765A6F64C0@AM5PR0201MB2467.eurprd02.prod.outlook.com>
In-Reply-To: <20171016161844.7ddb1fe7@efreet-freebsd.kappastar.com>
References: <20170929103258.2f912308@efreet-freebsd.kappastar.com> <AM3PR02MB31250DCB6D22C712457C38EF67F0@AM3PR02MB312.eurprd02.prod.outlook.com>, <20171016161844.7ddb1fe7@efreet-freebsd.kappastar.com>
________________________________________
From: Marko Cupać <marko.cupac@mimar.rs>
Sent: Monday, October 16, 2017 4:18 PM
To: Andrew Hotlab
Cc: freebsd-jail@freebsd.org
Subject: Re: setfib (ez)jails and wierd routing

> On Sat, 30 Sep 2017 10:38:58 +0000
> Andrew Hotlab <andrew.hotlab@hotmail.com> wrote:
>
> > I'm running releng/10.3. Which release are you working on?
>
> Sorry for the late reply. I'm running 11.1-RELEASE-p1. I am definitely
> seeing packets with source addresses of my DMZ jails (fib2) exiting
> through the interface on the local LAN. Those are mostly icmp echo replies that
> should be coming from jails but are not, due to the fact that jails
> don't have raw sockets enabled. So, echo replies are returned from the
> host (and not the jails), whose default gateway is on the internal network.
>

I just set up a similar scenario on a FreeBSD 11.1 host. It seems that all is working fine (172.21.10.0/24 is the DMZ, while 192.168.1.0/24 is the LAN). Please see the following transcript:

root@BSD11:~ # uname -msr
FreeBSD 11.1-RELEASE amd64
root@BSD11:~ # ifconfig | egrep '^[a-z]|inet '
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.21.10.100 netmask 0xffffff00 broadcast 172.21.10.255
        inet 172.21.10.101 netmask 0xffffffff broadcast 172.21.10.101
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
root@BSD11:~ # netstat -rnfinet
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.254      UGS         em1
127.0.0.1          link#3             UH          lo0
172.21.10.0/24     link#1             U           em0
172.21.10.100      link#1             UHS         lo0
172.21.10.101      link#1             UHS         lo0
172.21.10.101/32   link#1             U           em0
192.168.1.0/24     link#2             U           em1
192.168.1.100      link#2             UHS         lo0
root@BSD11:~ # setfib 1 netstat -rfinet
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            172.21.10.254      UGS         em0
localhost          link#3             UH          lo0
172.21.10.0/24     link#1             U           em0
172.21.10.101/32   link#1             U           em0
192.168.1.0/24     link#2             U           em1
root@BSD11:~ # cat /etc/jail.conf
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

jtest01 {
    host.hostname = "jtest01.test.lab";
    path = /usr/jails/jtest01;
    ip4.addr = "em0|172.21.10.101/32";
    persist;
    allow.raw_sockets;
    exec.fib = "1";
}
root@BSD11:~ # jls
   JID  IP Address      Hostname                      Path
     8  172.21.10.101   jtest01.test.lab              /usr/jails/jtest01
root@BSD11:~ # ssh 172.21.10.101 'sysctl net.my_fibnum'
Password for root@jtest01.test.lab:
net.my_fibnum: 1
root@BSD11:~ # tcpdump -i em0 -n -p icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:07:19.524839 IP 172.21.1.81 > 172.21.10.101: ICMP echo request, id 65315, seq 0, length 64
17:07:20.539686 IP 172.21.1.81 > 172.21.10.101: ICMP echo request, id 65315, seq 1, length 64
17:07:21.551653 IP 172.21.1.81 > 172.21.10.101: ICMP echo request, id 65315, seq 2, length 64
17:07:22.562764 IP 172.21.1.81 > 172.21.10.101: ICMP echo request, id 65315, seq 3, length 64
^C
4 packets captured
12 packets received by filter
0 packets dropped by kernel

> Would freebsd-net be a more appropriate list for this problem?

Maybe, but I would double-check your jail configuration before asking that list. My guess is that your jail might not be associated with the right fib.
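The check Andrew recommends (is each DMZ jail actually tied to the fib whose default route leaves through the DMZ interface?) can be scripted so it is not done by eye. The script below is an added example and is not part of this thread or of FreeBSD's own tooling. It parses a jail.conf and the routing table of one fib from text passed in as arguments, so it runs offline on the constructed samples embedded here; the samples are modelled on the transcript above, and the second jail (jtest02) is a hypothetical one that lacks exec.fib and therefore inherits the host's fib 0, which is exactly the situation in which the host rather than the jail answers on the LAN-side default route. On a real host you would feed it `cat /etc/jail.conf` and `setfib N netstat -rnfinet`.

```sh
#!/bin/sh
# Added example (not from the thread): audit jail.conf so that every jail whose
# ip4.addr is bound to a given interface also carries the expected exec.fib,
# and confirm which interface that fib's default route leaves through.

# Constructed sample jail.conf. jtest01 mirrors the one in the message;
# jtest02 is a hypothetical jail with no exec.fib (it will inherit fib 0).
SAMPLE_JAIL_CONF='exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

jtest01 {
    host.hostname = "jtest01.test.lab";
    path = /usr/jails/jtest01;
    ip4.addr = "em0|172.21.10.101/32";
    persist;
    allow.raw_sockets;
    exec.fib = "1";
}

jtest02 {
    host.hostname = "jtest02.test.lab";
    path = /usr/jails/jtest02;
    ip4.addr = "em0|172.21.10.102/32";
    persist;
}
'

# Constructed sample of "setfib 1 netstat -rnfinet" output (from the message).
SAMPLE_NETSTAT_FIB1='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            172.21.10.254      UGS         em0
localhost          link#3             UH          lo0
172.21.10.0/24     link#1             U           em0
172.21.10.101/32   link#1             U           em0
192.168.1.0/24     link#2             U           em1
'

# jail_fibs CONF_TEXT IFACE
# Prints "name fib" for every jail block whose ip4.addr is bound to IFACE.
# A top-level exec.fib (outside any block) is honoured as the default for all
# jails; "-" means no exec.fib at all, i.e. the jail runs in the host's fib 0.
jail_fibs() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        BEGIN { gfib = "-"; re = "(^|[\"= ])" iface "\\|" }
        # "name {" opens a jail block: start with the global default fib
        /^[A-Za-z0-9_.-]+[[:space:]]*\{/ {
            name = $1; sub(/[[:space:]]*\{.*/, "", name)
            fib = gfib; on_iface = 0; next
        }
        /^[[:space:]]*ip4\.addr/ { if ($0 ~ re) on_iface = 1; next }
        /^[[:space:]]*exec\.fib/ {
            v = $0
            sub(/^[^=]*=[[:space:]]*"?/, "", v)   # strip "exec.fib = " and opening quote
            sub(/"?[[:space:]]*;.*$/, "", v)      # strip closing quote and ";"
            if (name == "") gfib = v; else fib = v
            next
        }
        /^[[:space:]]*\}/ { if (name != "" && on_iface) print name, fib; name = "" }
    '
}

# check_jail_fibs CONF_TEXT IFACE EXPECTED_FIB
# Exit 0 when every jail on IFACE uses EXPECTED_FIB, else print the offenders and exit 1.
check_jail_fibs() {
    jail_fibs "$1" "$2" | awk -v want="$3" '
        $2 != want { print $1 " (exec.fib=" $2 ", expected " want ")"; bad = 1 }
        END { exit bad + 0 }
    '
}

# default_netif NETSTAT_TEXT
# Prints the Netif column of the default route in a netstat -rn routing table.
default_netif() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $4; exit }'
}

# Demo on the constructed samples: fib 1 defaults out of em0, and jtest02 is flagged.
printf 'fib 1 default route leaves via: %s\n' "$(default_netif "$SAMPLE_NETSTAT_FIB1")"
if check_jail_fibs "$SAMPLE_JAIL_CONF" em0 1; then
    echo "all em0 jails use fib 1"
else
    echo "some em0 jails are not on fib 1"
fi
```

The two halves belong together: `default_netif` tells you which interface a fib's default route uses, and `check_jail_fibs` tells you whether the jails on that interface are actually placed in that fib. A jail that passes the first check but not the second is the case Marko describes, since with no exec.fib the jail (and, without raw sockets, the host on its behalf) routes replies through fib 0 and its LAN-side default gateway.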