Date: Sat, 14 Mar 2009 21:22:04 +0100
From: Stefan Bethke <stb@lassitu.de>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-net@freebsd.org
Subject: Re: Multi-homing, jails, and source address selection
Message-ID: <DCDAD46C-16FA-4F0D-95A8-D892B17BE470@lassitu.de>
In-Reply-To: <20090314174526.E96785@maildrop.int.zabbadoz.net>
References: <A7C6B7F3-ECB3-4151-81B9-8008C877B0B9@lassitu.de> <20090314174526.E96785@maildrop.int.zabbadoz.net>
On 14.03.2009 at 19:01, Bjoern A. Zeeb wrote:

> On Thu, 12 Mar 2009, Stefan Bethke wrote:
>
>> I'm having some trouble configuring a dual-homed jail host, running
>> -current from about 4 weeks ago.
>> ...
>> Is there any documentation on how source addresses are selected? I
>> thought I remembered that on unbound sockets the destination route
>> would be used to pick the first address of the outgoing interface
>> as the source address; the same address would be picked on
>> connecting a socket.
>
> sys/netinet/in_pcb.c:in_pcbladdr() is your friend -
> http://fxr.watson.org/fxr/source/netinet/in_pcb.c#L546
>
> This is the case you are running into:
> http://fxr.watson.org/fxr/source/netinet/in_pcb.c#L628
>         /*
>          * If the outgoing interface on the route found is not
>          * a loopback interface, use the address from that interface.
>          * In case of jails do those three steps:
>          * 1. check if the interface address belongs to the jail. If so use it.
>          * 2. check if we have any address on the outgoing interface
>          *    belonging to this jail. If so use it.
>          * 3. as a last resort return the 'default' jail address.
>          */
>
> so you are hitting "3." .
>
> I am not sure but I'd assume
>       ifconfig tun0 10.0.63.3 10.0.63.255 alias
> would work, just not with the logic to create the IPs upon jail start
> (and we will not accept patches to handle that;).

This is what I figured is happening. For the time being, I've gone back
to single-homed; I'm using pf binat rules to map public IPs to the VPN
ones for the jails. Not perfect, but works for most cases. (The only
really missing option is to bind a service in the jail to the VPN address
only, so it's only accessible over the VPN, but I can enforce that
through pf or hosts.allow.)

Assigning aliases to tun0 appears to work too, but you need a distinct
destination address for each alias. Annoying. Since I'm using "topology
subnet" in OpenVPN, a point-to-point interface is conceptually slightly
off; a broadcast interface would fit much nicer.
This would also allow the standard rc.d/jail script to do its magic, if
the necessary tun settings could be applied through ifconfig. Is there a
specific reason this setting can only be done through an ioctl on the dev
node, instead of through ifconfig? (Specifically TUNSIFMODE.)

Additionally, this opens the way to run OpenVPN inside a jail, since all
ifconfig and route setup would be done prior to OpenVPN starting up. (tun
also downs the interface if the dev node is closed, but I have a feeling
that could be mediated somewhat easily as well.)

Thanks,
Stefan

--
Stefan Bethke <stb@lassitu.de>   Fon +49 151 14070811
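The three-step rule quoted from the in_pcbladdr() comment above, reproduced as a small Python model so the "case 3" outcome from the thread can be seen with concrete data. This is an added illustration and not FreeBSD kernel code or anything posted in the thread: the interface names (em0, tun0), the addresses, the routing table and the jail address list are all constructed, the loopback special case of the real function is not modelled, and with_tun0_alias() is a hypothetical helper standing in for the effect of Bjoern's suggested `ifconfig tun0 ... alias` on the interface's address list.

```python
"""Model of the jail source-address selection rule for unbound sockets.

Added example, not FreeBSD code: it re-implements in Python the three-step
rule from the in_pcbladdr() comment quoted in the thread. All interfaces,
addresses and routes below are constructed for illustration.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed host: interface name -> addresses assigned to it, in the order
# the kernel would walk them. em0 carries the public (documentation-range)
# addresses, tun0 carries the host's OpenVPN address.
IFACES = {
    "em0": [IPv4Address("192.0.2.10"), IPv4Address("192.0.2.11")],
    "tun0": [IPv4Address("10.0.63.1")],
}

# Constructed routing table: (prefix, outgoing interface); longest prefix wins.
ROUTES = [
    (IPv4Network("10.0.63.0/24"), "tun0"),
    (IPv4Network("0.0.0.0/0"), "em0"),
]


def route_ifp(dst, routes=ROUTES):
    """Longest-prefix-match route lookup; returns the outgoing interface name."""
    dst = IPv4Address(dst)
    best = None
    for net, ifp in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifp)
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best[1]


def select_laddr(dst, jail_addrs, ifaces=IFACES, routes=ROUTES):
    """Pick the source address for an unbound socket sending to dst.

    jail_addrs is None outside a jail; inside a jail it is the jail's address
    list with the 'default' (primary) address first. Returns (address, reason)
    where reason names the step of the quoted comment that produced it.
    The loopback branch of the real code is deliberately not modelled.
    """
    ifp = route_ifp(dst, routes)
    ifaddr = ifaces[ifp][0]            # "the address from that interface"
    if jail_addrs is None:
        return str(ifaddr), "unjailed"
    jail_addrs = [IPv4Address(a) for a in jail_addrs]
    if ifaddr in jail_addrs:           # 1. interface address belongs to the jail
        return str(ifaddr), "step1"
    for a in ifaces[ifp]:              # 2. any address on the outgoing interface
        if a in jail_addrs:            #    that belongs to this jail
            return str(a), "step2"
    return str(jail_addrs[0]), "step3" # 3. last resort: the default jail address


def with_tun0_alias(alias, ifaces=IFACES):
    """Hypothetical helper: the interface table after 'ifconfig tun0 <alias> <dst> alias',
    i.e. tun0 gains one more local address (the peer address is irrelevant here)."""
    ifaces = {k: list(v) for k, v in ifaces.items()}
    ifaces["tun0"].append(IPv4Address(alias))
    return ifaces


if __name__ == "__main__":
    jail = ["192.0.2.11"]                       # jail owns one public address
    print(select_laddr("198.51.100.5", jail))   # via em0: 192.0.2.11 (step 2)
    print(select_laddr("10.0.63.7", jail))      # via tun0: 192.0.2.11 (step 3, public
                                                # source address leaks onto the VPN)
    # After aliasing 10.0.63.3 onto tun0 and giving it to the jail, step 2 wins.
    print(select_laddr("10.0.63.7", jail + ["10.0.63.3"], with_tun0_alias("10.0.63.3")))
```

The second call is the situation the thread describes: the route to a VPN peer goes out tun0, no tun0 address belongs to the jail, so the jail's default public address is used as the source of VPN traffic. Adding the jail's VPN address as a tun0 alias, as suggested in the quoted reply, makes step 2 match instead.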
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DCDAD46C-16FA-4F0D-95A8-D892B17BE470>