Date: Mon, 9 Apr 2012 15:11:50 -0500
From: Mark Felder <feld@feld.me>
To: freebsd-jail@freebsd.org
Subject: Re: Jail source address selection broken, patch for ping
Message-ID: <op.wcik10bo34t2sn@tech304>
In-Reply-To: <493438014.49159.1333999007132.JavaMail.root@mrelmx09.mrec.ar>
References: <493438014.49159.1333999007132.JavaMail.root@mrelmx09.mrec.ar>
On Mon, 09 Apr 2012 14:16:47 -0500, Juan F. Díaz y Díaz <jfd@mrecic.gov.ar> wrote:

> Mark, you can just run a jail with the setfib utility so you don't need
> to modify all your scripts.

I don't think anyone here is understanding the issue and forcing a routing
table will not help.

root@jailhost:/# jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
     3  xymon.xxxxxx.net              /usr/jails/xymon.xxxxxx.net
        3                             ACTIVE
        2
        66.xxx.xxx.xxx
        192.168.89.xxx   <-- different vlans for each
        192.168.93.xxx
        192.168.94.xxx
        192.168.95.xxx
        192.168.96.xxx
        192.168.97.xxx

root@jailhost:/# ifconfig (edited output)
vlan989: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=103<RXCSUM,TXCSUM,TSO4>
        ether d4:ae:52:6a:ec:d9
        inet 192.168.89.xxx netmask 0xffffff00 broadcast 192.168.89.255
        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan989 prefixlen 64 scopeid 0x6
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 989 parent interface: bce1
vlan993: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=103<RXCSUM,TXCSUM,TSO4>
        ether d4:ae:52:6a:ec:d9
        inet 192.168.93.xxx netmask 0xffffff00 broadcast 192.168.93.255
        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan993 prefixlen 64 scopeid 0x7
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 993 parent interface: bce1
vlan994: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=103<RXCSUM,TXCSUM,TSO4>
        ether d4:ae:52:6a:ec:d9
        inet 192.168.94.xxx netmask 0xffffff00 broadcast 192.168.94.255
        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan994 prefixlen 64 scopeid 0x8
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 994 parent interface: bce1
vlan996: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=103<RXCSUM,TXCSUM,TSO4>
        ether d4:ae:52:6a:ec:d9
        inet 192.168.96.xxx netmask 0xffffff00 broadcast 192.168.96.255
        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan996 prefixlen 64 scopeid 0x9
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 996 parent interface: bce1
vlan997: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=103<RXCSUM,TXCSUM,TSO4>
        ether d4:ae:52:6a:ec:d9
        inet 192.168.97.xxx netmask 0xffffff00 broadcast 192.168.97.255
        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan997 prefixlen 64 scopeid 0xa
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 997 parent interface: bce1

All of these vlan interfaces go into a SINGLE jail. Setting the fib will
not help; the jail already has the default routing table. The problem is
that you can't access these different VLANs with many network utilities
because it sets your source IP in the packet as the first IP the jail has
bound to it: 66.xxx.xxx.xxx