Re: cannot resolve host in VNET jail with RSS enabled
Date: Tue, 12 Apr 2022 05:32:35 UTC
Hi,

Thanks for your kind reply.

I've never tried 'options rss' and 'options pcbgroup' before.

# uname -a
FreeBSD haproxy-a 13.1-STABLE FreeBSD 13.1-STABLE #12 local-ece90b520: Tue Apr 12 11:50:47 CST 2022 root@hp380:/usr/obj/usr/src/amd64.amd64/sys/fb13-stable-rss amd64

# more jail.conf
haproxy-a {
  devfs_ruleset = 8;
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = /var/log/bastille/haproxy-a_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = haproxy-a;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/haproxy-a/fstab;
  path = /usr/local/bastille/jails/haproxy-a/root;
  securelevel = 2;

  vnet="new";
  vnet.interface='epair10b';
  exec.poststart='/usr/sbin/jexec haproxy-a /sbin/ifconfig epair10b 192.168.200.100 netmask 255.255.255.0 up';
  exec.poststart+='/usr/sbin/jexec haproxy-a /sbin/route add default 192.168.200.1';
}

Then in the jail:

root@haproxy-a:/ # drill www.microsoft.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 14133
;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.microsoft.com. IN A

;; ANSWER SECTION:
www.microsoft.com. 3563 IN CNAME www.microsoft.com-c-3.edgekey.net.
www.microsoft.com-c-3.edgekey.net. 643 IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. 620 IN CNAME e13678.ca2.s.tl88.net.
e13678.ca2.s.tl88.net. 35 IN A 115.152.251.229

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 13 msec
;; SERVER: 114.114.114.114
;; WHEN: Tue Apr 12 13:15:58 2022
;; MSG SIZE rcvd: 197

root@haproxy-a:/ # ping -4 www.microsoft.com
^C
root@haproxy-a:/ # ping -4 115.152.251.229
PING 115.152.251.229 (115.152.251.229): 56 data bytes
64 bytes from 115.152.251.229: icmp_seq=0 ttl=52 time=16.094 ms
64 bytes from 115.152.251.229: icmp_seq=1 ttl=52 time=16.032 ms
64 bytes from 115.152.251.229: icmp_seq=2 ttl=52 time=22.042 ms
64 bytes from 115.152.251.229: icmp_seq=3 ttl=52 time=16.064 ms
64 bytes from 115.152.251.229: icmp_seq=4 ttl=52 time=16.242 ms
64 bytes from 115.152.251.229: icmp_seq=5 ttl=52 time=16.051 ms
^C
--- 115.152.251.229 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 16.032/17.087/22.042/2.217 ms

And I captured these packets at the same time:

root@haproxy-a:/ # tcpdump -v -n -i epair10b
tcpdump: listening on epair10b, link-type EN10MB (Ethernet), capture size 262144 bytes
13:15:58.795103 IP (tos 0x0, ttl 64, id 63832, offset 0, flags [none], proto UDP (17), length 63)
    192.168.200.100.61519 > 114.114.114.114.53: 14133+ A? www.microsoft.com. (35)
13:15:58.808548 IP (tos 0x0, ttl 149, id 0, offset 0, flags [none], proto UDP (17), length 225)
    114.114.114.114.53 > 192.168.200.100.61519: 14133 4/0/0 www.microsoft.com. CNAME www.microsoft.com-c-3.edgekey.net., www.microsoft.com-c-3.edgekey.net. CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net., www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. CNAME e13678.ca2.s.tl88.net., e13678.ca2.s.tl88.net. A 115.152.251.229 (197)
13:16:26.916890 IP (tos 0x0, ttl 64, id 24086, offset 0, flags [none], proto UDP (17), length 63)
    192.168.200.100.13052 > 114.114.114.114.53: 44693+ A? www.microsoft.com. (35)
13:16:26.931768 IP (tos 0x0, ttl 149, id 0, offset 0, flags [none], proto UDP (17), length 225)
    114.114.114.114.53 > 192.168.200.100.13052: 44693 4/0/0 www.microsoft.com. CNAME www.microsoft.com-c-3.edgekey.net., www.microsoft.com-c-3.edgekey.net. CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net., www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. CNAME e13678.ca2.s.tl88.net., e13678.ca2.s.tl88.net. A 115.152.251.229 (197)
13:16:26.931813 IP (tos 0x0, ttl 64, id 63833, offset 0, flags [none], proto ICMP (1), length 253)
    192.168.200.100 > 114.114.114.114: ICMP 192.168.200.100 udp port 13052 unreachable, length 233
        IP (tos 0x0, ttl 149, id 0, offset 0, flags [none], proto UDP (17), length 225)
    114.114.114.114.53 > 192.168.200.100.13052: 44693 4/0/0 www.microsoft.com. CNAME www.microsoft.com-c-3.edgekey.net., www.microsoft.com-c-3.edgekey.net. CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net., www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. CNAME e13678.ca2.s.tl88.net., e13678.ca2.s.tl88.net. A 115.152.251.229 (197)
13:16:32.004844 IP (tos 0x0, ttl 64, id 23301, offset 0, flags [none], proto UDP (17), length 63)
    192.168.200.100.13052 > 114.114.114.114.53: 44693+ A? www.microsoft.com. (35)
13:16:32.019973 IP (tos 0x0, ttl 149, id 0, offset 0, flags [none], proto UDP (17), length 225)
    114.114.114.114.53 > 192.168.200.100.13052: 44693 4/0/0 www.microsoft.com. CNAME www.microsoft.com-c-3.edgekey.net., www.microsoft.com-c-3.edgekey.net. CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net., www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. CNAME e13678.ca2.s.tl88.net., e13678.ca2.s.tl88.net. A 115.152.251.229 (197)
13:16:32.020011 IP (tos 0x0, ttl 64, id 63834, offset 0, flags [none], proto ICMP (1), length 253)
    192.168.200.100 > 114.114.114.114: ICMP 192.168.200.100 udp port 13052 unreachable, length 233
        IP (tos 0x0, ttl 149, id 0, offset 0, flags [none], proto UDP (17), length 225)
    114.114.114.114.53 > 192.168.200.100.13052: 44693 4/0/0 www.microsoft.com. CNAME www.microsoft.com-c-3.edgekey.net., www.microsoft.com-c-3.edgekey.net. CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net., www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. CNAME e13678.ca2.s.tl88.net., e13678.ca2.s.tl88.net. A 115.152.251.229 (197)
13:17:06.761628 IP (tos 0x0, ttl 64, id 54170, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.200.100 > 115.152.251.229: ICMP echo request, id 45603, seq 0, length 64
13:17:06.777676 IP (tos 0x0, ttl 52, id 46238, offset 0, flags [none], proto ICMP (1), length 84)
    115.152.251.229 > 192.168.200.100: ICMP echo reply, id 45603, seq 0, length 64
13:17:07.785398 IP (tos 0x0, ttl 64, id 54171, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.200.100 > 115.152.251.229: ICMP echo request, id 45603, seq 1, length 64
13:17:07.801393 IP (tos 0x0, ttl 52, id 46335, offset 0, flags [none], proto ICMP (1), length 84)
    115.152.251.229 > 192.168.200.100: ICMP echo reply, id 45603, seq 1, length 64
13:17:08.847866 IP (tos 0x0, ttl 64, id 54172, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.200.100 > 115.152.251.229: ICMP echo request, id 45603, seq 2, length 64
13:17:08.869870 IP (tos 0x0, ttl 52, id 46544, offset 0, flags [none], proto ICMP (1), length 84)
    115.152.251.229 > 192.168.200.100: ICMP echo reply, id 45603, seq 2, length 64
13:17:09.909951 IP (tos 0x0, ttl 64, id 54173, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.200.100 > 115.152.251.229: ICMP echo request, id 45603, seq 3, length 64
13:17:09.925956 IP (tos 0x0, ttl 52, id 46614, offset 0, flags [none], proto ICMP (1), length 84)
    115.152.251.229 > 192.168.200.100: ICMP echo reply, id 45603, seq 3, length 64
13:17:10.972385 IP (tos 0x0, ttl 64, id 3781, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.200.100 > 115.152.251.229: ICMP echo request, id 45603, seq 4, length 64
13:17:10.988580 IP (tos 0x0, ttl 52, id 47619, offset 0, flags [none], proto ICMP (1), length 84)
    115.152.251.229 > 192.168.200.100: ICMP echo reply, id 45603, seq 4, length 64
13:17:12.018853 IP (tos 0x0, ttl 64, id 48853, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.200.100 > 115.152.251.229: ICMP echo request, id 45603, seq 5, length 64
13:17:12.034859 IP (tos 0x0, ttl 52, id 48564, offset 0, flags [none], proto ICMP (1), length 84)
    115.152.251.229 > 192.168.200.100: ICMP echo reply, id 45603, seq 5, length 64

Simon
20220412
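
Added example, not part of the original message: in the capture above, the DNS answer for source port 61519 is accepted, while each answer for source port 13052 is followed by an ICMP "udp port unreachable" sent from 192.168.200.100 itself. The Python below pairs queries, answers and those rejections per client port in tcpdump text; the function name `classify`, the status labels and the condensed sample lines are assumptions of this example.

```python
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
QUERY = re.compile(IP + r"\.(\d+) > " + IP + r"\.53: (\d+)\+")
REPLY = re.compile(IP + r"\.53 > " + IP + r"\.(\d+): (\d+) \d+/\d+/\d+")
UNREACH = re.compile(r"ICMP " + IP + r" udp port (\d+) unreachable")

# Sample input condensed from the capture in the message: one packet per
# line (tcpdump without -v), answer records shortened to "...".
SAMPLE = """\
13:15:58.795103 IP 192.168.200.100.61519 > 114.114.114.114.53: 14133+ A? www.microsoft.com. (35)
13:15:58.808548 IP 114.114.114.114.53 > 192.168.200.100.61519: 14133 4/0/0 CNAME ... (197)
13:16:26.916890 IP 192.168.200.100.13052 > 114.114.114.114.53: 44693+ A? www.microsoft.com. (35)
13:16:26.931768 IP 114.114.114.114.53 > 192.168.200.100.13052: 44693 4/0/0 CNAME ... (197)
13:16:26.931813 IP 192.168.200.100 > 114.114.114.114: ICMP 192.168.200.100 udp port 13052 unreachable, length 233
13:16:32.004844 IP 192.168.200.100.13052 > 114.114.114.114.53: 44693+ A? www.microsoft.com. (35)
13:16:32.019973 IP 114.114.114.114.53 > 192.168.200.100.13052: 44693 4/0/0 CNAME ... (197)
13:16:32.020011 IP 192.168.200.100 > 114.114.114.114: ICMP 192.168.200.100 udp port 13052 unreachable, length 233
"""

def classify(capture):
    """Return {(client_ip, port): (query_count, status)} for DNS-over-UDP flows."""
    flows = {}
    for client, port, _server, qid in QUERY.findall(capture):
        flow = flows.setdefault((client, int(port)),
                                {"ids": set(), "queries": 0, "replied": False, "rejected": False})
        flow["ids"].add(qid)
        flow["queries"] += 1          # more than one means the resolver retried
    for _server, client, port, qid in REPLY.findall(capture):
        flow = flows.get((client, int(port)))
        if flow and qid in flow["ids"]:
            flow["replied"] = True    # answer reached the client's interface
    for client, port in UNREACH.findall(capture):
        flow = flows.get((client, int(port)))
        if flow:
            flow["rejected"] = True   # client host refused the datagram
    result = {}
    for key, flow in flows.items():
        status = ("reply-rejected" if flow["rejected"]
                  else "answered" if flow["replied"] else "unanswered")
        result[key] = (flow["queries"], status)
    return result

if __name__ == "__main__":
    for (client, port), (count, status) in sorted(classify(SAMPLE).items()):
        print(f"{client}:{port} queries={count} {status}")
```

The patterns search the whole text, so `tcpdump -v` output, where each packet spans two lines and the ICMP error quotes the rejected datagram, classifies the same way.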