Jail source address selection broken, patch for ping
Mark Felder
feld at feld.me
Mon Apr 9 16:21:07 UTC 2012
Hello,
This weekend I was deploying our monitoring server into a 32bit FreeBSD
jail on a 64bit install. This was necessary because we needed the newer
hardware but couldn't migrate the RRDs to 64bit format without breaking
other machines that rely on the RRD files and are still 32bit. Our
monitoring server is fairly extensive and talks to many different VLANs
and subnets. As a result, IPs on these different VLAN interfaces were
passed through to the jail. I noticed pretty quickly that for some reason
PINGs were not able to reach many subnets even though I am allowing raw
sockets. After doing some traffic sniffing I was able to determine that
the source IP address was incorrect.
By pure chance I was able to contact bz@ and he provided me with a patch
for ping based on his recent work on a similar issue with traceroute. This
solved my problem with the system ping utility, but my tests with fping
and the ping utility included with our monitoring software still exhibited
the same issue.
bz informed me that he believes he knows where the bug is in the kernel --
I believe he pointed me to the area of sys/netinet/ip_raw.c around line
461. Jails are getting the first IP as a source no matter what.
Anyway, attached is the patch he asked me to post to the mailing list for
those that need a workaround for ping. I'm sure fixing this in the kernel
will probably require further discussion among those with actual
programming skills :-)
Cheers,
Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20120407-01-ping-source-addr.diff
Type: application/octet-stream
Size: 6163 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20120409/a601a1bf/20120407-01-ping-source-addr.obj