Jail source address selection broken, patch for ping
Anders Hagman
anders.hagman at netplex.se
Tue Apr 10 09:05:14 UTC 2012
Hi
I have done a test.
My setup inside the jail:
vlan102: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:19:db:d5:db:c5
inet 10.3.0.2 netmask 0xffffff00 broadcast 10.3.0.255
inet6 fe80::219:dbff:fed5:dbc5%vlan102 prefixlen 64 scopeid 0x3
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan103: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:19:db:d5:db:c5
inet 10.4.0.2 netmask 0xffffff00 broadcast 10.4.0.255
inet6 fe80::219:dbff:fed5:dbc5%vlan103 prefixlen 64 scopeid 0x4
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan104: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:19:db:d5:db:c5
inet 10.5.0.2 netmask 0xffffff00 broadcast 10.5.0.255
inet6 fe80::219:dbff:fed5:dbc5%vlan104 prefixlen 64 scopeid 0x5
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
My pings to the firewall.
[root at webben ~]# ping -c 1 10.3.0.1
PING 10.3.0.1 (10.3.0.1): 56 data bytes
64 bytes from 10.3.0.1: icmp_seq=0 ttl=64 time=0.408 ms
[root at webben ~]# ping -c 1 10.4.0.1
PING 10.4.0.1 (10.4.0.1): 56 data bytes
64 bytes from 10.4.0.1: icmp_seq=0 ttl=64 time=0.418 ms
[root at webben ~]# ping -c 1 10.5.0.1
PING 10.5.0.1 (10.5.0.1): 56 data bytes
64 bytes from 10.5.0.1: icmp_seq=0 ttl=64 time=0.602 ms
The log on the firewall shows the jail is using the right source address.
10:45:54.250965 OPT5 10.5.0.2 10.5.0.1, type echo/0 ICMP
10:45:51.755278 OPT4 10.4.0.2 10.4.0.1, type echo/0 ICMP
10:45:48.931655 OPT3 10.3.0.2 10.3.0.1, type echo/0 ICMP
I have used a vnet jail to get its own IP stack.
One strange thing is that tcpdump on the host cannot see the packets.
On 9 Apr 2012, at 22:11, Mark Felder wrote:
> On Mon, 09 Apr 2012 14:16:47 -0500, Juan F. Díaz y Díaz <jfd at mrecic.gov.ar> wrote:
>
>> Mark, you can just run a jail with the setfib utility so you don't need to modify all your scripts.
>
> I don't think anyone here is understanding the issue and forcing a routing table will not help.
>
> root at jailhost:/# jls -v
> JID Hostname Path
> Name State
> CPUSetID
> IP Address(es)
> 3 xymon.xxxxxx.net /usr/jails/xymon.xxxxxx.net
> 3 ACTIVE
> 2
> 66.xxx.xxx.xxx
> 192.168.89.xxx <-- different vlans for each
> 192.168.93.xxx
> 192.168.94.xxx
> 192.168.95.xxx
> 192.168.96.xxx
> 192.168.97.xxx
>
>
> root at jailhost:/# ifconfig (edited output)
> vlan989: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=103<RXCSUM,TXCSUM,TSO4>
> ether d4:ae:52:6a:ec:d9
> inet 192.168.89.xxx netmask 0xffffff00 broadcast 192.168.89.255
> inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan989 prefixlen 64 scopeid 0x6
> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> media: Ethernet autoselect (1000baseT <full-duplex>)
> status: active
> vlan: 989 parent interface: bce1
> vlan993: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=103<RXCSUM,TXCSUM,TSO4>
> ether d4:ae:52:6a:ec:d9
> inet 192.168.93.xxx netmask 0xffffff00 broadcast 192.168.93.255
> inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan993 prefixlen 64 scopeid 0x7
> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> media: Ethernet autoselect (1000baseT <full-duplex>)
> status: active
> vlan: 993 parent interface: bce1
> vlan994: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=103<RXCSUM,TXCSUM,TSO4>
> ether d4:ae:52:6a:ec:d9
> inet 192.168.94.xxx netmask 0xffffff00 broadcast 192.168.94.255
> inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan994 prefixlen 64 scopeid 0x8
> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> media: Ethernet autoselect (1000baseT <full-duplex>)
> status: active
> vlan: 994 parent interface: bce1
> vlan996: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=103<RXCSUM,TXCSUM,TSO4>
> ether d4:ae:52:6a:ec:d9
> inet 192.168.96.xxx netmask 0xffffff00 broadcast 192.168.96.255
> inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan996 prefixlen 64 scopeid 0x9
> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> media: Ethernet autoselect (1000baseT <full-duplex>)
> status: active
> vlan: 996 parent interface: bce1
> vlan997: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=103<RXCSUM,TXCSUM,TSO4>
> ether d4:ae:52:6a:ec:d9
> inet 192.168.97.xxx netmask 0xffffff00 broadcast 192.168.97.255
> inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan997 prefixlen 64 scopeid 0xa
> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> media: Ethernet autoselect (1000baseT <full-duplex>)
> status: active
> vlan: 997 parent interface: bce1
>
> All of these vlan interfaces go into a SINGLE jail. Setting the fib will not help; the jail already has the default routing table. The problem is that you can't access these different VLANs with many network utilities because it sets your source IP in the packet as the first IP the jail has bound to it: 66.xxx.xxx.xxx
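An added example, not code from this thread or from FreeBSD: a Python check that parses ifconfig and firewall-log lines of the shape quoted above (copied here as constructed input), derives the source address a route-based selection should pick for each destination (the address on the directly connected prefix containing the destination), and flags log entries whose source differs. That mismatch is how the "first IP bound to the jail" behaviour Mark describes shows up in a firewall log, so the same check can be run over real log lines to confirm whether a jail is affected. The second interface table, with the placeholder address 192.0.2.10 on a first interface, is constructed purely to illustrate the mismatch.

```python
import ipaddress
import re

# Constructed copy of the interface lines from the post (trimmed to what matters).
IFCONFIG_OUTPUT = """\
vlan102: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.3.0.2 netmask 0xffffff00 broadcast 10.3.0.255
vlan103: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.4.0.2 netmask 0xffffff00 broadcast 10.4.0.255
vlan104: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.5.0.2 netmask 0xffffff00 broadcast 10.5.0.255
"""

# Constructed copy of the firewall log lines from the post.
FIREWALL_LOG = """\
10:45:54.250965 OPT5 10.5.0.2 10.5.0.1, type echo/0 ICMP
10:45:51.755278 OPT4 10.4.0.2 10.4.0.1, type echo/0 ICMP
10:45:48.931655 OPT3 10.3.0.2 10.3.0.1, type echo/0 ICMP
"""

# Constructed table modelling Mark's case: the first address the jail holds
# (placeholder 192.0.2.10) is on an unrelated subnet.
MIXED_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
vlan103: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.4.0.2 netmask 0xffffff00 broadcast 10.4.0.255
"""

IFACE_RE = re.compile(r'^(\S+): flags=')
INET_RE = re.compile(r'^\s*inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]+)')
# e.g. "10:45:54.250965 OPT5 10.5.0.2 10.5.0.1, type echo/0 ICMP"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+), type echo/0 ICMP$')


def parse_ifconfig(text):
    """Return [(ifname, IPv4Interface), ...] in the order ifconfig lists them."""
    ifaces = []
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and current:
            prefixlen = bin(int(m.group(2), 16)).count('1')  # 0xffffff00 -> 24
            ifaces.append((current, ipaddress.ip_interface(f"{m.group(1)}/{prefixlen}")))
    return ifaces


def expected_source(ifaces, dst):
    """Route-based choice: address on the most specific connected prefix holding dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for _, iface in ifaces:
        if dst in iface.network and (best is None or
                                     iface.network.prefixlen > best.network.prefixlen):
            best = iface
    return str(best.ip) if best else None


def first_bound_source(ifaces):
    """The behaviour described for a non-vnet jail: the first address it holds."""
    return str(ifaces[0][1].ip)


def check_log(log_text, ifaces):
    """For each logged echo request: (dst, logged src, expected src, ok?)."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, _rule, src, dst = m.groups()
        exp = expected_source(ifaces, dst)
        results.append((dst, src, exp, src == exp))
    return results


if __name__ == "__main__":
    for dst, src, exp, ok in check_log(FIREWALL_LOG, parse_ifconfig(IFCONFIG_OUTPUT)):
        print(f"{dst}: src {src}, expected {exp}, {'OK' if ok else 'MISMATCH'}")
    mixed = parse_ifconfig(MIXED_IFCONFIG)
    print("first-bound would send from", first_bound_source(mixed),
          "to 10.4.0.1; route-based picks", expected_source(mixed, "10.4.0.1"))
```

Against the vnet jail's log every line checks out, because each echo request leaves from the address on the destination's own /24. Run over a log from an affected non-vnet jail, the same check reports a mismatch on every destination that is not on the first address's subnet, which is the symptom the thread is about.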