Jail source address selection broken, patch for ping

Anders Hagman anders.hagman at netplex.se
Tue Apr 10 09:05:14 UTC 2012 

Hi


I have done a test.
My setup inside the jail:

vlan102: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:19:db:d5:db:c5
	inet 10.3.0.2 netmask 0xffffff00 broadcast 10.3.0.255
	inet6 fe80::219:dbff:fed5:dbc5%vlan102 prefixlen 64 scopeid 0x3 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vlan103: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:19:db:d5:db:c5
	inet 10.4.0.2 netmask 0xffffff00 broadcast 10.4.0.255
	inet6 fe80::219:dbff:fed5:dbc5%vlan103 prefixlen 64 scopeid 0x4 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
vlan104: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:19:db:d5:db:c5
	inet 10.5.0.2 netmask 0xffffff00 broadcast 10.5.0.255
	inet6 fe80::219:dbff:fed5:dbc5%vlan104 prefixlen 64 scopeid 0x5 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active


My pings to the firewall.

[root at webben ~]# ping -c 1 10.3.0.1
PING 10.3.0.1 (10.3.0.1): 56 data bytes
64 bytes from 10.3.0.1: icmp_seq=0 ttl=64 time=0.408 ms

[root at webben ~]# ping -c 1 10.4.0.1
PING 10.4.0.1 (10.4.0.1): 56 data bytes
64 bytes from 10.4.0.1: icmp_seq=0 ttl=64 time=0.418 ms

[root at webben ~]# ping -c 1 10.5.0.1
PING 10.5.0.1 (10.5.0.1): 56 data bytes
64 bytes from 10.5.0.1: icmp_seq=0 ttl=64 time=0.602 ms


The log in the firewall saying the jail is using the right source address.

10:45:54.250965	OPT5	10.5.0.2	10.5.0.1, type echo/0	ICMP
10:45:51.755278	OPT4	10.4.0.2	10.4.0.1, type echo/0	ICMP
10:45:48.931655	OPT3	10.3.0.2	10.3.0.1, type echo/0	ICMP

I have used vnet jail to get your own IP stack.
One strange thing is that tcpdump on the host can not see the packets.

9 apr 2012 kl. 22:11 skrev Mark Felder:

> On Mon, 09 Apr 2012 14:16:47 -0500, Juan F. Díaz y Díaz <jfd at mrecic.gov.ar> wrote:
> 
>> Mark, you can just run a jail with the setfib utility so you don't need to modify all your scripts.
> 
> I don't think anyone here is understanding the issue and forcing a routing table will not help.
> 
> root at jailhost:/# jls -v
>   JID  Hostname                      Path
>        Name                          State
>        CPUSetID
>        IP Address(es)
>     3  xymon.xxxxxx.net            /usr/jails/xymon.xxxxxx.net
>        3                             ACTIVE
>        2
>        66.xxx.xxx.xxx
>        192.168.89.xxx  <-- different vlans for each
>        192.168.93.xxx
>        192.168.94.xxx
>        192.168.95.xxx
>        192.168.96.xxx
>        192.168.97.xxx
> 
> 
> root at jailhost:/# ifconfig   (edited output)
> vlan989: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=103<RXCSUM,TXCSUM,TSO4>
>        ether d4:ae:52:6a:ec:d9
>        inet 192.168.89.xxx netmask 0xffffff00 broadcast 192.168.89.255
>        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan989 prefixlen 64 scopeid 0x6
>        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>        media: Ethernet autoselect (1000baseT <full-duplex>)
>        status: active
>        vlan: 989 parent interface: bce1
> vlan993: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=103<RXCSUM,TXCSUM,TSO4>
>        ether d4:ae:52:6a:ec:d9
>        inet 192.168.93.xxx netmask 0xffffff00 broadcast 192.168.93.255
>        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan993 prefixlen 64 scopeid 0x7
>        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>        media: Ethernet autoselect (1000baseT <full-duplex>)
>        status: active
>        vlan: 993 parent interface: bce1
> vlan994: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=103<RXCSUM,TXCSUM,TSO4>
>        ether d4:ae:52:6a:ec:d9
>        inet 192.168.94.xxx netmask 0xffffff00 broadcast 192.168.94.255
>        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan994 prefixlen 64 scopeid 0x8
>        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>        media: Ethernet autoselect (1000baseT <full-duplex>)
>        status: active
>        vlan: 994 parent interface: bce1
> vlan996: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=103<RXCSUM,TXCSUM,TSO4>
>        ether d4:ae:52:6a:ec:d9
>        inet 192.168.96.xxx netmask 0xffffff00 broadcast 192.168.96.255
>        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan996 prefixlen 64 scopeid 0x9
>        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>        media: Ethernet autoselect (1000baseT <full-duplex>)
>        status: active
>        vlan: 996 parent interface: bce1
> vlan997: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=103<RXCSUM,TXCSUM,TSO4>
>        ether d4:ae:52:6a:ec:d9
>        inet 192.168.97.xxx netmask 0xffffff00 broadcast 192.168.97.255
>        inet6 fe80::d6ae:52ff:fe6a:ecd9%vlan997 prefixlen 64 scopeid 0xa
>        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>        media: Ethernet autoselect (1000baseT <full-duplex>)
>        status: active
>        vlan: 997 parent interface: bce1
> 
> 
> 
> 
> 
> All of these vlan interfaces go into a SINGLE jail. Setting the fib will not help; the jail already has the default routing table. The problem is that you can't access these different VLANs with many network utilities because it sets your source IP in the packet as the first IP the jail has bound to it: 66.xxx.xxx.xxx
> _______________________________________________

More information about the freebsd-jail mailing list