only lo0 interface inside jail, no default gw
Allan Jude
allanjude at freebsd.org
Thu Dec 18 17:04:00 UTC 2014
On 2014-12-18 01:18, Alexander Lunev wrote:
> As I said in my message to Jamie Gritton, I found why the jails couldn't ping
> the internet - I forgot to add the jail's address to the table that is permitted to NAT.
>
> Why should the subnet mask be /32? What harm could be done if the subnet mask of an
> alias is the same as for the other address of that interface?
>
> On Wed, Dec 17, 2014 at 11:53 PM, Allan Jude <allanjude at freebsd.org> wrote:
>>
>> On 2014-12-17 15:48, James Gritton wrote:
>>> On 2014-12-16 10:35, Alexander Lunev wrote:
>>>> Hello everyone.
>>>>
>>>> I'm trying to build a jail environment on a new server with 10.1-R. I
>>>> did that before on 9.2-R, but now I'm stuck with a strange network problem: no
>>>> matter how I configure the jail (the old way through rc.conf jail_* variables or
>>>> via /etc/jail.conf), I don't see a default gateway in the jail's routing
>>>> table.
>>>> At first I started with a more complex config using a separate fib for the jail,
>>>> but it's not working even without fibs (or in fib 0). So, here's what I
>>>> have in the host system:
>>>>
>>>> # netstat -rn
>>>> Routing tables
>>>>
>>>> Internet:
>>>> Destination Gateway Flags Netif Expire
>>>> default 10.1.1.1 UGS em0.4
>>>> 10.1.1.0/24 link#4 U em0.4
>>>> 10.1.1.205 link#4 UHS lo0
>>>> 10.1.1.206 link#4 UHS lo0
>>>> 127.0.0.1 link#3 UH lo0
>>>> 127.0.0.2 link#3 UH lo0
>>>>
>>>> # ifconfig
>>>> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>> options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
>>>>
>>>> ether 00:30:48:c1:e1:b4
>>>> nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>>> media: Ethernet autoselect (1000baseT <full-duplex>)
>>>> status: active
>>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>> options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>>>> inet6 ::1 prefixlen 128
>>>> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>>>> inet 127.0.0.1 netmask 0xff000000
>>>> inet 127.0.0.2 netmask 0xff000000
>>>> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>>>> em0.4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>> options=103<RXCSUM,TXCSUM,TSO4>
>>>> ether 00:30:48:c1:e1:b4
>>>> inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
>>>> inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
>>>> nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>>> media: Ethernet autoselect (1000baseT <full-duplex>)
>>>> status: active
>>>> vlan: 4 parent interface: em0
>>>>
>>>> I can ping the internet from the host via gateway 10.1.1.1
>>>>
>>>> And here's what I have in the jail:
>>>>
>>>> ====== BOF /etc/jail.conf =========
>>>> exec.start = "/bin/sh /etc/rc";
>>>> exec.stop = "/bin/sh /etc/rc.shutdown";
>>>> mount.devfs;
>>>> allow.raw_sockets;
>>>> path = "/usr/jails/$name";
>>>>
>>>> template {
>>>> jid = 1;
>>>> ip4.addr = "em0.4|10.1.1.206/24";
>>>> ip4.addr += "lo0|127.0.0.2/8";
>>>> host.hostname = template;
>>>> }
>>>> ====== EOF /etc/jail.conf =========
>>>>
>>>> # jexec 1 netstat -rn
>>>> Routing tables
>>>>
>>>> Internet:
>>>> Destination Gateway Flags Netif Expire
>>>> 10.1.1.206 link#4 UHS lo0
>>>> 127.0.0.2 link#3 UH lo0
>>>>
>>>> I can ping the gateway from the jail
>>>>
>>>> # jexec 1 ping 10.1.1.1
>>>> PING 10.1.1.1 (10.1.1.1): 56 data bytes
>>>> 64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.366 ms
>>>> ^C
>>>>
>>>> But not the Internet or anything via routing.
>>>>
>>>> I have no default gateway in the jail - why? What have I missed in this new
>>>> jail implementation since 9.2-R?
>>>
>>> The netstat output is no surprise. I don't know if it was before or
>>> after 9.2, but jails don't see routes that don't involve their own IP
>>> addresses, and that includes the default route.
>>>
>>> But that doesn't mean the default route isn't there. I have netstat
>>> output similar to yours, but packets still route as expected. I don't
>>> see anything in your jail.conf that looks wrong, so I'm afraid I can't
>>> say anything more than "it looks like it *should* work."
>>>
>>> - Jamie
>>>
>>> _______________________________________________
>>> freebsd-jail at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe at freebsd.org"
>>
>> The subnet mask of an alias should always be /32, not the actual subnet
>> mask
>>
>> Try that change in jail.conf, it should sort the issue.
>>
>> --
>> Allan Jude
>>
>>
>
If you have 2 IPs in the same subnet, with the subnet mask, then the
routing table may have trouble deciding which to use to access the
default gateway.
--
Allan Jude
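As an added example (not part of this thread and not FreeBSD project code), here is a small POSIX sh audit script that flags ip4.addr entries in a jail.conf(5) whose prefix length is not /32, the setting recommended above, and prints a corrected copy of the file. It assumes the "iface|addr/prefix" value form used in the jail.conf quoted in the thread; the sample configuration it writes is constructed for the demonstration, not the poster's real file.

```shell
#!/bin/sh
# Added example, not from the thread: audit a jail.conf(5) for ip4.addr
# aliases whose prefix is not /32, the setting Allan Jude recommends above.
# Assumes the "iface|addr/prefix" value form shown in the thread's jail.conf.

# jail_alias_masks FILE
# Prints one line "jailname iface addr/prefix" for every ip4.addr entry whose
# prefix length is not /32. Exit status 1 if any were found, else 0.
jail_alias_masks() {
    awk '
        BEGIN { name = "(global)" }
        # a line such as "template {" opens a jail block; remember its name
        /^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*[{]/ {
            name = $1; sub(/[{].*/, "", name)
        }
        /^[[:space:]]*ip4\.addr[[:space:]]*[+]?=/ {
            v = $0; sub(/^[^"]*"/, "", v); sub(/".*$/, "", v)   # quoted value
            if (split(v, p, "|") == 2) { iface = p[1]; addr = p[2] }
            else                       { iface = "-";  addr = v    }
            if (addr !~ /\/32$/) { print name, iface, addr; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# jail_alias_fix FILE
# Prints FILE with every explicit ip4.addr prefix rewritten to /32
# (the change suggested in the thread); the original file is untouched.
jail_alias_fix() {
    sed -E '/^[[:space:]]*ip4\.addr/ s#/[0-9]+"#/32"#' "$1"
}

# sample_conf: writes a constructed jail.conf modelled on the one in the
# thread (not the poster's real file) and prints its path
sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
exec.start = "/bin/sh /etc/rc";
path = "/usr/jails/$name";

template {
    jid = 1;
    ip4.addr = "em0.4|10.1.1.206/24";
    ip4.addr += "lo0|127.0.0.2/8";
    host.hostname = template;
}
EOF
    printf '%s\n' "$f"
}

# usage: report the offending entries, then show the corrected file
conf=$(sample_conf)
jail_alias_masks "$conf"
echo "--- corrected ---"
jail_alias_fix "$conf"
rm -f "$conf"
```

Run it against a real file with `jail_alias_masks /etc/jail.conf`; a non-zero exit status means at least one alias carries the subnet's mask rather than /32. The fix function only rewrites the prefix inside the quoted ip4.addr value, so the rest of the configuration is left alone.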