Allowing routing table visibility in jails to make multiple IPs work properly
Mark Felder
feld at FreeBSD.org
Fri Jan 3 13:10:31 UTC 2014
On Fri, Jan 3, 2014, at 2:00, Rudy (bulk) wrote:
>
> I'm having issues when putting multiple IPs on a jail... one external,
> one internal (on a different vlan). The source IP from the jail is
> always the first IP, so a solution is to use ipfw_nat to nat when using
> the internal vlan to the 'second ip'. Ugly hack, and it doesn't work
> when there is an MTU difference between the vlans:
>
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=184389
> Re: kern/184389: libalias fails to adjust MTU from jails
>
>
> The other solution is to let the jail 'see' the routing table:
> devfs -m /data/example.monkeybrains.net/dev rule apply path kmem unhide
> devfs -m /data/example.monkeybrains.net/dev rule apply path mem unhide
>
> Is there any way (or plans for) a method to reveal the routing table but
> not all of mem and kmem to the jail?
>
>
Hi!

You've hit a bug I found a while back. Can you reconfirm the findings
that bz and I had? The issue is not that the first IP is used for
*all* traffic, but only for traffic that uses raw sockets (like ICMP). I
actually have patches bz@ provided me for ping and fping which work
around this issue, but the fix should be done in the kernel instead.

Here's my PR, please take a look.

http://www.freebsd.org/cgi/query-pr.cgi?pr=168678

Your solution with the kmem/mem unhide is interesting. I do not have a
system that I could try that on at this time; my needs were
temporary/transitional (moving a monitoring server from 32-bit to
64-bit... architecture-dependent RRDs, etc... )

Thanks!
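
Added example, not part of the thread and not FreeBSD's own tooling: the two `devfs ... unhide` commands quoted above make `mem` and `kmem` visible inside the jail, and the Python check below reports which of those devices a given ruleset in a devfs.rules(5)-style file leaves visible. The ruleset names and contents in `SAMPLE` are constructed, the function names are hypothetical, and Python's `fnmatch` is assumed to be a close enough stand-in for devfs path matching on these slash-free names.

```python
import fnmatch
import shlex

# Constructed sample in devfs.rules(5) format; ruleset names and numbers are made up.
SAMPLE = """
[devfsrules_hide_all=1]
add hide
[jail_default=10]
add include $devfsrules_hide_all
add path null unhide
[jail_routing_hack=11]
add include $jail_default
add path kmem unhide
add path mem unhide
[jail_glob=12]
add include $devfsrules_hide_all
add path '*mem' unhide   # glob also matches kmem
add path kmem hide
"""

def parse_rulesets(text):
    """Return {ruleset_name: [rule token lists]} from devfs.rules-style text."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].split("=", 1)[0]
            rulesets[current] = []
        elif line and current is not None:
            tokens = shlex.split(line)
            rulesets[current].append(tokens[1:] if tokens[0] == "add" else tokens)
    return rulesets

def visible(rulesets, name, dev, state=True, seen=()):
    """Apply rules in order; last matching hide/unhide wins (include target assumed last)."""
    for rule in rulesets.get(name, []):
        if "path" in rule and not fnmatch.fnmatchcase(dev, rule[rule.index("path") + 1]):
            continue
        if "include" in rule and rule[-1].lstrip("$") not in seen:
            state = visible(rulesets, rule[-1].lstrip("$"), dev, state, seen + (name,))
        elif "unhide" in rule:
            state = True
        elif "hide" in rule:
            state = False
    return state

def exposed_memory_devices(text, ruleset, devices=("mem", "kmem")):
    """List the memory devices a jail using `ruleset` would still see."""
    return [d for d in devices if visible(parse_rulesets(text), ruleset, d)]
```

Calling `exposed_memory_devices(SAMPLE, name)` for each ruleset assigned to a jail shows whether it ends up with `mem` or `kmem` visible, including through an include chain or a glob pattern.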