Multi-homing, jails, and source address selection
Stefan Bethke
stb at lassitu.de
Sat Mar 14 13:22:06 PDT 2009
On 14.03.2009 at 19:01, Bjoern A. Zeeb wrote:
> On Thu, 12 Mar 2009, Stefan Bethke wrote:
>
>> I'm having some trouble configuring a dual-homed jail host, running
>> -current from about 4 weeks ago.
>> ...
>> Is there any documentation on how source addresses are selected? I
>> thought I remembered that on unbound sockets the destination route
>> would be used to pick the first address of the outgoing interface
>> as the source address; the same address would be picked on
>> connecting a socket.
>
> sys/netinet/in_pcb.c:in_pcbladdr() is your friend -
> http://fxr.watson.org/fxr/source/netinet/in_pcb.c#L546
>
> This is the case you are running into:
> http://fxr.watson.org/fxr/source/netinet/in_pcb.c#L628
> /*
> * If the outgoing interface on the route found is not
> * a loopback interface, use the address from that interface.
> * In case of jails do those three steps:
> * 1. check if the interface address belongs to the jail. If so use it.
> * 2. check if we have any address on the outgoing interface
> * belonging to this jail. If so use it.
> * 3. as a last resort return the 'default' jail address.
> */
>
> so you are hitting "3." .
>
> I am not sure but I'd assume
> ifconfig tun0 10.0.63.3 10.0.63.255 alias
> would work, just not with the logic to create the IPs upon jail start
> (and we will not accept patches to handle that;).
This is what I figured is happening.
For the time being, I've gone back to single-homed; I'm using pf binat
rules to map public ips to the vpn ones for the jails. Not perfect,
but works for most cases. (The only really missing option is to bind
a service in the jail to VPN address only, so it's only accessible
over the VPN, but I can enforce that through pf or hosts.allow.)
Assigning aliases to tun0 appears to work too, but you need a distinct
destination address for each alias. Annoying.
Since I'm using "topology subnet" in OpenVPN, a point-to-point
interface is conceptually slightly off; a broadcast interface would
fit much nicer. This would also allow the standard rc.d/jail script
to do its magic, if the necessary tun settings could be applied
through ifconfig. Is there a specific reason this setting can only be
done through an ioctl on the dev node, instead of through ifconfig?
(Specifically TUNSIFMODE.)
Additionally, this opens the way to run OpenVPN inside a jail, since
all ifconfig and route setup would be done prior to OpenVPN starting
up. (tun also downs the interface if the dev node is closed, but I
have a feeling that could be mediated somewhat easily as well.)
Thanks,
Stefan
--
Stefan Bethke <stb at lassitu.de> Fon +49 151 14070811
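Added example (not part of the thread above, and not FreeBSD project code): a small probe that shows which source address the kernel actually picks for a given destination. connect(2) on a UDP socket performs the route lookup and local-address selection (the in_pcbladdr() path Bjoern points at) without transmitting anything, and getsockname(2) then reveals the chosen address. Run it on the host and again inside a jail (for instance via jexec) to see whether a destination lands on step 1, 2 or 3 of the quoted selection logic, before and after adding a tun0 alias. It is IPv4 only; the port number 53 is arbitrary and only there because connect() needs one.

```c
/* Added example: which source address would the kernel use to reach dst?
 * Nothing is sent on the wire; UDP connect() only binds the local side. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 0 and writes the selected source address (dotted quad) into out,
 * or -1 if dst is not a valid IPv4 address or no source could be chosen
 * (no route, jail has no usable address, ...); errno is left set by the
 * failing call in the latter case. */
int pick_source_addr(const char *dst, char *out, size_t outlen)
{
    struct sockaddr_in sin, local;
    socklen_t len = sizeof(local);
    int s, rc = -1;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(53);          /* arbitrary, nothing is transmitted */
    if (inet_pton(AF_INET, dst, &sin.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }

    s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;

    /* connect() on a datagram socket triggers route lookup and source
     * address selection in the kernel; getsockname() reads the result. */
    if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) == 0 &&
        getsockname(s, (struct sockaddr *)&local, &len) == 0 &&
        inet_ntop(AF_INET, &local.sin_addr, out, outlen) != NULL)
        rc = 0;

    close(s);
    return rc;
}

int main(int argc, char **argv)
{
    char buf[INET_ADDRSTRLEN];
    int i;

    if (argc < 2) {
        fprintf(stderr, "usage: %s dst-ip [dst-ip ...]\n", argv[0]);
        return 1;
    }
    for (i = 1; i < argc; i++) {
        if (pick_source_addr(argv[i], buf, sizeof(buf)) == 0)
            printf("%-15s -> source %s\n", argv[i], buf);
        else
            printf("%-15s -> no usable source (%s)\n", argv[i],
                   strerror(errno));
    }
    return 0;
}
```

Typical use when debugging the situation in the mail: compile with `cc -o srcaddr srcaddr.c`, then compare `./srcaddr 10.0.63.1 8.8.8.8` on the host against `jexec <jid> ./srcaddr 10.0.63.1 8.8.8.8`. A jail that answers with its "default" address for a VPN destination is hitting step 3; after `ifconfig tun0 ... alias` with the jail's VPN address it should report that address instead (step 1).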