Date: Thu, 18 Dec 2014 10:15:44 +0400
From: Alexander Lunev <sol289@gmail.com>
To: James Gritton <jamie@freebsd.org>
Cc: freebsd-jail@freebsd.org
Subject: Re: only lo0 interface inside jail, no default gw
Message-ID: <CABk4_A7Sia3QG-ROTmZBkqK2--38LaL8puX5Sj4pnTPMHu1psw@mail.gmail.com>
In-Reply-To: <0096d1968fd2758df224a9dea6934ddb@gritton.org>
References: <CABk4_A61y1m8hXXkOPEKSbzf74j64MNtYhfV59enVuJfPwQApQ@mail.gmail.com> <0096d1968fd2758df224a9dea6934ddb@gritton.org>
It's all my fault, I should sleep more: the firewall on gateway 10.1.1.1
didn't pass packets from 10.1.1.206 to NAT - I simply forgot to add that
address! All is working, in fib 0 and in other fibs.

On Wed, Dec 17, 2014 at 11:48 PM, James Gritton <jamie@freebsd.org> wrote:
>
> On 2014-12-16 10:35, Alexander Lunev wrote:
>
>> Hello everyone.
>>
>> I'm trying to build a jail environment on a new server with 10.1-R. I've done
>> that before on 9.2-R, but now I'm stuck with a strange network problem: no
>> matter how I configure the jail (old way through rc.conf jail_* variables or
>> via /etc/jail.conf), I don't see a default gateway in the jail's routing table.
>> At first I started with a more complex config using a separate fib for the jail,
>> but it's not working even without fibs (or in fib 0). So, here's what I
>> have in the host system:
>>
>> # netstat -rn
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> default            10.1.1.1           UGS        em0.4
>> 10.1.1.0/24        link#4             U          em0.4
>> 10.1.1.205         link#4             UHS          lo0
>> 10.1.1.206         link#4             UHS          lo0
>> 127.0.0.1          link#3             UH           lo0
>> 127.0.0.2          link#3             UH           lo0
>>
>> # ifconfig
>> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>
>> options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_
>> HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
>>         ether 00:30:48:c1:e1:b4
>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>         media: Ethernet autoselect (1000baseT <full-duplex>)
>>         status: active
>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>>         inet6 ::1 prefixlen 128
>>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>>         inet 127.0.0.1 netmask 0xff000000
>>         inet 127.0.0.2 netmask 0xff000000
>>         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>> em0.4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
>> 1500
>>         options=103<RXCSUM,TXCSUM,TSO4>
>>         ether 00:30:48:c1:e1:b4
>>         inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
>>         inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>         media: Ethernet autoselect (1000baseT <full-duplex>)
>>         status: active
>>         vlan: 4 parent interface: em0
>>
>> I can ping the Internet from the host via gateway 10.1.1.1
>>
>> And here's what I have in the jail:
>>
>> ====== BOF /etc/jail.conf =========
>> exec.start = "/bin/sh /etc/rc";
>> exec.stop = "/bin/sh /etc/rc.shutdown";
>> mount.devfs;
>> allow.raw_sockets;
>> path = "/usr/jails/$name";
>>
>> template {
>>         jid = 1;
>>         ip4.addr = "em0.4|10.1.1.206/24";
>>         ip4.addr += "lo0|127.0.0.2/8";
>>         host.hostname = template;
>> }
>> ====== EOF /etc/jail.conf =========
>>
>> # jexec 1 netstat -rn
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> 10.1.1.206         link#4             UHS          lo0
>> 127.0.0.2          link#3             UH           lo0
>>
>> I can ping the gateway from the jail
>>
>> # jexec 1 ping 10.1.1.1
>> PING 10.1.1.1 (10.1.1.1): 56 data bytes
>> 64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.366 ms
>> ^C
>>
>> But not the Internet or anything via routing.
>>
>> I have no default gateway in the jail - why? What have I missed in this new
>> jail implementation since 9.2-R?
>>
>
> The netstat output is no surprise. I don't know if it was before or
> after 9.2, but jails don't see routes that don't involve their own IP
> addresses, and that includes the default route.
>
> But that doesn't mean the default route isn't there. I have netstat
> output similar to yours, but packets still route as expected. I don't
> see anything in your jail.conf that looks wrong, so I'm afraid I can't
> say anything more than "it looks like it *should* work."
>
> - Jamie
>
>

-- 
your sweet isn't ready yet
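
Added example, not part of the original messages and not FreeBSD code: a small Python model of the two points in this thread, the jail's filtered view of the host routing table and the gateway NAT source list that turned out to be the real cause. The route rows and jail addresses are copied from the post; NAT_SOURCES and all function names are assumptions made up for illustration, since the thread does not show the gateway's rules.

```python
import ipaddress

# Host routing table as posted in the thread (netstat -rn, IPv4 section).
HOST_ROUTES = """\
default      10.1.1.1  UGS  em0.4
10.1.1.0/24  link#4    U    em0.4
10.1.1.205   link#4    UHS  lo0
10.1.1.206   link#4    UHS  lo0
127.0.0.1    link#3    UH   lo0
127.0.0.2    link#3    UH   lo0
"""

# Addresses from the ip4.addr lines of the posted jail.conf.
JAIL_ADDRS = ["10.1.1.206", "127.0.0.2"]

# Constructed for illustration: sources the gateway firewall passes to NAT.
# The thread does not show the real rule set.
NAT_SOURCES = ["10.1.1.205/32"]


def parse_routes(text):
    """Return (destination, gateway, flags, netif) tuples from netstat -rn rows."""
    return [tuple(line.split()[:4]) for line in text.splitlines() if line.strip()]


def jail_view(routes, jail_addrs):
    """Keep only rows whose destination is one of the jail's own addresses."""
    own = set(jail_addrs)
    return [r for r in routes if r[0] in own]


def not_natted(jail_addrs, nat_sources):
    """Non-loopback jail addresses that no gateway NAT source entry covers."""
    nets = [ipaddress.ip_network(s) for s in nat_sources]
    return [a for a in jail_addrs
            if not ipaddress.ip_address(a).is_loopback
            and not any(ipaddress.ip_address(a) in n for n in nets)]


if __name__ == "__main__":
    routes = parse_routes(HOST_ROUTES)
    for row in jail_view(routes, JAIL_ADDRS):
        print("jail sees:", *row)
    print("host default route:", [r for r in routes if r[0] == "default"])
    print("missing from gateway NAT list:", not_natted(JAIL_ADDRS, NAT_SOURCES))
```

The filtered view reproduces the `jexec 1 netstat -rn` output in the post, while the default route remains in the host table and is still used for the jail's traffic.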