Date:      Thu, 20 Nov 2008 18:23:56 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Eugene Grosbein <eugen@grosbein.pp.ru>
Cc:        freebsd-jail@freebsd.org, net@freebsd.org
Subject:   Re: jail translates destination IP?
Message-ID:  <20081120182035.H61259@maildrop.int.zabbadoz.net>
In-Reply-To: <20081120161440.GA3537@grosbein.pp.ru>
References:  <20081120161440.GA3537@grosbein.pp.ru>

On Thu, 20 Nov 2008, Eugene Grosbein wrote:

Hi,

freebsd-jail@ is a good place to ask jail questions as well.

> For some strange reason, RAW sockets (when allowed) and TCP behave
> very differently in jail (7.1-PRERELEASE). In host's rc.conf:
>
> jail_enable="YES"
> jail_list="test"
> jail_devfs_enable="YES"
> jail_test_rootdir="/mnt/big/jail/test"
> jail_test_hostname="myname.ru"
> jail_test_ip="192.168.0.1"
> jail_test_interface="lo0"
>
> "/etc/rc.d/jail start" does all right and I may rlogin into jail.
>
> In host environment I run tcpdump -np -i lo0.
> Inside jail I ping 127.0.0.1, it succeeds and tcpdump shows that requests
> go from 192.168.0.1 to 127.0.0.1 really. But when I try to telnet 127.0.0.1 25
> from jail, tcpdump shows that TCP SYN are sent to 192.168.0.1, so telnet fails.
>
> There is no NAT here. Is it a bug?

What happens with TCP is the expected behaviour.  I wonder more about
the raw socket case and am not sure this is correct.

jails try to "simulate" the non-existing loopback by re-writing the
IPs to the jail-IP, which obviously has other implications.
You should never be able to connect from inside the jail to the base
system's 127.0.0.1 loopback IP. This is a known "feature" (limitation)
of jails. Full network stack virtualization will no longer have that
problem.

/bz

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
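
The following is an added example, not part of the original message or of FreeBSD's code: a small C check that aims a TCP connection at 127.0.0.1 and reports the peer address the kernel actually used. The function name loopback_peer is hypothetical; on an unjailed host it reports 127.0.0.1, and per the behaviour described in the reply a jail like the one above is expected to report the jail IP instead.

```c
/* Added example: report the address the kernel really used for a TCP
 * connection aimed at 127.0.0.1. loopback_peer() is a hypothetical name. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listen on 127.0.0.1 (ephemeral port), connect to it, and store the peer
 * address seen by the client in peer. Returns 0 on success, -1 on error. */
int loopback_peer(char *peer, size_t len)
{
    struct sockaddr_in sa, got;
    socklen_t sl = sizeof(sa);
    int ls = -1, cs = -1, rc = -1;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* request 127.0.0.1 */

    if ((ls = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (bind(ls, (struct sockaddr *)&sa, sizeof(sa)) < 0) goto out;
    if (listen(ls, 1) < 0) goto out;
    /* Learn the port the kernel picked (and the address it bound). */
    if (getsockname(ls, (struct sockaddr *)&sa, &sl) < 0) goto out;

    /* Aim at 127.0.0.1 explicitly, whatever the listener was bound to. */
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if ((cs = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    if (connect(cs, (struct sockaddr *)&sa, sizeof(sa)) < 0) goto out;
    sl = sizeof(got);
    if (getpeername(cs, (struct sockaddr *)&got, &sl) < 0) goto out;
    if (inet_ntop(AF_INET, &got.sin_addr, peer, (socklen_t)len) == NULL) goto out;
    rc = 0;
out:
    if (cs >= 0) close(cs);
    if (ls >= 0) close(ls);
    return rc;
}

int main(void)
{
    char peer[INET_ADDRSTRLEN];
    if (loopback_peer(peer, sizeof(peer)) != 0) { perror("loopback_peer"); return 1; }
    printf("asked for 127.0.0.1, connected to %s\n", peer);
    return 0;
}
```

Any service that trusts a connection because it "comes from localhost" should be checked this way inside the jail, since the address it sees there is the jail IP, not the loopback address.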


