Date:      Thu, 18 Dec 2014 12:04:10 -0500
From:      Allan Jude <allanjude@freebsd.org>
To:        freebsd-jail@freebsd.org
Subject:   Re: only lo0 interface inside jail, no default gw
Message-ID:  <5493090A.8090109@freebsd.org>
In-Reply-To: <CABk4_A5_=1%2BVNb-xvOx%2BfaJwrA8VrhjUPhQKnK5FGM7FxY1Oaw@mail.gmail.com>
References:  <CABk4_A61y1m8hXXkOPEKSbzf74j64MNtYhfV59enVuJfPwQApQ@mail.gmail.com> <0096d1968fd2758df224a9dea6934ddb@gritton.org> <5491ED4F.4040002@freebsd.org> <CABk4_A5_=1%2BVNb-xvOx%2BfaJwrA8VrhjUPhQKnK5FGM7FxY1Oaw@mail.gmail.com>

On 2014-12-18 01:18, Alexander Lunev wrote:
> As I said in my message to Jamie Gritton, I found why the jails couldn't ping
> the internet - I forgot to add the jail's address to the table which is permitted to NAT.
>
> Why should the subnet mask be /32? What harm could be done if the subnet mask of an
> alias is the same as for the other address of that interface?
>
> On Wed, Dec 17, 2014 at 11:53 PM, Allan Jude <allanjude@freebsd.org> wrote:
>>
>> On 2014-12-17 15:48, James Gritton wrote:
>>> On 2014-12-16 10:35, Alexander Lunev wrote:
>>>> Hello everyone.
>>>>
>>>> I'm trying to build a jail environment on a new server with 10.1-R. I've done
>>>> that before on 9.2-R, but now I'm stuck with a strange network problem: no
>>>> matter how I configure the jail (old way through rc.conf jail_* variables or
>>>> via /etc/jail.conf), I don't see the default gateway in the jail's routing table.
>>>> At first I started with a more complex config using a separate fib for the jail,
>>>> but it's not working even without fibs (or in fib 0). So, here's what I
>>>> have in the host system:
>>>>
>>>> # netstat -rn
>>>> Routing tables
>>>>
>>>> Internet:
>>>> Destination        Gateway            Flags      Netif Expire
>>>> default            10.1.1.1           UGS       em0.4
>>>> 10.1.1.0/24        link#4             U         em0.4
>>>> 10.1.1.205         link#4             UHS         lo0
>>>> 10.1.1.206         link#4             UHS         lo0
>>>> 127.0.0.1          link#3             UH          lo0
>>>> 127.0.0.2          link#3             UH          lo0
>>>>
>>>> # ifconfig
>>>> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>>         options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
>>>>         ether 00:30:48:c1:e1:b4
>>>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>>>         media: Ethernet autoselect (1000baseT <full-duplex>)
>>>>         status: active
>>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>>>>         inet6 ::1 prefixlen 128
>>>>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>>>>         inet 127.0.0.1 netmask 0xff000000
>>>>         inet 127.0.0.2 netmask 0xff000000
>>>>         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>>>> em0.4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>>         options=103<RXCSUM,TXCSUM,TSO4>
>>>>         ether 00:30:48:c1:e1:b4
>>>>         inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
>>>>         inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
>>>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>>>         media: Ethernet autoselect (1000baseT <full-duplex>)
>>>>         status: active
>>>>         vlan: 4 parent interface: em0
>>>>
>>>> I can ping internet from a host via gateway 10.1.1.1
>>>>
>>>> And here's what I have in the jail:
>>>>
>>>> ====== BOF /etc/jail.conf =========
>>>> exec.start = "/bin/sh /etc/rc";
>>>> exec.stop = "/bin/sh /etc/rc.shutdown";
>>>> mount.devfs;
>>>> allow.raw_sockets;
>>>> path = "/usr/jails/$name";
>>>>
>>>> template {
>>>>     jid = 1;
>>>>     ip4.addr = "em0.4|10.1.1.206/24";
>>>>     ip4.addr += "lo0|127.0.0.2/8";
>>>>     host.hostname = template;
>>>> }
>>>> ====== EOF /etc/jail.conf =========
>>>>
>>>> # jexec 1 netstat -rn
>>>> Routing tables
>>>>
>>>> Internet:
>>>> Destination        Gateway            Flags      Netif Expire
>>>> 10.1.1.206         link#4             UHS         lo0
>>>> 127.0.0.2          link#3             UH          lo0
>>>>
>>>> I can ping gateway from jail
>>>>
>>>> # jexec 1 ping 10.1.1.1
>>>> PING 10.1.1.1 (10.1.1.1): 56 data bytes
>>>> 64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.366 ms
>>>> ^C
>>>>
>>>> But not the Internet or anything via routing.
>>>>
>>>> I have no default gateway in the jail - why? What have I missed in this new
>>>> jail implementation since 9.2-R?
>>>
>>> The netstat output is no surprise.  I don't know if it was before or
>>> after 9.2, but jails don't see routes that don't involve their own IP
>>> addresses, and that includes the default route.
>>>
>>> But that doesn't mean the default route isn't there.  I have netstat
>>> output similar to yours, but packets still route as expected.  I don't
>>> see anything in your jail.conf that looks wrong, so I'm afraid I can't
>>> say anything more than "it looks like it *should* work."
>>>
>>> - Jamie
>>>
>>> _______________________________________________
>>> freebsd-jail@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>
>> The subnet mask of an alias should always be /32, not the actual subnet
>> mask
>>
>> Try that change in jail.conf, it should sort the issue.
>>
>> --
>> Allan Jude
>>
>>
>

If you have 2 IPs in the same subnet, with the subnet mask, then the
routing table may have trouble deciding which to use to access the
default gateway.

--
Allan Jude
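
Added example, not part of the original message or of FreeBSD: a check that applies the /32-alias rule from the reply to `ifconfig` output and reports every address after the first that repeats a subnet on the same interface with a wider mask. The function names are hypothetical and the sample input is constructed from the ifconfig output quoted in the thread.

```python
import ipaddress
import re

# Constructed sample: lo0 and em0.4 stanzas taken from the ifconfig output quoted above.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xff000000
em0.4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
        inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]{8})")

def parse_inet(text):
    """Return {interface: [IPv4Interface, ...]} in the order ifconfig lists them."""
    addrs, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            addrs[iface] = []
            continue
        m = INET_RE.match(line)          # "inet6" lines do not match
        if m and iface is not None:
            prefix = bin(int(m.group(2), 16)).count("1")   # hex netmask -> prefix length
            addrs[iface].append(ipaddress.ip_interface(f"{m.group(1)}/{prefix}"))
    return addrs

def overlapping_aliases(text):
    """Return (interface, address, suggested ip4.addr value) for each non-/32 alias
    whose subnet was already configured on the same interface."""
    findings = []
    for iface, ifaddrs in parse_inet(text).items():
        seen = set()
        for a in ifaddrs:
            if a.network.prefixlen != 32 and a.network in seen:
                findings.append((iface, str(a), f"{iface}|{a.ip}/32"))
            seen.add(a.network)
    return findings

if __name__ == "__main__":
    for iface, addr, fix in overlapping_aliases(SAMPLE_IFCONFIG):
        print(f'{iface}: alias {addr} repeats the subnet; use ip4.addr = "{fix}";')
```
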

