Date:      Wed, 13 Aug 2008 14:10:04 GMT
From:      Vedad KAJTAZ <vedad@kajtaz.net>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/126493: Established connections from other IP's appear in jail's netstat output
Message-ID:  <200808131410.m7DEA4Ji088649@freefall.freebsd.org>

The following reply was made to PR kern/126493; it has been noted by GNATS.

From: Vedad KAJTAZ <vedad@kajtaz.net>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/126493: Established connections from other IP's appear in
 jail's netstat output
Date: Wed, 13 Aug 2008 15:46:18 +0200

 Bjoern A. Zeeb a écrit :
 > On Wed, 13 Aug 2008, Vedad KAJTAZ wrote:
 > 
 >>> Description:
 >> A jail running with IP1 can sometimes see established connections
 >> between IP2 (used by another jail) and a remote host, in its netstat
 >> output.
 >>
 >> In my case:
 >>
 >> wendy.osilex.net is a jail that was assigned IP 87.98.200.163
 >> ike.osilex.net is a jail that was assigned IP 87.98.200.164
 >>
 >> [root@ike /]$ netstat -n
 >> netstat: kvm not available: /dev/mem: No such file or directory
 >> Active Internet connections
 >> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
 >> tcp4       0      0  87.98.200.163.25       85.237.44.155.4245     SYN_RCVD
 > 
 > Are you sure you are not inside wendy running your test?
 > 
 
 Hi,
 
 Yes, I'm totally sure. That is why I also pasted the shell prompt line
 into the report.
 
 Here is another example:
 
 [root@ike vhosts]$ netstat -n -a
 netstat: kvm not available: /dev/mem: No such file or directory
 Active Internet connections (including servers)
 Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
 tcp4       0      0  87.98.200.163.110      213.41.184.164.21138   SYN_RCVD
 tcp4       0      0  87.98.200.164.443      *.*                    LISTEN
 tcp4       0      0  87.98.200.164.80       *.*                    LISTEN
 tcp4       0      0  87.98.200.164.21       *.*                    LISTEN
 
 
 Above you can see both IPs in a single netstat output.
 
 And yes, ike (.164) is a jail:
 
 [root@ike vhosts]$ sysctl -a | grep jailed
 security.jail.jailed: 1
 
 
 Btw, after doing a lot of netstats on "ike", it appears that connections
 from other IPs become visible only when they're *not* in
 ESTABLISHED/LISTEN state (wendy, .163, is an SMTP/IMAP server; it
 averages 2+ connections per second).
 
 Also note that there was some kind of leak that made killing the "wendy"
 jail impossible some time ago, therefore wendy now appears twice in
 "jls" output on the host (kenny) system. It might be somehow related:
 
 [root@kenny ~]$ jls
     JID  IP Address      Hostname                      Path
      31  87.98.200.164   ike.osilex.net                /usr/local/jails/ike
      25  87.98.200.163   wendy.osilex.net              /usr/local/jails/wendy
      22  87.98.200.163   wendy.osilex.net              /usr/local/jails/wendy
 
 (3 other jails snipped)
 
 Hope this helps,
 
 Best regards,
 
 -- 
 Vedad KAJTAZ
 Conseil en systèmes informatiques
 
 vedad@kajtaz.net
 http://vedad.kajtaz.net/
 8 Av. du Président Roosevelt
 94120 Fontenay-sous-bois, FRANCE
 GSM: +33 6 74 89 32 12
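As an added check (not part of the PR or of the reply above), a small sh/awk filter that flags rows in a jail's `netstat -n -a` output whose local IP is not among the IPs the jail was assigned, which is exactly the symptom the report describes. The function names are mine, the sample rows are constructed from the "ike" output quoted above, and the parser assumes FreeBSD's `netstat -n` layout (addresses printed as IP.port):

```shell
# Added example, not from the PR or its author: flag rows in a jail's
# netstat output whose local IP is not one of the jail's assigned IPs.
# Assumes FreeBSD netstat -n formatting (local/foreign as IP.port).

# Constructed sample, modelled on the "ike" output quoted in the reply.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  87.98.200.163.110      213.41.184.164.21138   SYN_RCVD
tcp4       0      0  87.98.200.164.443      *.*                    LISTEN
tcp4       0      0  87.98.200.164.80       *.*                    LISTEN
tcp4       0      0  87.98.200.164.21       *.*                    LISTEN
EOF
}

# foreign_jail_sockets "IP [IP ...]" reads netstat rows on stdin and prints
# every IPv4 TCP/UDP row whose local address belongs to none of those IPs.
# (tcp6/udp6 rows are skipped: the port-stripping below is IPv4-only.)
foreign_jail_sockets() {
    awk -v own="$1" '
        BEGIN { n = split(own, a, " "); for (i = 1; i <= n; i++) mine[a[i]] = 1 }
        $1 ~ /^(tcp|udp)4$/ {
            laddr = $4
            sub(/\.[^.]*$/, "", laddr)      # drop the trailing .port
            if (laddr == "*") next          # wildcard bind: nothing to compare
            if (!(laddr in mine)) print "FOREIGN: " $0
        }'
}

# Number of foreign rows in the sample for the given jail IPs
# (0 means the jail only sees its own sockets, as expected).
count_foreign() {
    sample_netstat | foreign_jail_sockets "$1" | grep -c '^FOREIGN:' || true
}
```

On a live system replace `sample_netstat` with `netstat -n -a` run inside the jail and pass the IP(s) that `jls` lists for it; any FOREIGN row is a socket the jail should not be able to see.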