From owner-freebsd-bugs@FreeBSD.ORG Wed Aug 13 14:10:04 2008
Date: Wed, 13 Aug 2008 14:10:04 GMT
Message-Id: <200808131410.m7DEA4Ji088649@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Vedad KAJTAZ
Subject: Re: kern/126493: Established connections from other IP's appear in jail's netstat output

The following reply was made to PR kern/126493; it has been noted by GNATS.

From: Vedad KAJTAZ
To: "Bjoern A. Zeeb"
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/126493: Established connections from other IP's appear in jail's netstat output
Date: Wed, 13 Aug 2008 15:46:18 +0200

Bjoern A. Zeeb wrote:
> On Wed, 13 Aug 2008, Vedad KAJTAZ wrote:
>
>>> Description:
>> A jail running with IP1 can sometimes see established connections
>> between IP2 (used by another jail) and a remote host, in its netstat
>> output.
>>
>> In my case:
>>
>> wendy.osilex.net is a jail that was assigned IP 87.98.200.163
>> ike.osilex.net is a jail that was assigned IP 87.98.200.164
>>
>> [root@ike /]$ netstat -n
>> netstat: kvm not available: /dev/mem: No such file or directory
>> Active Internet connections
>> Proto Recv-Q Send-Q Local Address Foreign Address (state)
>> tcp4 0 0 87.98.200.163.25 85.237.44.155.4245 SYN_RCVD
>
> Are you sure you are not inside wendy running your test?
>

Hi,

Yes, I'm totally sure. That is why I also pasted the shell prompt line into the report.

Here is another example:

[root@ike vhosts]$ netstat -n -a
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 87.98.200.163.110 213.41.184.164.21138 SYN_RCVD
tcp4 0 0 87.98.200.164.443 *.* LISTEN
tcp4 0 0 87.98.200.164.80 *.* LISTEN
tcp4 0 0 87.98.200.164.21 *.* LISTEN

Above you can see both IPs in a single netstat output. And yes, ike (.164) is a jail:

[root@ike vhosts]$ sysctl -a | grep jailed
security.jail.jailed: 1

Btw, after doing a lot of netstats on "ike", it appears that connections from other IPs become visible only when they're *not* in ESTABLISHED/LISTEN state (wendy, .163, is an SMTP/IMAP server; it has on average 2+ connections per second).

Also note that there was some kind of leak that made killing the "wendy" jail impossible some time ago, therefore wendy now appears twice in "jls" output on the host (kenny) system. It might be somehow related:

[root@kenny ~]$ jls
JID IP Address Hostname Path
31 87.98.200.164 ike.osilex.net /usr/local/jails/ike
25 87.98.200.163 wendy.osilex.net /usr/local/jails/wendy
22 87.98.200.163 wendy.osilex.net /usr/local/jails/wendy
(3 other jails snipped)

Hope this helps,

Best regards,
--
Vedad KAJTAZ
IT systems consultant
vedad@kajtaz.net
http://vedad.kajtaz.net/
8 Av. du Président Roosevelt
94120 Fontenay-sous-bois, FRANCE
GSM: +33 6 74 89 32 12
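As an added example (not part of the PR, nor FreeBSD's own tooling), two checks an operator could run over the kind of output quoted in this thread: inside a jail, flag netstat entries whose local address is not the jail's own IP, and on the host, flag IPs that jls lists under more than one JID. The embedded samples are the report's own netstat and jls output, and the column layout is assumed to match them.

```shell
#!/bin/sh
# Added example, not from the PR. Both checks parse the column layout shown
# in the report (netstat -n -a and jls on FreeBSD 7-era systems).

# Sample netstat output copied from the report (jail "ike" holds 87.98.200.164).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 87.98.200.163.110 213.41.184.164.21138 SYN_RCVD
tcp4 0 0 87.98.200.164.443 *.* LISTEN
tcp4 0 0 87.98.200.164.80 *.* LISTEN
tcp4 0 0 87.98.200.164.21 *.* LISTEN'

# Sample jls output copied from the report (host "kenny").
SAMPLE_JLS='JID IP Address Hostname Path
31 87.98.200.164 ike.osilex.net /usr/local/jails/ike
25 87.98.200.163 wendy.osilex.net /usr/local/jails/wendy
22 87.98.200.163 wendy.osilex.net /usr/local/jails/wendy'

# foreign_local_entries JAIL_IP  < netstat-output
# Prints every IPv4 socket line whose local address is not JAIL_IP, i.e.
# socket state a jail confined to one IP should never be able to observe.
foreign_local_entries() {
    awk -v ip="$1" '
        $1 ~ /^(tcp|udp)4$/ {
            local = $4
            sub(/\.[^.]*$/, "", local)      # drop the trailing ".port"
            if (local != "*" && local != ip) print
        }'
}

# duplicate_jail_ips  < jls-output
# Prints each IP that jls lists under more than one JID (the "wendy appears
# twice" condition from the report), skipping the header line.
duplicate_jail_ips() {
    awk 'NR > 1 { seen[$2]++ } END { for (a in seen) if (seen[a] > 1) print a }'
}

# Helpers over the embedded samples so the checks run offline.
count_foreign_in_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | foreign_local_entries "$1" | wc -l | tr -d ' '
}
duplicate_jail_ips_in_sample() {
    printf '%s\n' "$SAMPLE_JLS" | duplicate_jail_ips
}

# Live use: inside the jail  netstat -n -a | foreign_local_entries 87.98.200.164
#           on the host      jls | duplicate_jail_ips
printf 'foreign entries seen from ike: %s\n' "$(count_foreign_in_sample 87.98.200.164)"
printf 'IPs with duplicate JIDs: %s\n' "$(duplicate_jail_ips_in_sample)"
```

The netstat filter deliberately ignores `*.*` wildcard listeners, so only sockets bound to a concrete non-jail address are reported.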