From owner-freebsd-bugs@FreeBSD.ORG Fri Sep 22 00:40:25 2006
Message-Id: <200609220033.k8M0X6GE036968@www.freebsd.org>
Date: Fri, 22 Sep 2006 00:33:06 GMT
From: Matt Simerson
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/103464: jail networking failures to 127.0.0.1 only
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org

>Number:         103464
>Category:       kern
>Synopsis:       jail networking failures to 127.0.0.1 only
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 22 00:40:21 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Matt Simerson
>Release:        FreeBSD 6.1-RELEASE-p6
>Organization:   tnpi
>Environment:
FreeBSD jail11 6.1-RELEASE-p6 FreeBSD 6.1-RELEASE-p6 #1: Sun Sep 17 19:00:32 CDT 2006 root@jails.cadillac.net:/usr/obj/usr/src/sys/SMP i386
>Description:
DNS requests sent from a jail to the host (which is running dnscache) fail.

Details:

The FreeBSD host has two interfaces of concern:

    em0: flags=8843 mtu 1500
            options=b
            inet 10.0.1.219 netmask 0xffffff00 broadcast 10.0.1.255
            inet 10.0.1.160 netmask 0xffffffff broadcast 10.0.1.160
            inet 10.0.1.161 netmask 0xffffffff broadcast 10.0.1.161
            media: Ethernet autoselect (1000baseTX )
            status: active
    lo0: flags=8049 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet 127.0.0.2 netmask 0xffffffff
            inet 127.0.0.3 netmask 0xffffffff

I configured dnscache on 127.0.0.1 and permitted all hosts on the 127 network to access it. DNS queries from the host OS work perfectly, as expected:

    host-os# dig www.freebsd.org. @127.0.0.1
    ;; ANSWER SECTION:
    www.freebsd.org.        3590    IN      A       216.136.204.117

..but queries from a jail running on 127.0.0.2 fail.

    mysql# dig www.freebsd.org. @127.0.0.1
    ; <<>> DiG 9.3.2 <<>> www.freebsd.org. @127.0.0.1
    ; (1 server found)
    ;; connection timed out; no servers could be reached

..so then I tried creating another jail on one of the 10. addresses. I get exactly the same results; no DNS queries work.

So I moved the DNS resolver from 127.0.0.1 to 10.0.1.219. Once it was listening on a 10 net address, all jails could resolve queries using it. Then, thinking it was something specific to the loopback interface, I moved the resolver to 127.0.0.2, but it still works! So, the only address that causes this problem is the special 127.0.0.1.

Then, just for grins, I decided to see what was happening to the requests. 10.0.1.161 is the jailed host sending the DNS request.

    host-os# tcpdump -i lo0 port 53
    19:29:15.021769 IP localhost.cadillac.net.64402 > localhost.cadillac.net.domain: 34780+ PTR? 161.1.0.10.in-addr.arpa. (41)
    19:29:15.022086 IP localhost.cadillac.net.domain > localhost.cadillac.net.64402: 34780 NXDomain* 0/0/0 (41)
    19:29:19.204934 IP 10.0.1.161.51344 > 10.0.1.161.domain: 40192+ A? www.freebsd.org. (33)
    19:29:24.205913 IP 10.0.1.161.51344 > 10.0.1.161.domain: 40192+ A? www.freebsd.org. (33)

...and dnscache actually gets the request:

    2006-09-21 19:29:15.021908500 query 9 7f000001:fb92:87dc 12 161.1.0.10.in-addr.arpa.
    19:29:14.204174 IP 10.0.1.161.51344 > 10.0.1.161.domain: 40192+ A? www.freebsd.org. (33)
    2006-09-21 19:29:15.022088500 cached nxdomain 161.1.0.10.in-addr.arpa.
    2006-09-21 19:29:15.022211500 sent 9 41

...but the DNS client never receives the answer. So, the request actually does make it from the jail to the host, but when I ran tcpdump on em0 (the interface the jail is on), there is no response going back to the jail.
>How-To-Repeat:
1. Install FreeBSD 6.1 - std install
2. Install a DNS resolver (BIND or dnscache) on 127.0.0.1
3. Create a jail on any interface, using any IP on the box
4. Log into the jail and attempt to resolve DNS queries using the DNS cache on 127.0.0.1: (dig www.freebsd.org. @127.0.0.1)
5. Witness the failure.
6. Move the DNS cache to any other IP.
7. Witness it work.
>Fix:
Fix the code, or document the limitation. A workaround is not to run services (perhaps only DNS?) on 127.0.0.1 but on another IP, such as 127.0.0.2.
>Release-Note:
>Audit-Trail:
>Unformatted:
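As an added example (not part of the PR and not FreeBSD code), here is a small Python script that parses the `tcpdump -i lo0 port 53` lines quoted in the report, pairs each query with its reply by client address, client port and DNS transaction id, and lists the transactions that never got an answer. Run on the report's capture it singles out transaction 40192, retried twice with 10.0.1.161 as both source and destination, which is consistent with the jail's 127.0.0.1 being translated to the jail's own address, as single-address jails of that FreeBSD era did with loopback addresses. The capture text is copied from the PR as sample input; the function names are my own.

```python
import re
from collections import defaultdict

# Sample input: the 'tcpdump -i lo0 port 53' lines quoted in the PR.
CAPTURE = """\
19:29:15.021769 IP localhost.cadillac.net.64402 > localhost.cadillac.net.domain: 34780+ PTR? 161.1.0.10.in-addr.arpa. (41)
19:29:15.022086 IP localhost.cadillac.net.domain > localhost.cadillac.net.64402: 34780 NXDomain* 0/0/0 (41)
19:29:19.204934 IP 10.0.1.161.51344 > 10.0.1.161.domain: 40192+ A? www.freebsd.org. (33)
19:29:24.205913 IP 10.0.1.161.51344 > 10.0.1.161.domain: 40192+ A? www.freebsd.org. (33)
"""

# 'timestamp IP src.port > dst.port: txid<rest>'; the rest distinguishes a
# query ('+ A? name') from a reply ('NXDomain* 0/0/0', '1/0/0 A 1.2.3.4').
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)(?P<rest>.*)$")
QUERY_RE = re.compile(r"^\+?\s*(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)")


def split_endpoint(endpoint):
    """'10.0.1.161.51344' -> ('10.0.1.161', '51344'); tcpdump prints the port after the last dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_line(line):
    """Parse one tcpdump DNS line; return None for lines that are not DNS packets."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    q = QUERY_RE.match(m.group("rest"))
    return {
        "ts": m.group("ts"),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "id": int(m.group("id")),
        "is_query": q is not None,
        "qtype": q.group("qtype") if q else None,
        "name": q.group("name") if q else None,
    }


def analyze(capture):
    """Pair queries with replies by (client host, client port, transaction id)
    and summarise each transaction, in transaction-id order."""
    txns = defaultdict(lambda: {"queries": [], "responses": []})
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["is_query"]:
            txns[(pkt["src"], pkt["sport"], pkt["id"])]["queries"].append(pkt)
        else:  # a reply travels server -> client, so the client is the destination
            txns[(pkt["dst"], pkt["dport"], pkt["id"])]["responses"].append(pkt)

    findings = []
    for (client, port, txid), t in sorted(txns.items(), key=lambda kv: kv[0][2]):
        if not t["queries"]:
            continue  # reply whose query was not captured; nothing to say about it
        first = t["queries"][0]
        findings.append({
            "id": txid,
            "client": client,
            "server": first["dst"],
            "qtype": first["qtype"],
            "name": first["name"],
            "attempts": len(t["queries"]),      # retries carry the same txid
            "answered": bool(t["responses"]),
            # The tell-tale in the report: the jail's query to 127.0.0.1 shows up
            # with the jail's own address as both source and destination.
            "same_host": first["src"] == first["dst"],
        })
    return findings


def unanswered(findings):
    """Transactions that were retried or timed out without any captured reply."""
    return [f for f in findings if not f["answered"]]


if __name__ == "__main__":
    for f in analyze(CAPTURE):
        status = "answered" if f["answered"] else f"NO REPLY after {f['attempts']} attempt(s)"
        note = " (src == dst)" if f["same_host"] else ""
        print(f"txid {f['id']:>5} {f['qtype']:<4} {f['name']:<32} {f['client']} -> {f['server']}{note}: {status}")
```

The script reads the capture from the embedded string; feeding it `tcpdump -n` output from a real host works the same way as long as the lines keep tcpdump's default DNS summary format. The unanswered, same-host transaction is the thing to look for when a jailed service cannot reach something bound only to 127.0.0.1, and it points straight at the workaround the PR proposes: bind the service to another address such as 127.0.0.2.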