From: Mark Felder
To: freebsd-jail@freebsd.org
Date: Mon, 9 Apr 2012 11:20:59 -0500
Subject: Jail source address selection broken, patch for ping

Hello,

This weekend I was deploying our monitoring server into a 32bit FreeBSD jail on a 64bit install. This was necessary because we needed the newer hardware but couldn't migrate the RRDs to 64bit format without breaking other machines that rely on the RRD files and are still 32bit.

Our monitoring server is fairly extensive and talks to many different VLANs and subnets. As a result, IPs on these different VLAN interfaces were passed through to the jail. I noticed pretty quickly that for some reason PINGs were not able to reach many subnets even though I am allowing raw sockets. After doing some traffic sniffing I was able to determine that the source IP address was incorrect.

By pure chance I was able to contact bz@ and he provided me with a patch for ping based on his recent work on a similar issue with traceroute. This solved my problem with the system ping utility, but my tests with fping and the ping utility included with our monitoring software still exhibited the same issue.

bz informed me that he believes he knows where the bug is in the kernel -- I believe he pointed me to the area of sys/netinet/ip_raw.c around line 461. Jails are getting the first IP as a source no matter what.

Anyway, attached is the patch he asked me to post to the mailing list for those that need a workaround for ping.
I'm sure fixing this in the kernel will probably require further discussion among those with actual programming skills :-)

Cheers,
Mark

[Attachment: 20120407-01-ping-source-addr.diff]
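
As an added example (not the attached patch and not FreeBSD's own code): one userland way to avoid relying on the raw socket's default source is to ask the kernel which local address it would use for a destination, then bind the raw socket to that address explicitly. The helper name `kernel_source_for` and the connected-UDP probe are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * kernel_source_for() is a hypothetical helper written for this example.
 * connect(2) on a UDP socket sends nothing; it only makes the kernel pick
 * a local address for dst, which getsockname(2) then reports.
 * Returns 0 and fills *src on success, -1 on failure.
 */
int
kernel_source_for(const char *dst, struct in_addr *src)
{
	struct sockaddr_in to, from;
	socklen_t len = sizeof(from);
	int s, rc = -1;

	memset(&to, 0, sizeof(to));
	to.sin_family = AF_INET;
	to.sin_port = htons(33434);	/* arbitrary; no datagram is sent */
	if (inet_pton(AF_INET, dst, &to.sin_addr) != 1)
		return (-1);
	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		return (-1);
	if (connect(s, (struct sockaddr *)&to, sizeof(to)) == 0 &&
	    getsockname(s, (struct sockaddr *)&from, &len) == 0 &&
	    len == sizeof(from) && from.sin_family == AF_INET) {
		*src = from.sin_addr;
		rc = 0;
	}
	close(s);
	return (rc);
}

int
main(void)
{
	struct in_addr src;
	char buf[INET_ADDRSTRLEN];
	/* 127.0.0.1 is a constructed sample destination. */
	if (kernel_source_for("127.0.0.1", &src) != 0)
		return (1);
	/* A ping-like tool would bind(2) its raw socket to src here. */
	printf("source: %s\n", inet_ntop(AF_INET, &src, buf, sizeof(buf)));
	return (0);
}
```

Run inside a multi-address jail against destinations on different subnets, the reported source can be compared with the source seen in a packet capture of the raw-socket tool.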