From owner-freebsd-jail@FreeBSD.ORG Tue Dec 16 17:35:30 2014
From: Alexander Lunev
Date: Tue, 16 Dec 2014 20:35:08 +0300
Subject: only lo0 interface inside jail, no default gw
To: freebsd-jail@freebsd.org
List-Id: "Discussion about FreeBSD jail\(8\)"

Hello everyone.

I'm trying to build a jail environment on a new server with 10.1-R. I've
done that before on 9.2-R, but now I'm stuck with a strange network problem:
no matter how I configure the jail (the old way through rc.conf jail_*
variables or via /etc/jail.conf), I don't see the default gateway in the
jail's routing table. At first I started with a more complex config using a
separate fib for the jail, but it's not working even without fibs (or in
fib 0). So, here's what I have in the host system:

# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            10.1.1.1           UGS        em0.4
10.1.1.0/24        link#4             U          em0.4
10.1.1.205         link#4             UHS        lo0
10.1.1.206         link#4             UHS        lo0
127.0.0.1          link#3             UH         lo0
127.0.0.2          link#3             UH         lo0

# ifconfig
em0: flags=8843 metric 0 mtu 1500
        options=4219b
        ether 00:30:48:c1:e1:b4
        nd6 options=29
        media: Ethernet autoselect (1000baseT )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        options=600003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xff000000
        nd6 options=21
em0.4: flags=8843 metric 0 mtu 1500
        options=103
        ether 00:30:48:c1:e1:b4
        inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
        inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
        nd6 options=29
        media: Ethernet autoselect (1000baseT )
        status: active
        vlan: 4 parent interface: em0

I can ping the Internet from the host via gateway 10.1.1.1

And here's what I have in the jail:

====== BOF /etc/jail.conf =========
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;
allow.raw_sockets;
path = "/usr/jails/$name";

template {
        jid = 1;
        ip4.addr = "em0.4|10.1.1.206/24";
        ip4.addr += "lo0|127.0.0.2/8";
        host.hostname = template;
}
====== EOF /etc/jail.conf =========

# jexec 1 netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
10.1.1.206         link#4             UHS        lo0
127.0.0.2          link#3             UH         lo0

I can ping the gateway from the jail

# jexec 1 ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.366 ms
^C

But not the Internet or anything via routing.

I have no default gateway in the jail - why? What have I missed in this new
jail implementation since 9.2-R?

-- 
your sweet isn't ready yet

From owner-freebsd-jail@FreeBSD.ORG Wed Dec 17 20:48:53 2014
From: James Gritton
Date: Wed, 17 Dec 2014 13:48:45 -0700
Subject: Re: only lo0 interface inside jail, no default gw
To: freebsd-jail@freebsd.org

The netstat output is no surprise. I don't know if it was before or
after 9.2, but jails don't see routes that don't involve their own IP
addresses, and that includes the default route.

But that doesn't mean the default route isn't there. I have netstat
output similar to yours, but packets still route as expected. I don't
see anything in your jail.conf that looks wrong, so I'm afraid I can't
say anything more than "it looks like it *should* work."

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Wed Dec 17 20:53:35 2014
From: Allan Jude
Date: Wed, 17 Dec 2014 15:53:35 -0500
Subject: Re: only lo0 interface inside jail, no default gw
To: freebsd-jail@freebsd.org

The subnet mask of an alias should always be /32, not the actual subnet
mask

Try that change in jail.conf, it should sort the issue.

-- 
Allan Jude

From owner-freebsd-jail@FreeBSD.ORG Thu Dec 18 06:16:05 2014
From: Alexander Lunev
Date: Thu, 18 Dec 2014 10:15:44 +0400
Subject: Re: only lo0 interface inside jail, no default gw
To: James Gritton
Cc: freebsd-jail@freebsd.org

It's all my fault, I should sleep more: the firewall on gateway 10.1.1.1
didn't pass packets from 10.1.1.206 to NAT - I simply forgot to add that
address! All is working, in fib 0 and in other fibs.

-- 
your sweet isn't ready yet

From owner-freebsd-jail@FreeBSD.ORG Thu Dec 18 06:18:40 2014
From: Alexander Lunev
Date: Thu, 18 Dec 2014 10:18:19 +0400
Subject: Re: only lo0 interface inside jail, no default gw
To: Allan Jude
Cc: freebsd-jail@freebsd.org

As I said in my message to Jamie Gritton, I found why jails couldn't ping
the Internet - I forgot to add the jail's address to the table which is
permitted to NAT.

Why should the subnet mask be /32? What harm could be done if the subnet
mask of an alias is the same as for the other address of that interface?

-- 
your sweet isn't ready yet

From owner-freebsd-jail@FreeBSD.ORG Thu Dec 18 17:04:00 2014
From: Allan Jude
Date: Thu, 18 Dec 2014 12:04:10 -0500
Subject: Re: only lo0 interface inside jail, no default gw
To: freebsd-jail@freebsd.org

If you have 2 IPs in the same subnet, with the subnet mask, then the
routing table may have trouble deciding which to use to access the
default gateway.

-- 
Allan Jude
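
Added example (not part of the thread and not code from any of the posters): a POSIX sh/awk check for the situation Allan Jude's replies describe, two IPv4 addresses on one interface in the same subnet where the alias carries the full subnet mask instead of /32. It runs over a constructed sample that repeats the inet lines of the ifconfig output in the first message; the function names sample_ifconfig and check_alias_masks are made up for this example, and FreeBSD-style ifconfig output with hexadecimal netmasks is assumed.

```sh
#!/bin/sh
# Added example: flag IPv4 aliases that share a subnet with an earlier address
# on the same interface but do not use a /32 (0xffffffff) netmask.

# Constructed sample: interface and inet lines taken from the ifconfig output
# quoted in the first message of the thread.
sample_ifconfig() {
cat <<'EOF'
em0: flags=8843 metric 0 mtu 1500
        ether 00:30:48:c1:e1:b4
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xff000000
em0.4: flags=8843 metric 0 mtu 1500
        inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
        inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
EOF
}

# Reads ifconfig-style text on stdin and prints one line per offending alias:
#   <interface> <address> /<current prefix> <suggested jail.conf ip4.addr value>
check_alias_masks() {
    awk '
    # Convert a hexadecimal netmask such as 0xffffff00 to a number.
    function hex2num(h,    i, n, c) {
        h = tolower(h); sub(/^0x/, "", h); n = 0
        for (i = 1; i <= length(h); i++) {
            c = index("0123456789abcdef", substr(h, i, 1)) - 1
            n = n * 16 + c
        }
        return n
    }
    # Convert a dotted quad to a number.
    function ip2num(ip,    p) {
        split(ip, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    # Prefix length of a contiguous netmask given as a number.
    function prefixlen(m,    host, bits) {
        host = 4294967295 - m; bits = 0
        while (host >= 1) { host = int(host / 2); bits++ }
        return 32 - bits
    }
    # Interface header line, e.g. "em0.4: flags=...".
    /^[^ \t]+: flags=/ { ifname = $1; sub(/:$/, "", ifname); next }
    # IPv4 address line, e.g. "inet 10.1.1.206 netmask 0xffffff00 ...".
    $1 == "inet" && $3 == "netmask" {
        plen = prefixlen(hex2num($4))
        if (plen == 32) next              # already a host-mask alias
        net = int(ip2num($2) / 2 ^ (32 - plen))
        key = ifname SUBSEP plen SUBSEP net
        if (key in seen) {
            # A second address in the same subnet with the full subnet mask.
            printf "%s %s /%d %s|%s/32\n", ifname, $2, plen, ifname, $2
        } else {
            seen[key] = $2
        }
    }'
}

# Run over the constructed sample; on a real host use: ifconfig | check_alias_masks
# Prints:
#   lo0 127.0.0.2 /8 lo0|127.0.0.2/32
#   em0.4 10.1.1.206 /24 em0.4|10.1.1.206/32
sample_ifconfig | check_alias_masks
```

The last column is the value to put in the jail.conf ip4.addr line in place of the /24 and /8 forms shown in the first message.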