Date:      Wed, 2 Mar 2011 21:48:00 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Alex Povolotsky <tarkhil@webmail.sub.ru>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: jail source address selection doesn't work?
Message-ID:  <20110302214601.S13400@maildrop.int.zabbadoz.net>
In-Reply-To: <4D4FA3DA.7010004@webmail.sub.ru>
References:  <4D4FA3DA.7010004@webmail.sub.ru>

On Mon, 7 Feb 2011, Alex Povolotsky wrote:

> Hello!
>
> On a multihomed FreeBSD 8.1-RELEASE, in a multihomed jail, source IP 
> selection suddenly refused to work.
>
> ifconfig on a box:
...
> Seems reasonable, yes?
>
> Pinging from the box
>
> # ping 192.168.75.59
> PING 192.168.75.59 (192.168.75.59): 56 data bytes
> 64 bytes from 192.168.75.59: icmp_seq=0 ttl=64 time=0.993 ms
> 64 bytes from 192.168.75.59: icmp_seq=1 ttl=64 time=0.986 ms
> 64 bytes from 192.168.75.59: icmp_seq=2 ttl=64 time=0.988 ms
> ^C
> --- 192.168.75.59 ping statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 0.986/0.989/0.993/0.003 ms
>
> 10:45:31.425232 IP 192.168.75.4 > 192.168.75.59: ICMP echo request, id 12430, 
> seq 0, length 64
> 10:45:31.426283 IP 192.168.75.59 > 192.168.75.4: ICMP echo reply, id 12430, 
> seq 0, length 64
> 10:45:32.425415 IP 192.168.75.4 > 192.168.75.59: ICMP echo request, id 12430, 
> seq 1, length 64
> 10:45:32.426404 IP 192.168.75.59 > 192.168.75.4: ICMP echo reply, id 12430, 
> seq 1, length 64
>
> Okay, yes?
>
> From jail:
>
> # ping 192.168.75.59
> PING 192.168.75.59 (192.168.75.59): 56 data bytes
> ^C
> --- 192.168.75.59 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
>
> 10:45:52.146600 IP 83.69.203.1 > 192.168.75.59: ICMP echo request, id 14222, 
> seq 0, length 64
> 10:45:53.146702 IP 83.69.203.1 > 192.168.75.59: ICMP echo request, id 14222, 
> seq 1, length 64
>
> Setting ip.saddrsel to 1 or 0 did not change anything. Kernel is GENERIC+ALTQ
>
> What could I miss?...

Don't use ping to test this.  a) for ping inside the jail to work you
need to enable raw sockets b) a) could give you a hint that ping does
its own thing.

Try a telnet to a random port to the destination and verify with
tcpdump whether things are still not working correctly, or if you
establish the connection with netstat.

If it still doesn't work let us know.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
          Stop bit received. Insert coin for new address family.
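
Added example, not part of the original message: a TCP-based check of the source address the kernel selects, in the spirit of the telnet test suggested above, with no raw sockets involved. The function names are hypothetical, and the expected prefix is supplied by the caller because the ifconfig output (and so the netmask) is elided in the thread.

```python
import ipaddress
import socket


def tcp_source_for(dst, port):
    """Return the local IPv4 address the kernel picks for a TCP connect.

    A non-blocking connect is enough: the local address is bound when the
    connect starts, so the handshake does not have to finish first.
    Returns None if no source address could be selected.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setblocking(False)
    try:
        s.connect_ex((dst, port))   # errno ignored; only the binding matters
        src = s.getsockname()[0]    # the local address netstat would list
    except OSError:
        return None
    finally:
        s.close()
    return None if src == "0.0.0.0" else src


def check_source(dst, port, expected_net):
    """Return (source, ok); ok is True when source lies inside expected_net."""
    src = tcp_source_for(dst, port)
    ok = (src is not None and
          ipaddress.ip_address(src) in ipaddress.ip_network(expected_net))
    return src, ok


if __name__ == "__main__":
    # Constructed offline demo: a loopback listener stands in for the
    # destination host so the script runs without any network.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    print(check_source("127.0.0.1", srv.getsockname()[1], "127.0.0.0/8"))
    srv.close()
```

Run inside the jail against the real destination and the prefix you expect the source to come from; a result whose second element is False reproduces the mismatch seen in the tcpdump output without depending on ping.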
