Date:      Tue, 16 Dec 2014 13:47:03 -0800
From:      Kevin Oberman <rkoberman@gmail.com>
To:        Alexander Lunev <sol289@gmail.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: only lo0 interface inside jail, no default gw
Message-ID:  <CAN6yY1tv3JPa20GLgEaqantHYfseKMKLbL9tQdEksxEh5Xku=A@mail.gmail.com>
In-Reply-To: <CABk4_A6mQe-w-oSRBOw-yZyPc7tG7MOnvMUGEtZ7ePzcBK=kUQ@mail.gmail.com>
References:  <CABk4_A61y1m8hXXkOPEKSbzf74j64MNtYhfV59enVuJfPwQApQ@mail.gmail.com> <CABk4_A6mQe-w-oSRBOw-yZyPc7tG7MOnvMUGEtZ7ePzcBK=kUQ@mail.gmail.com>

On Tue, Dec 16, 2014 at 9:39 AM, Alexander Lunev <sol289@gmail.com> wrote:

> Hello everyone.
>
> I'm trying to build a jail environment on a new server with 10.1-R. I've
> done that before on 9.2-R, but now I'm stuck with a strange network problem:
> no matter how I configure the jail (the old way through rc.conf jail_*
> variables or via /etc/jail.conf), I don't see a default gateway in the
> jail's routing table. At first I started with a more complex config using a
> separate fib for the jail, but it's not working even without fibs (or in
> fib 0). So, here's what I have in the host system:
>
> # netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags      Netif Expire
> default            10.1.1.1           UGS       em0.4
> 10.1.1.0/24        link#4             U         em0.4
> 10.1.1.205         link#4             UHS         lo0
> 10.1.1.206         link#4             UHS         lo0
> 127.0.0.1          link#3             UH          lo0
> 127.0.0.2          link#3             UH          lo0
>
> # ifconfig
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
>         ether 00:30:48:c1:e1:b4
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>         media: Ethernet autoselect (1000baseT <full-duplex>)
>         status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>         inet 127.0.0.1 netmask 0xff000000
>         inet 127.0.0.2 netmask 0xff000000
>         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> em0.4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=103<RXCSUM,TXCSUM,TSO4>
>         ether 00:30:48:c1:e1:b4
>         inet 10.1.1.205 netmask 0xffffff00 broadcast 10.1.1.255
>         inet 10.1.1.206 netmask 0xffffff00 broadcast 10.1.1.255
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>         media: Ethernet autoselect (1000baseT <full-duplex>)
>         status: active
>         vlan: 4 parent interface: em0
>
> I can ping internet from a host via gateway 10.1.1.1
>
> And here's what I have in the jail:
>
> ====== BOF /etc/jail.conf =========
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> mount.devfs;
> allow.raw_sockets;
> path = "/usr/jails/$name";
>
> template {
>     jid = 1;
>     ip4.addr = "em0.4|10.1.1.206/24";
>     ip4.addr += "lo0|127.0.0.2/8";
>     host.hostname = template;
> }
> ====== EOF /etc/jail.conf =========
>
> # jexec 1 netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags      Netif Expire
> 10.1.1.206         link#4             UHS         lo0
> 127.0.0.2          link#3             UH          lo0
>
> I can ping gateway from jail
>
> # jexec 1 ping 10.1.1.1
> PING 10.1.1.1 (10.1.1.1): 56 data bytes
> 64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.366 ms
> ^C
>
> But not the Internet or anything via routing.
>
> I have no default gateway in the jail - why? What have I missed in this new
> jail implementation since 9.2-R?
>
> Crossposted to freebsd-jail@
>
>
You lack a default route, so nothing will be reachable other than
10.1.1.206 and 127.0.0.2.

I just learned today that the handbook has a very nice tutorial on jailing
BIND. It will probably save a lot of time if you check it out at
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html#jails-ezjail-example-bind

As the handbook makes obvious, you really will find it a lot easier if you
use ezjail. It massively simplified working with jails.
--
R. Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman@gmail.com
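
The comparison made in this thread, as an added example that is not part of the original message: a POSIX sh sketch that parses `netstat -rn` text and reports which IPv4 routes the host lists that the jail does not. The function names are hypothetical, and the two sample tables are copied from the output quoted above.

```sh
#!/bin/sh
# Added example, not from the thread. Sample tables are the netstat -rn
# output quoted in the message (host first, then jexec 1).
HOST_TABLE='Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            10.1.1.1           UGS       em0.4
10.1.1.0/24        link#4             U         em0.4
10.1.1.205         link#4             UHS         lo0
10.1.1.206         link#4             UHS         lo0
127.0.0.1          link#3             UH          lo0
127.0.0.2          link#3             UH          lo0'

JAIL_TABLE='Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
10.1.1.206         link#4             UHS         lo0
127.0.0.2          link#3             UH          lo0'

# Read netstat -rn text on stdin; print "destination gateway netif" per IPv4 route.
ipv4_routes() {
    awk '
        /^Internet:/  { in4 = 1; next }   # IPv4 section starts here
        /^Internet6:/ { in4 = 0 }         # IPv6 section ends it
        in4 && NF >= 4 && $1 != "Destination" { print $1, $2, $4 }
    '
}

# Read netstat -rn text on stdin; print the default gateway, fail if there is none.
default_gateway() {
    ipv4_routes | awk '$1 == "default" { print $2; found = 1 } END { exit !found }'
}

# Print destinations listed in table $1 that are absent from table $2.
routes_only_in_first() {
    first=$(printf '%s\n' "$1" | ipv4_routes | awk '{ print $1 }')
    second=$(printf '%s\n' "$2" | ipv4_routes | awk '{ print $1 }')
    for dest in $first; do
        printf '%s\n' "$second" | grep -qxF -- "$dest" || printf '%s\n' "$dest"
    done
}
```

On a live system the same functions can be fed `netstat -rn` and `jexec 1 netstat -rn` directly instead of the embedded samples.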
