Re: jail source address selection doesn't work?
- From: "Bjoern A. Zeeb" <bzeeb-lists@xxxxxxxxxxxxxxxxxx>
- Date: Thu, 3 Mar 2011 12:03:23 +0000 (UTC)
On Thu, 3 Mar 2011, Alex Povolotsky wrote:
Hi,
03.03.2011 0:48, Bjoern A. Zeeb пишет:...On Mon, 7 Feb 2011, Alex Povolotsky wrote:
Okay, yes?
From jail:
...Telnet did all the same thing.
What could I miss?...
Don't use ping to test this. a) for ping inside the jail to work you
need to enable raw sockets b) a) could give you a hint that ping does
it's own thing.
I used telnet to connect to specific ports.
Try a telnet to a random port to the destination and verify with
tcpdump whether things are still not working correctly, of if you
establish the connection with netstat.
Ok, let's try again
104:tarkhil@xxxxxxxxxxxxxxxxxxxxxxx:...local/etc/ezjail # jls
JID IP Address Hostname Path
1 192.168.82.2 test /usr/jails/test
107:tarkhil@xxxxxxxxxxxxxxxxxxxxxxx:...local/etc/ezjail # jls -j 1 ip4.saddrsel
true
108:tarkhil@xxxxxxxxxxxxxxxxxxxxxxx:...local/etc/ezjail # jls -j 1 ip4.addr
192.168.82.2,192.168.75.2
114:tarkhil@xxxxxxxxxxxxxxxxxxxxxxx:...local/etc/ezjail # tcpdump -l -n -i bce0 host 192.168.82.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bce0, link-type EN10MB (Ethernet), capture size 96 bytes
09:27:54.492105 IP 192.168.82.2.50823 > 192.168.72.3.22: Flags [S], seq 3819433473, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 1306232522 ecr 0], length 0
inet 192.168.80.41 netmask 0xffffff00 broadcast 192.168.80.255..
inet 192.168.75.2 netmask 0xffffff00 broadcast 192.168.75.255
inet 192.168.82.2 netmask 0xffffff00 broadcast 192.168.82.255
In other words, source address is selected as primary IP, and packet runs out on 100% improper interface.
No specific routing, no firewall.
Not sure what you expect. Your jail has an address out of
192.168.82.2/24 and
192.168.75.2/24
You are trying to connect to neither of those networks but 192.168.72.3.
Given the destination network does not match any directly connected
network and, based on your previous email, you don't have an route going out a gateway of either of those two networks to 192.168.72.3 it's doing
the fallback to the "primary" jail IP, as expected.
You would need to add a more specific route to the destination via a
gateway of either connected network if you wanted a different source
address to be picked; if you just want to limit that to the single
jail but not the global system look at setfib for IPv4.
/bz
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family._______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: jail source address selection doesn't work?
- From: Alex Povolotsky
- Re: jail source address selection doesn't work?
- References:
- Re: jail source address selection doesn't work?
- From: Bjoern A. Zeeb
- Re: jail source address selection doesn't work?
- From: Alex Povolotsky
- Re: jail source address selection doesn't work?
- Prev by Date: Re: kern/155177: [route] [panic] Panic when inject routes in kernel
- Next by Date: Re: jail source address selection doesn't work?
- Previous by thread: Re: jail source address selection doesn't work?
- Next by thread: Re: jail source address selection doesn't work?
- Index(es):
Relevant Pages
|
