Re: Jails and IP Aliasing
On Tue, Jul 8, 2008 at 9:35 AM, Matthew Seaman <[EMAIL PROTECTED]> wrote:
> David Allen wrote:
>
>> There was a post recently (Matthew Seaman's name comes to mind) that
>> suggested binding jails to addresses in the loopback range and then
>> using firewall rules to redirect the traffic accordingly. There's a
>> possibility that may help in this case, but that layer of added
>> complexity isn't much of an improvement over seeing connections with
>> seemingly identical endpoints and interpreting the results in my head.
>
> Guilty as charged M'lud.

Stand up, fool, lest I be forced to lower my knee and acknowledge your
presence in a manner befitting a man as yourself.

> However what I recommended was a more-than-slightly hacky way to achieve
> three things:
>
> * Something like a loopback address inside the jail. It may be
>   127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
>   to use it for loopback style things.
>
> * The ability to map several IPs onto the jailed system by use of
>   NAT and redirect within firewall rules
>
> * The ability to have a jail with /no/ external IP for when the
>   paranoia becomes unbearable[*].

It could be said that those three expand into more numerous achievements.
I'm still debating the "more-than-slightly hacky" aspects of such an
arrangement, but undeniably it's interesting enough.

> Of course, all this will be immediately obsoleted by Marco Zec's work
> on virtualizing the IP stack. http://imunes.tel.fer.hr/virtnet/

Promising, even exciting, but I'm having trouble deciding whether I declare
a victory for the triumph of optimism over experience, or offer the comment
that the Real Soon Now schedule is a disappointment?

Seriously, though, jails can be seen as the greatest thing since sliced
bread, but I have this nagging feeling I'm at work writing a small book that
details their niggly shortcomings, a book whose completion, I hope, will be
cut short by the addition of New and Improved features.
___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Jails and IP Aliasing
On Tuesday 08 July 2008 11:24:33 Mel wrote: > On Monday 07 July 2008 18:51:33 David Allen wrote: > > Granted, everything is really happening over the loopback address, but a > > connection originating from the jailhost to a jail should appear to be > > using the jailhost's IP address, or so I'd like to think. If it doesn't, > > then the scenario is awkward at best when trying to understand or debug > > issues. > > To debug this, you need to 'add jail support to sockstat'. This sounds > hard, and it is It's actually not that hard, though it stretches the output width. Diff inlined below sig, for RELENG_7. -- Mel Problem with today's modular software: they start with the modules and never get to the software part. Index: sockstat.c === RCS file: /home/ncvs/src/usr.bin/sockstat/sockstat.c,v retrieving revision 1.17 diff -u -r1.17 sockstat.c --- sockstat.c 16 Jun 2007 20:24:55 - 1.17 +++ sockstat.c 8 Jul 2008 19:40:11 - @@ -94,6 +94,11 @@ struct sock *next; }; +struct procinfo { + const char *procname; + int jid; +}; + #define HASHSIZE 1009 static struct sock *sockhash[HASHSIZE]; @@ -513,13 +518,16 @@ return xprintf("%s:%d", addrstr, port); } -static const char * -getprocname(pid_t pid) +static int +getprocinfo(pid_t pid, struct procinfo *pi_ptr) { static struct kinfo_proc proc; size_t len; int mib[4]; + if( pi_ptr == NULL ) + return -1; + mib[0] = CTL_KERN; mib[1] = KERN_PROC; mib[2] = KERN_PROC_PID; @@ -529,9 +537,12 @@ /* Do not warn if the process exits before we get its name. */ if (errno != ESRCH) warn("sysctl()"); - return ("??"); + return -1; } - return (proc.ki_comm); + pi_ptr->procname = proc.ki_comm; + pi_ptr->jid = proc.ki_jid; + + return (0); } static int 
@@ -564,11 +575,12 @@ struct passwd *pwd; struct xfile *xf; struct sock *s; + struct procinfo pi; void *p; int hash, n, pos; - printf("%-8s %-10s %-5s %-2s %-6s %-21s %-21s\n", - "USER", "COMMAND", "PID", "FD", "PROTO", + printf("%-8s %-10s %-5s %-5s %-2s %-6s %-21s %-21s\n", + "USER", "COMMAND", "PID", "JID", "FD", "PROTO", "LOCAL ADDRESS", "FOREIGN ADDRESS"); setpassent(1); for (xf = xfiles, n = 0; n < nxfiles; ++n, ++xf) { @@ -583,33 +595,41 @@ if (!check_ports(s)) continue; pos = 0; + if( -1 == getprocinfo(xf->xf_pid, &pi) ) + { + pi.procname = "??"; + pi.jid = -1; + } if ((pwd = getpwuid(xf->xf_uid)) == NULL) pos += xprintf("%lu", (u_long)xf->xf_uid); else pos += xprintf("%s", pwd->pw_name); while (pos < 9) pos += xprintf(" "); - pos += xprintf("%.10s", getprocname(xf->xf_pid)); + pos += xprintf("%.10s", pi.procname); while (pos < 20) pos += xprintf(" "); pos += xprintf("%lu", (u_long)xf->xf_pid); while (pos < 26) pos += xprintf(" "); + pos += xprintf("%u", pi.jid); + while (pos < 32) + pos += xprintf(" "); pos += xprintf("%d", xf->xf_fd); - while (pos < 29) + while (pos < 35) pos += xprintf(" "); pos += xprintf("%s", s->protoname); if (s->vflag & INP_IPV4) pos += xprintf("4"); if (s->vflag & INP_IPV6) pos += xprintf("6"); - while (pos < 36) + while (pos < 42) pos += xprintf(" "); switch (s->family) { case AF_INET: case AF_INET6: pos += printaddr(s->family, &s->laddr); - while (pos < 58) + while (pos < 64) pos += xprintf(" "); pos += printaddr(s->family, &s->faddr); break; ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
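Review bot: In the getprocinfo() hunk (@@ -513,13 +518,16 @@) the new code departs from the style the rest of the file uses: `if( pi_ptr == NULL )` and bare `return -1;` sit next to the file's own `return (0);` and `return ("??");` forms, so `if (pi_ptr == NULL)` and `return (-1);` would match style(9) and the surrounding lines. It is also worth a comment that `pi_ptr->procname = proc.ki_comm;` points into the function's static `proc` buffer, so the name is only valid until the next call; the single caller in the display loop consumes it immediately, but a future second caller would silently see it overwritten.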
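Review bot: In the display-loop hunk (@@ -583,33 +595,41 @@) the failure path sets `pi.jid = -1;` but the value is printed with `pos += xprintf("%u", pi.jid);`, so a process that exited before the sysctl lookup prints 4294967295, overruns the 5-character JID column (`while (pos < 32)`) and shifts every field after it. Since ki_jid is an int, print it with `"%d"`, or better, print "??" for the unresolved case the way procname already does. The `if( -1 == getprocinfo(xf->xf_pid, &pi) )` followed by a brace on its own line is the same style mismatch as in the earlier hunk; the file uses `if (cond) {`.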
Re: Jails and IP Aliasing
Daniel Gerzo wrote:
> Hello,
>
>> * Something like a loopback address inside the jail. It may be
>>   127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
>>   to use it for loopback style things.
>>
>> * The ability to map several IPs onto the jailed system by use of
>>   NAT and redirect within firewall rules
>>
>> * The ability to have a jail with /no/ external IP for when the
>>   paranoia becomes unbearable[*].
>
> Most of this is actually implemented by [EMAIL PROTECTED] You can find some
> patches at http://sources.zabbadoz.net/freebsd/jail.html

These patches (in various forms) have been around since version 4.x. Why has
none of this functionality ever been committed to head?
Re: Jails and IP Aliasing
Hello,

> * Something like a loopback address inside the jail. It may be
>   127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
>   to use it for loopback style things.
>
> * The ability to map several IPs onto the jailed system by use of
>   NAT and redirect within firewall rules
>
> * The ability to have a jail with /no/ external IP for when the
>   paranoia becomes unbearable[*].

Most of this is actually implemented by [EMAIL PROTECTED] You can find some
patches at http://sources.zabbadoz.net/freebsd/jail.html

-- 
Best regards,
Daniel Gerzo
Re: Jails and IP Aliasing
David Allen wrote:
> There was a post recently (Matthew Seaman's name comes to mind) that
> suggested binding jails to addresses in the loopback range and then
> using firewall rules to redirect the traffic accordingly. There's a
> possibility that may help in this case, but that layer of added
> complexity isn't much of an improvement over seeing connections with
> seemingly identical endpoints and interpreting the results in my head.

Guilty as charged M'lud.

However what I recommended was a more-than-slightly hacky way to achieve
three things:

 * Something like a loopback address inside the jail. It may be
   127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
   to use it for loopback style things.

 * The ability to map several IPs onto the jailed system by use of
   NAT and redirect within firewall rules

 * The ability to have a jail with /no/ external IP for when the
   paranoia becomes unbearable[*].

Of course, all this will be immediately obsoleted by Marco Zec's work
on virtualizing the IP stack. http://imunes.tel.fer.hr/virtnet/

Cheers,

Matthew

[*] Combine this with a Hardware Load Balancer that does Direct Server
Return and you can have a publicly accessible jailed server with /no
external IP address/.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: Jails and IP Aliasing
On Tue, Jul 8, 2008 at 2:24 AM, Mel <[EMAIL PROTECTED]> wrote:
> On Monday 07 July 2008 18:51:33 David Allen wrote:
>
>> Granted, everything is really happening over the loopback address, but a
>> connection originating from the jailhost to a jail should appear to be
>> using the jailhost's IP address, or so I'd like to think. If it doesn't,
>> then the scenario is awkward at best when trying to understand or debug
>> issues.
>
> To debug this, you need to 'add jail support to sockstat'. This sounds hard,
> and it is, but you can fake it, since sockstat gives you the PID. With a
> little creative scripting, you can call `ps -o state' for each PID in the
> list, look for the capital 'J' and if it is, add the 'J' to the line.

Been there and done that. When I first started working with jails, I
discovered that most standard utilities didn't offer any support for jails,
and chaining commands got to be really old fast. I ended up writing a few
Perl scripts and routinely use those instead. IIRC, there's a jail-related
port that offers a collection of something similar.

Still, we're talking about a very limited subset of tools and functionality.
What about tcpdump? Or firewall rules? Or any other network tool?

There was a post recently (Matthew Seaman's name comes to mind) that
suggested binding jails to addresses in the loopback range and then using
firewall rules to redirect the traffic accordingly. There's a possibility
that may help in this case, but that layer of added complexity isn't much of
an improvement over seeing connections with seemingly identical endpoints
and interpreting the results in my head.

>> The thought occurred to me, however, that I could add a new network card
>> and reserve that for the IP aliases needed by the jails. But I'm not sure
>> whether that will work in telling me who's who, or whether I'll discover
>> another gotcha. ;-)
>
> It will add more gotcha's, unless you put each network card in a different
> network. With the IP's given here, you tell the host that 10.0.1.0/24 is on
> fxp0, so it will never go to fxp1 for 10.0.1.4.

You're probably right. I'm wondering, though, if by moving the jails into
their own network space and adding routing into the mix, the end result may
be more satisfactory?

Setting aside the fun of mental gymnastics, the conclusion seems to be don't
run anything on the jail host that would initiate a connection to a service
running inside a jail. Unless, of course, you don't mind being confused (at
least from a networking perspective) by WTF you're seeing. ;-)

Either way, thanks very much for the input.
Re: Jails and IP Aliasing
On Mon, Jul 7, 2008 at 2:01 PM, George Hartzell <[EMAIL PROTECTED]> wrote:
>
> Did you take the necessary steps to restrict the IP addresses on which
> sendmail on the host and the jail listen? The jail man page only
> says:

I don't think anyone would get too far with jails in general if the jail
host wasn't properly configured beforehand. To answer your question,
sendmail on the jail host is listening to the loopback address only. And to
the extent it's not redundant or meaningless, within each jail, sendmail is
configured to listen to the jail's IP address only.

Regrettably, the problem isn't specific to sendmail or any other service, as
an ssh connection would exhibit identical behaviour. Put simply, all
connections from the jail host to any jail are reported as using that jail's
IP address only. Doesn't matter if you're viewing the state from the
perspective of the jail host, or from within the jail itself. Both ends of
the connection have the same IP address.
Re: Jails and IP Aliasing
No, I am right. Try it yourself and you will see that solves the issue.
I have several jails on different machines and this way the system works
without any error or problem.

Try it and see it :)

Regards,

Ivailo Tanusheff

Mel <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08.07.2008 12:38

To: freebsd-questions@freebsd.org
cc:
Subject: Re: Jails and IP Aliasing

On Tuesday 08 July 2008 11:13:04 Ivailo Tanusheff wrote:
> Hi,
>
> I guess the problem is with your netmask and respectively the broadcast
> addresses for the jails.
> It should be:
>
> inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
> inet 10.0.1.3 netmask 0xffffff00 broadcast 10.0.1.255
> inet 10.0.1.4 netmask 0xffffff00 broadcast 10.0.1.255

You guess wrong. Aliases SHOULD (as in IETF RFC should) have 255.255.255.255
netmask.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.
Re: Jails and IP Aliasing
On Tuesday 08 July 2008 11:13:04 Ivailo Tanusheff wrote:
> Hi,
>
> I guess the problem is with your netmask and respectively the broadcast
> addresses for the jails.
> It should be:
>
> inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
> inet 10.0.1.3 netmask 0xffffff00 broadcast 10.0.1.255
> inet 10.0.1.4 netmask 0xffffff00 broadcast 10.0.1.255

You guess wrong. Aliases SHOULD (as in IETF RFC should) have 255.255.255.255
netmask.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.
Re: Jails and IP Aliasing
On Monday 07 July 2008 18:51:33 David Allen wrote:
> Granted, everything is really happening over the loopback address, but a
> connection originating from the jailhost to a jail should appear to be
> using the jailhost's IP address, or so I'd like to think. If it doesn't,
> then the scenario is awkward at best when trying to understand or debug
> issues.

To debug this, you need to 'add jail support to sockstat'. This sounds hard,
and it is, but you can fake it, since sockstat gives you the PID. With a
little creative scripting, you can call `ps -o state' for each PID in the
list, look for the capital 'J' and if it is, add the 'J' to the line.

> The thought occurred to me, however, that I could add a new network card
> and reserve that for the IP aliases needed by the jails. But I'm not sure
> whether that will work in telling me who's who, or whether I'll discover
> another gotcha. ;-)

It will add more gotcha's, unless you put each network card in a different
network. With the IP's given here, you tell the host that 10.0.1.0/24 is on
fxp0, so it will never go to fxp1 for 10.0.1.4.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.
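The "fake jail support in sockstat" idea Mel describes, written out as an added example (not code from the thread or from FreeBSD). It goes a step further than the bare 'J' flag: it also maps each socket's local address back to a jail via the jail_*_ip lines in rc.conf, so a host process that has borrowed a jail's address (David's telnet case) stands out. The sockstat, ps and rc.conf text are constructed samples modelled on the thread's output; the constant and function names are this example's own.

```python
"""Annotate sockstat -4 output with jail information, offline.

Inputs are plain text as the tools print it, so on a real host the three
constants below would be replaced by the captured output of
`sockstat -4`, `ps -axo pid,state` and the jail_* lines of rc.conf.
"""
import re

# Constructed sample: the jail_*_ip lines from the original post's rc.conf.
RC_CONF = """\
jail_ns_hostname="ns.example.org"
jail_ns_ip="10.0.1.3"
jail_mail_hostname="mail.example.org"
jail_mail_ip="10.0.1.4"
"""

# Constructed sample of `sockstat -4` output (RELENG_7 columns, no JID),
# modelled on the host-to-jail telnet session shown in the thread.
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   16594 4  tcp4   10.0.1.4:25           10.0.1.4:62110
root     telnet     16593 3  tcp4   10.0.1.4:62110        10.0.1.4:25
bind     named      4011  21 tcp4   10.0.1.3:53           *:*
root     sshd       715   3  tcp4   10.0.1.2:22           *:*
"""

# Constructed sample of `ps -axo pid,state`; a capital J marks a jailed
# process, which is the signal Mel suggests looking for.
PS_STATE = """\
  PID STAT
16594 SsJ
16593 S+
 4011 SsJ
  715 Ss
"""


def parse_jail_ips(rc_conf):
    """Map jail IP -> jail name from jail_<name>_ip="..." lines."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r'^jail_(\w+)_ip="([^"]+)"', rc_conf, re.M)}


def parse_ps_state(ps_text):
    """Map PID -> True when the ps state column contains a 'J'."""
    jailed = {}
    for line in ps_text.splitlines()[1:]:
        pid, state = line.split()
        jailed[int(pid)] = "J" in state
    return jailed


def annotate(sockstat_text, rc_conf, ps_text):
    """One dict per socket line, tagged with jail name and the J flag."""
    jail_by_ip = parse_jail_ips(rc_conf)
    jailed = parse_ps_state(ps_text)
    rows = []
    for line in sockstat_text.splitlines()[1:]:
        user, cmd, pid, fd, proto, local, foreign = line.split()
        pid = int(pid)
        lip = local.rsplit(":", 1)[0]
        fip = foreign.rsplit(":", 1)[0]
        rows.append({
            "user": user, "command": cmd, "pid": pid, "fd": int(fd),
            "proto": proto, "local": local, "foreign": foreign,
            # Which jail owns the local address according to rc.conf.
            "jail": jail_by_ip.get(lip, "host"),
            # Whether the process itself is jailed (ps shows J).
            "jailed_pid": jailed.get(pid, False),
            # David's confusing case: both ends carry the same jail IP.
            "same_jail_ip_both_ends": lip == fip and lip in jail_by_ip,
        })
    return rows


def host_side_sockets(rows):
    """Sockets bound to a jail IP whose owning process is NOT jailed.

    These are the host-originated connections that sockstat alone cannot
    tell apart from the jail's own sockets.
    """
    return [r for r in rows if r["jail"] != "host" and not r["jailed_pid"]]


def format_row(r):
    """Render a row as a sockstat line with a J column and a jail tag."""
    flag = "J" if r["jailed_pid"] else "-"
    mark = "  <-- same IP both ends" if r["same_jail_ip_both_ends"] else ""
    return "%-8s %-10s %-5d %s %-2d %-6s %-21s %-21s [%s]%s" % (
        r["user"], r["command"], r["pid"], flag, r["fd"], r["proto"],
        r["local"], r["foreign"], r["jail"], mark)


if __name__ == "__main__":
    rows = annotate(SOCKSTAT, RC_CONF, PS_STATE)
    for r in rows:
        print(format_row(r))
    for r in host_side_sockets(rows):
        print("host process %s (pid %d) is using jail %s's address" % (
            r["command"], r["pid"], r["jail"]))
```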
Re: Jails and IP Aliasing
Hi,

I guess the problem is with your netmask and respectively the broadcast
addresses for the jails.
It should be:

inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
inet 10.0.1.3 netmask 0xffffff00 broadcast 10.0.1.255
inet 10.0.1.4 netmask 0xffffff00 broadcast 10.0.1.255

Regards,

Ivailo Tanusheff
Deputy Head of IT Department
ProCredit Bank (Bulgaria) AD

Jason Morgan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07.07.2008 21:01

To: FreeBSD Questions
cc:
Subject: Re: Jails and IP Aliasing

Hello,

On 2008.07.07 09:51:33, David Allen wrote:
> Unless I'm losing my mind, I'm encountering what seems to be yet another
> gotcha with jails. The following has been dumbed down for clarity and
> brevity.
>
> -
> # hostname
> jailhost.example.org
>
> # host jailhost
> jailhost.example.org has address 10.0.1.2
>
> # ifconfig fxp0
> fxp0: flags=8843 metric 0 mtu 1500
>         options=b
>         ether 00:07:e9:c8:2e:32
>         inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
>         inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
>         inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
>         media: Ethernet autoselect (100baseTX )
>         status: active

This is the output for my jail interface. Notice that your jail aliases are
broadcasting on the jail's IP. I don't know if this is an issue or not (my
jails run on i386 FBSD 6.3), but it's something to look at. How are you
setting the aliases?

sk0: flags=8843 mtu 1500
        options=b
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.101 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (1000baseTX )
        status: active

Cheers,
~Jason
Re: Jails and IP Aliasing
Jason Morgan wrote:
> On 2008.07.07 12:16:44, David Allen wrote:
>> # grep fxp0 /etc/rc.conf
>> ifconfig_fxp0="inet 10.0.1.2 netmask 0xffffff00"
>> ifconfig_fxp0_alias0="10.0.1.3 netmask 0xffffffff"
>> ifconfig_fxp0_alias1="10.0.1.4 netmask 0xffffffff"
>> ifconfig_fxp0_alias2="10.0.1.5 netmask 0xffffffff"
>>
>> My understanding from the handbook is that the mask should be set to all
>> ones if the alias is for an address that's part of the same network. For
>> a different segment, it's the first alias that should be set to the real
>> netmask, with any additional aliases using a netmask of all ones.
>>
>> Granted, the broadcast addresses look odd. If my programming skills
>> were better, I'd just read through the code and understand what's really
>> happening, but for now, I'm just taking the FreeBSD folks at their word at
>> following instructions. That's a roundabout way of saying I think your
>> aliases are set up incorrectly. ;-)
>
> That is quite possible (I do notice the newer documentation calling for
> netmask 0xffffffff). But I have never had any trouble over the last three
> years so, you know how it is, if it ain't (too) broke ...

Using a /32 netmask for aliases in the same network as the primary address
used to be mandatory until sometime during the 6.x RELEASE series. It is
still recommended in the various documentation, and it does make it clear to
the administrator which is the primary address when looking at ifconfig
output, when that distinction is important[*].

Using the 'natural' netmask for the network the aliases are part of has
worked for several years: this seems to be what most new users expect and
it's familiar for users of other operating systems.

As far as I know, there is no technical or performance reason to prefer one
style over the other -- just a matter of administrator preference.

Cheers,

Matthew

[*] ie. which is the source address used for connection /from/ the server.
If all the aliases are used for jails, or all your software is configured
to bind to one or other of the addresses this doesn't come into play.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
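The handbook rule David quotes and Matthew expands on (same segment as the primary: /32 alias; new segment: first alias carries the real netmask, later ones /32), as an added example that is not from the thread. It checks ifconfig_* lines from a constructed rc.conf with Python's ipaddress module and also reports the broadcast address each netmask implies, which is why a /32 alias shows "broadcast 10.0.1.3". Since Matthew notes the natural mask also works, deviations are reported as verdicts for the administrator rather than treated as errors; all names and the sample lines beyond the thread's fxp0 entries are this example's own.

```python
"""Check rc.conf alias netmasks against the handbook convention."""
import ipaddress
import re

# Constructed sample rc.conf; the fxp0 primary and alias0 mirror the thread,
# alias1 deliberately uses the natural /24 mask, and the 192.168.5.x lines
# add a second segment so both halves of the rule get exercised.
RC_CONF = """\
ifconfig_fxp0="inet 10.0.1.2 netmask 0xffffff00"
ifconfig_fxp0_alias0="10.0.1.3 netmask 0xffffffff"
ifconfig_fxp0_alias1="10.0.1.4 netmask 0xffffff00"
ifconfig_fxp0_alias2="192.168.5.10 netmask 0xffffff00"
ifconfig_fxp0_alias3="192.168.5.11 netmask 0xffffff00"
"""

ALL_ONES = ipaddress.IPv4Address("255.255.255.255")

# ifconfig_<if>="inet A netmask M" and ifconfig_<if>_aliasN="A netmask M".
LINE_RE = re.compile(
    r'^ifconfig_(\w+?)(?:_alias(\d+))?='
    r'"(?:inet\s+)?(\S+)\s+netmask\s+(\S+)"', re.M)


def parse_mask(text):
    """Accept 0xffffffff or 255.255.255.255 and return an IPv4Address."""
    if text.lower().startswith("0x"):
        return ipaddress.IPv4Address(int(text, 16))
    return ipaddress.IPv4Address(text)


def parse_rc_conf(rc_conf):
    """Per interface: [(address, mask), ...], primary first, aliases in order."""
    entries = []
    for m in LINE_RE.finditer(rc_conf):
        iface, idx, addr, mask = m.groups()
        entries.append((iface, -1 if idx is None else int(idx),
                        ipaddress.IPv4Address(addr), parse_mask(mask)))
    ifaces = {}
    for iface, _idx, addr, mask in sorted(entries):
        ifaces.setdefault(iface, []).append((addr, mask))
    return ifaces


def check_aliases(rc_conf):
    """Return one finding per alias: verdict plus the broadcast it implies."""
    findings = []
    for iface, addrs in parse_rc_conf(rc_conf).items():
        primary, pmask = addrs[0]
        # Segments already announced by an address carrying its real netmask.
        known = [ipaddress.IPv4Network((str(primary), str(pmask)),
                                       strict=False)]
        for addr, mask in addrs[1:]:
            net = ipaddress.IPv4Network((str(addr), str(mask)), strict=False)
            if any(addr in seg for seg in known):
                # Same segment as the primary (or an earlier alias): /32.
                verdict = ("ok" if mask == ALL_ONES else
                           "expected /32 (0xffffffff), got %s" % mask)
            elif mask == ALL_ONES:
                # First alias on a new segment must carry the real netmask;
                # with /32 the host never learns that segment's route.
                verdict = "expected real netmask for new segment, got /32"
            else:
                verdict = "ok"
                known.append(net)
            findings.append({
                "iface": iface, "address": str(addr), "netmask": str(mask),
                # A /32 alias has itself as broadcast address, which is the
                # "broadcast 10.0.1.3" David found odd in ifconfig output.
                "broadcast": str(net.broadcast_address),
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for f in check_aliases(RC_CONF):
        print("%(iface)s %(address)s netmask %(netmask)s "
              "broadcast %(broadcast)s: %(verdict)s" % f)
```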
Re: Jails and IP Aliasing
Did you take the necessary steps to restrict the IP addresses on which
sendmail on the host and the jail listen? The jail man page only
says:

     To configure sendmail(8), it is necessary to modify
     /etc/mail/sendmail.cf.

but you'll probably end up adjusting the DAEMON_OPTIONS lines of your
sendmail.mc (freebsd.mc, freebsd.submit.mc) and recreating your cf files.

g.
Re: Jails and IP Aliasing
On 2008.07.07 12:16:44, David Allen wrote:
> On Mon, Jul 7, 2008 at 10:54 AM, Jason Morgan
> <[EMAIL PROTECTED]> wrote:
> > On 2008.07.07 09:51:33, David Allen wrote:
> >> Unless I'm losing my mind, I'm encountering what seems to be yet another
> >> gotcha with jails. The following has been dumbed down for clarity and
> >> brevity.
> >>
> >> -
> >> # hostname
> >> jailhost.example.org
> >>
> >> # host jailhost
> >> jailhost.example.org has address 10.0.1.2
> >>
> >> # ifconfig fxp0
> >> fxp0: flags=8843 metric 0 mtu 1500
> >>         options=b
> >>         ether 00:07:e9:c8:2e:32
> >>         inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
> >>         inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
> >>         inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
> >>         media: Ethernet autoselect (100baseTX )
> >>         status: active
> >
> > This is the output for my jail interface. Notice that your jail
> > aliases are broadcasting on the jail's IP. I don't know if this is an
> > issue or not (my jails run on i386 FBSD 6.3), but it's something to
> > look at. How are you setting the aliases?
> >
> > sk0: flags=8843 mtu 1500
> >         options=b
> >         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
> >         inet 10.0.0.101 netmask 0xffffff00 broadcast 10.0.0.255
> >         inet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
> >         ether xx:xx:xx:xx:xx:xx
> >         media: Ethernet autoselect (1000baseTX )
> >         status: active
>
> My own aliases:
>
> # grep fxp0 /etc/rc.conf
> ifconfig_fxp0="inet 10.0.1.2 netmask 0xffffff00"
> ifconfig_fxp0_alias0="10.0.1.3 netmask 0xffffffff"
> ifconfig_fxp0_alias1="10.0.1.4 netmask 0xffffffff"
> ifconfig_fxp0_alias2="10.0.1.5 netmask 0xffffffff"
>
> My understanding from the handbook is that the mask should be set to all
> ones if the alias is for an address that's part of the same network. For
> a different segment, it's the first alias that should be set to the real
> netmask, with any additional aliases using a netmask of all ones.
>
> Granted, the broadcast addresses look odd. If my programming skills
> were better, I'd just read through the code and understand what's really
> happening, but for now, I'm just taking the FreeBSD folks at their word at
> following instructions. That's a roundabout way of saying I think your
> aliases are set up incorrectly. ;-)

That is quite possible (I do notice the newer documentation calling for
netmask 0xffffffff). But I have never had any trouble over the last three
years so, you know how it is, if it ain't (too) broke ...

> If you're not seeing the behaviour I'm seeing, do let me know. But to
> clarify with a concrete example, the following is what I see on the
> jailhost (10.0.1.2) when it connects to port 25 on one of the
> jails (10.0.1.5).
>
> # tcpdump -nqti lo0 port 25
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
> IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
> IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 0
> IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
> IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 89
> IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
>
> # netstat -nf inet
> Active Internet connections
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0  10.0.1.5.25            10.0.1.5.62110         ESTABLISHED
> tcp4       0      0  10.0.1.5.62110         10.0.1.5.25            ESTABLISHED
>
> # sockstat -4 -p 25
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> root     sendmail   16594 1  tcp4   10.0.1.5:25           10.0.1.5:62110
> root     sendmail   16594 4  tcp4   10.0.1.5:25           10.0.1.5:62110
> root     sendmail   16594 7  tcp4   10.0.1.5:25           10.0.1.5:62110
> root     telnet     16593 3  tcp4   10.0.1.5:62110        10.0.1.5:25
>
> Why the jailhost is suddenly using the jail's IP address is beyond me.

I am actually getting the same results when telnetting to port 25 on my
mailserver jail. Someone else here should be able to offer better advice.
Sorry, I couldn't help.

Good luck,
~Jason
Re: Jails and IP Aliasing
On Mon, Jul 7, 2008 at 10:54 AM, Jason Morgan <[EMAIL PROTECTED]> wrote:
> On 2008.07.07 09:51:33, David Allen wrote:
>> Unless I'm losing my mind, I'm encountering what seems to be yet another
>> gotcha with jails. The following has been dumbed down for clarity and
>> brevity.
>>
>> -
>> # hostname
>> jailhost.example.org
>>
>> # host jailhost
>> jailhost.example.org has address 10.0.1.2
>>
>> # ifconfig fxp0
>> fxp0: flags=8843 metric 0 mtu 1500
>>         options=b
>>         ether 00:07:e9:c8:2e:32
>>         inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
>>         inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
>>         inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
>>         media: Ethernet autoselect (100baseTX )
>>         status: active
>
> This is the output for my jail interface. Notice that your jail
> aliases are broadcasting on the jail's IP. I don't know if this is an
> issue or not (my jails run on i386 FBSD 6.3), but it's something to
> look at. How are you setting the aliases?
>
> sk0: flags=8843 mtu 1500
>         options=b
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         inet 10.0.0.101 netmask 0xffffff00 broadcast 10.0.0.255
>         inet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
>         ether xx:xx:xx:xx:xx:xx
>         media: Ethernet autoselect (1000baseTX )
>         status: active

My own aliases:

# grep fxp0 /etc/rc.conf
ifconfig_fxp0="inet 10.0.1.2 netmask 0xffffff00"
ifconfig_fxp0_alias0="10.0.1.3 netmask 0xffffffff"
ifconfig_fxp0_alias1="10.0.1.4 netmask 0xffffffff"
ifconfig_fxp0_alias2="10.0.1.5 netmask 0xffffffff"

My understanding from the handbook is that the mask should be set to all
ones if the alias is for an address that's part of the same network. For
a different segment, it's the first alias that should be set to the real
netmask, with any additional aliases using a netmask of all ones.

Granted, the broadcast addresses look odd. If my programming skills
were better, I'd just read through the code and understand what's really
happening, but for now, I'm just taking the FreeBSD folks at their word at
following instructions. That's a roundabout way of saying I think your
aliases are set up incorrectly. ;-)

If you're not seeing the behaviour I'm seeing, do let me know. But to
clarify with a concrete example, the following is what I see on the
jailhost (10.0.1.2) when it connects to port 25 on one of the
jails (10.0.1.5).

# tcpdump -nqti lo0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 0
IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 89
IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0

# netstat -nf inet
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.1.5.25            10.0.1.5.62110         ESTABLISHED
tcp4       0      0  10.0.1.5.62110         10.0.1.5.25            ESTABLISHED

# sockstat -4 -p 25
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   16594 1  tcp4   10.0.1.5:25           10.0.1.5:62110
root     sendmail   16594 4  tcp4   10.0.1.5:25           10.0.1.5:62110
root     sendmail   16594 7  tcp4   10.0.1.5:25           10.0.1.5:62110
root     telnet     16593 3  tcp4   10.0.1.5:62110        10.0.1.5:25

Why the jailhost is suddenly using the jail's IP address is beyond me.
Re: Jails and IP Aliasing
Hello,

On 2008.07.07 09:51:33, David Allen wrote:
> Unless I'm losing my mind, I'm encountering what seems to be yet another
> gotcha with jails. The following has been dumbed down for clarity and
> brevity.
>
> -
> # hostname
> jailhost.example.org
>
> # host jailhost
> jailhost.example.org has address 10.0.1.2
>
> # ifconfig fxp0
> fxp0: flags=8843 metric 0 mtu 1500
>         options=b
>         ether 00:07:e9:c8:2e:32
>         inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
>         inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
>         inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
>         media: Ethernet autoselect (100baseTX )
>         status: active

This is the output for my jail interface. Notice that your jail aliases are
broadcasting on the jail's IP. I don't know if this is an issue or not (my
jails run on i386 FBSD 6.3), but it's something to look at. How are you
setting the aliases?

sk0: flags=8843 mtu 1500
        options=b
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.101 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (1000baseTX )
        status: active

Cheers,
~Jason
Jails and IP Aliasing
Unless I'm losing my mind, I'm encountering what seems to be yet another
gotcha with jails. The following has been dumbed down for clarity and
brevity.

-
# hostname
jailhost.example.org

# host jailhost
jailhost.example.org has address 10.0.1.2

# ifconfig fxp0
fxp0: flags=8843 metric 0 mtu 1500
        options=b
        ether 00:07:e9:c8:2e:32
        inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
        inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
        inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
        media: Ethernet autoselect (100baseTX )
        status: active

# grep jail /etc/rc.conf
...
jail_ns_hostname="ns.example.org"
jail_ns_ip="10.0.1.3"
...
jail_mail_hostname="mail.example.org"
jail_mail_ip="10.0.1.4"

# sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   11556 4  tcp4   10.0.1.4:25           *:*
root     syslogd    10591 6  udp4   10.0.1.4:514          *:*
root     sendmail   10438 4  tcp4   10.0.1.3:25           *:*
bind     named      4011  20 udp4   10.0.1.3:53           *:*
bind     named      4011  21 tcp4   10.0.1.3:53           *:*
bind     named      4011  22 tcp4   10.0.1.3:953          *:*
root     syslogd    897   6  udp4   10.0.1.3:514          *:*
root     sshd       715   3  tcp4   10.0.1.2:22           *:*
root     syslogd    563   6  udp4   127.0.0.1:514         *:*
root     sendmail   489   4  tcp4   127.0.0.1:25          *:*
-

If I telnet from the jailhost to mail.example.org 25, for example, both
outgoing and incoming connections appear to sockstat, tcpdump, etc. on the
jailhost as using the jail's IP address! Similarly, if I perform a DNS
lookup on the jailhost (using the ns.example.org jail for resolution), both
incoming and outgoing connections occur on the jail's IP address.

Granted, everything is really happening over the loopback address, but a
connection originating from the jailhost to a jail should appear to be
using the jailhost's IP address, or so I'd like to think. If it doesn't,
then the scenario is awkward at best when trying to understand or debug
issues.

The thought occurred to me, however, that I could add a new network card
and reserve that for the IP aliases needed by the jails. But I'm not sure
whether that will work in telling me who's who, or whether I'll discover
another gotcha. ;-)

Comments, questions and complaints all welcomed.