Issues with Jails/Routes/FIBs

2010-11-25 Thread Kevin Mai
Hi folks! 

I'm facing an issue here while trying to define separate routing tables for 
each jail and host. 

Let me show you briefly how it's done: 

The server has 3 physical NICs, each one connected to a different network (say, 
public network A, public network B, and LAN). 

Currently, the default gateway is set to be the LAN gateway, even though the 
two jails can see their own public network subnet. 

Internet: 
Destination Gateway Flags Refs Use Netif Expire 
default 172.16.2.1 UGS 1 3935 bce2 
127.0.0.1 link#5 UH 0 0 lo0 
172.16.2.0/24 link#3 U 0 0 bce2 
172.16.2.127 link#3 UHS 0 0 lo0 
100.16.97.0/24 link#1 U 0 0 bce0 
100.16.97.5 link#1 UHS 0 0 lo0 
100.16.98.0/24 link#2 U 0 0 bce1 
100.16.98.5 link#2 UHS 0 0 lo0 

100.16.97.0/24 and 100.16.98.0/24 are the two public networks and 172.16.2.0/24 
is the LAN. 

I have already tried removing devfs rules from the jails, setting securelevel 
to -1 but I'm still out of luck.. 

I know setfib can define alternate routing tables, and I even created a default 
gateway for two fibs, 1 & 2: 

[r...@mrefns09 ~]# setfib 2 netstat -rn 
Routing tables 

Internet: 
Destination Gateway Flags Refs Use Netif Expire 
default 100.16.98.100 UGS 14 906 bce1 
127.0.0.1 link#5 UH 0 0 lo0 
172.16.2.0/24 link#3 U 0 0 bce2 
100.16.97.0/24 link#1 U 0 39 bce0 
100.16.98.0/24 link#2 U 0 0 bce1 

[r...@mrefns09 ~]# setfib 1 netstat -rn 
Routing tables 

Internet: 
Destination Gateway Flags Refs Use Netif Expire 
default 100.16.97.100 UGS 0 1758 bce0 
127.0.0.1 link#5 UH 0 0 lo0 
172.16.2.0/24 link#3 U 0 0 bce2 
100.16.97.0/24 link#1 U 0 44 bce0 
100.16.98.0/24 link#2 U 0 4 bce1 

And I've added the proper settings in rc.conf.. 

jail_athea97_ip="100.16.97.5 netmask 255.255.255.0" 
jail_athea97_fib=1 


jail_athea98_ip="100.16.98.5 netmask 255.255.255.0" 
jail_athea98_fib=2 

Am I missing something? because once I get into the jail the routing table is 
the same: 

[r...@athea97 /]# netstat -rn 
Routing tables 

Internet: 
Destination Gateway Flags Refs Use Netif Expire 
default 172.16.2.1 UGS 13 6175 bce2 
127.0.0.1 link#5 UH 0 0 lo0 
172.16.2.0/24 link#3 U 0 0 bce2 
172.16.2.127 link#3 UHS 0 0 lo0 
100.16.97.0/24 link#1 U 0 0 bce0 
100.16.97.5 link#1 UHS 0 0 lo0 
100.16.98.0/24 link#2 U 0 0 bce1 
100.16.98.5 link#2 UHS 0 0 lo0 

[r...@athea97 /]# setfib 1 netstat -rn 
Routing tables 

Internet: 
Destination Gateway Flags Refs Use Netif Expire 
default 100.16.97.100 UGS 15 1814 bce0 
127.0.0.1 link#5 UH 0 0 lo0 
172.16.2.0/24 link#3 U 0 0 bce2 
100.16.97.0/24 link#1 U 0 44 bce0 
100.16.98.0/24 link#2 U 0 4 bce1 

The other jail is acting the same way. I know that since I'm doing a jexec, the 
shell will have the host's route because, but, how can I know if it's getting 
the alternate routing table? 

Thanks, 

Kevin 

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Re: Issues with Jails/Routes/FIBs

2010-11-25 Thread Brandon Gooch
On Nov 25, 2010, at 1:38 PM, Kevin Mai wrote:

> Hi folks! 
> 
> I'm facing an issue here while trying to define separate routing tables for 
> each jail and host. 
> 
> Let me show you briefly how it's done: 
> 
> The server has 3 physical NICs, each one connected to a different network 
> (say, public network A, public network B, and LAN). 
> 
> Currently, the default gateway is set to be the LAN gateway, even though the 
> two jails can see their own public network subnet. 
> 
> Internet: 
> Destination Gateway Flags Refs Use Netif Expire 
> default 172.16.2.1 UGS 1 3935 bce2 
> 127.0.0.1 link#5 UH 0 0 lo0 
> 172.16.2.0/24 link#3 U 0 0 bce2 
> 172.16.2.127 link#3 UHS 0 0 lo0 
> 100.16.97.0/24 link#1 U 0 0 bce0 
> 100.16.97.5 link#1 UHS 0 0 lo0 
> 100.16.98.0/24 link#2 U 0 0 bce1 
> 100.16.98.5 link#2 UHS 0 0 lo0 
> 
> 100.16.97.0/24 and 100.16.98.0/24 are the two public networks and 
> 172.16.2.0/24 is the LAN. 
> 
> I have already tried removing devfs rules from the jails, setting securelevel 
> to -1 but I'm still out of luck.. 
> 
> I know setfib can define alternate routing tables, and I even created a 
> default gateway for two fibs, 1 & 2: 
> 
> [r...@mrefns09 ~]# setfib 2 netstat -rn 
> Routing tables 
> 
> Internet: 
> Destination Gateway Flags Refs Use Netif Expire 
> default 100.16.98.100 UGS 14 906 bce1 
> 127.0.0.1 link#5 UH 0 0 lo0 
> 172.16.2.0/24 link#3 U 0 0 bce2 
> 100.16.97.0/24 link#1 U 0 39 bce0 
> 100.16.98.0/24 link#2 U 0 0 bce1 
> 
> [r...@mrefns09 ~]# setfib 1 netstat -rn 
> Routing tables 
> 
> Internet: 
> Destination Gateway Flags Refs Use Netif Expire 
> default 100.16.97.100 UGS 0 1758 bce0 
> 127.0.0.1 link#5 UH 0 0 lo0 
> 172.16.2.0/24 link#3 U 0 0 bce2 
> 100.16.97.0/24 link#1 U 0 44 bce0 
> 100.16.98.0/24 link#2 U 0 4 bce1 
> 
> And I've added the proper settings in rc.conf.. 
> 
> jail_athea97_ip="100.16.97.5 netmask 255.255.255.0" 
> jail_athea97_fib=1 
> 
> 
> jail_athea98_ip="100.16.98.5 netmask 255.255.255.0" 
> jail_athea98_fib=2 
> 
> Am I missing something? because once I get into the jail the routing table is 
> the same: 
> 
> [r...@athea97 /]# netstat -rn 
> Routing tables 
> 
> Internet: 
> Destination Gateway Flags Refs Use Netif Expire 
> default 172.16.2.1 UGS 13 6175 bce2 
> 127.0.0.1 link#5 UH 0 0 lo0 
> 172.16.2.0/24 link#3 U 0 0 bce2 
> 172.16.2.127 link#3 UHS 0 0 lo0 
> 100.16.97.0/24 link#1 U 0 0 bce0 
> 100.16.97.5 link#1 UHS 0 0 lo0 
> 100.16.98.0/24 link#2 U 0 0 bce1 
> 100.16.98.5 link#2 UHS 0 0 lo0 
> 
> [r...@athea97 /]# setfib 1 netstat -rn 
> Routing tables 
> 
> Internet: 
> Destination Gateway Flags Refs Use Netif Expire 
> default 100.16.97.100 UGS 15 1814 bce0 
> 127.0.0.1 link#5 UH 0 0 lo0 
> 172.16.2.0/24 link#3 U 0 0 bce2 
> 100.16.97.0/24 link#1 U 0 44 bce0 
> 100.16.98.0/24 link#2 U 0 4 bce1 
> 
> The other jail is acting the same way. I know that since I'm doing a jexec, 
> the shell will have the host's route because, but, how can I know if it's 
> getting the alternate routing table? 
> 
> Thanks, 
> 
> Kevin

Try ssh'ing into one of the jails from the public side. The jail should honor 
the FIB configuration from that perspective. Are things behaving as you expect 
in the jail at that point?

As you've figured out, when jexec'ing into the jail from the host machine, you 
inherit the FIB of your current shell.

I think this is due to the design of FreeBSD's multiple routing tables -- and not 
a bug :)

-Brandon
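Added example, not part of either post: a small sh/awk check that reads one FIB's `netstat -rn` table and reports whether its default route leaves through the jail's own subnet. The function names and the trimmed sample tables are constructed for illustration, using addresses quoted in the thread.

```sh
#!/bin/sh
# Print the default gateway found in `netstat -rn` text read from stdin.
default_gw() {
    awk '$1 == "default" { print $2; exit }'
}

# same_subnet ADDR1 ADDR2 NETMASK: succeed when both addresses are in the
# same network. Compared octet by octet; assumes a contiguous netmask.
same_subnet() {
    awk -v a="$1" -v b="$2" -v m="$3" 'BEGIN {
        split(a, A, "."); split(b, B, "."); split(m, M, ".")
        for (i = 1; i <= 4; i++) {
            block = 256 - M[i]      # addresses per network within this octet
            if (int(A[i] / block) != int(B[i] / block)) exit 1
        }
        exit 0
    }'
}

# check_fib JAIL_IP NETMASK: read one FIB's routing table on stdin and print
# "ok <gw>" when the default gateway is on the jail's subnet, else "mismatch <gw>".
check_fib() {
    gw=$(default_gw)
    if [ -z "$gw" ]; then echo "no-default"; return 1; fi
    if same_subnet "$1" "$gw" "$2"; then
        echo "ok $gw"
    else
        echo "mismatch $gw"; return 1
    fi
}

# Constructed samples, trimmed from the tables quoted in the thread.
FIB0='Destination Gateway Flags Refs Use Netif Expire
default 172.16.2.1 UGS 1 3935 bce2
100.16.97.0/24 link#1 U 0 0 bce0'
FIB1='Destination Gateway Flags Refs Use Netif Expire
default 100.16.97.100 UGS 0 1758 bce0
100.16.97.0/24 link#1 U 0 44 bce0'

# Jail athea97 (100.16.97.5/24) checked against fib 1, then against fib 0.
printf '%s\n' "$FIB1" | check_fib 100.16.97.5 255.255.255.0
printf '%s\n' "$FIB0" | check_fib 100.16.97.5 255.255.255.0 || true
```

On the FreeBSD host the input would come from the live table, for example `setfib 1 netstat -rn | check_fib 100.16.97.5 255.255.255.0`. To see which FIB a given shell or jailed process is actually running under, `sysctl net.my_fibnum` reports the caller's FIB number.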


two issues with cdfs

2010-11-25 Thread Alexander Best
hi there,

i've tripped over two issues with the cdfs:

1) take a > 4 GB example.file
2) do `mkisofs -iso-level 4 -input-charset ISO-8859-15 -V "Test 1" -o new.iso 
example.file`
3) mdconfig -a -t vnode -f new.iso
4) mount -t cd9660 /dev/mdX /some/place

the resulting file size is only 3115015779 bytes, although it should be
7409981027 bytes (in my case).

the second issue:

1) take a > 4 GB file
2) do `mkisofs -iso-level 4 -J -r -input-charset ISO-8859-15 -V "Test 2" -o 
new.iso example.file`
3) mdconfig -a -t vnode -f new.iso
4) mount -t cd9660 /dev/mdX /some/place

there are 2 files with the same inode. the file size is 4294965248 bytes,
although it should be 7409981027 bytes (in my case).

cheers.
alex

ps: i'm running HEAD (r215432; amd64).

-- 
a13x


[CFR] a small change of ifconfig(8)

2010-11-25 Thread Weongyo Jeong
Hello all,

I'm sending this email to check whether my approach is reasonable: I
added 2 lines to ifconfig(8) to skip IFT_USB interfaces, as follows:

+   if (sdl != NULL && sdl->sdl_type == IFT_USB)
+   continue;

And additionally I added two changes to USB pf to call if_up(ifp) /
if_down(ifp) explicitly to bring usbus interfaces UP, though normally it
should always be called through user ioctl calls.

The reason why I made this patch is that I encountered a side-effect in the
output from ifconfig(8) after the USB packet filter was committed.  Yes, usbus
interfaces are printed.

Please give me some hints whether the patch is reasonable.  If it's
reasonable, are there other tools for which I should make patches?

regards,
Weongyo Jeong

Index: sbin/ifconfig/ifconfig.c
===
--- sbin/ifconfig/ifconfig.c	(revision 215648)
+++ sbin/ifconfig/ifconfig.c	(working copy)
@@ -295,6 +295,8 @@
 			sdl = (const struct sockaddr_dl *) ifa->ifa_addr;
 		else
 			sdl = NULL;
+		if (sdl != NULL && sdl->sdl_type == IFT_USB)
+			continue;
 		if (cp != NULL && strcmp(cp, ifa->ifa_name) == 0 && !namesonly)
 			continue;
 		iflen = strlcpy(name, ifa->ifa_name, sizeof(name));
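Review bot: the new IFT_USB test in the interface loop is unconditional and sits ahead of the name comparison and the namesonly handling, so every usbus interface is dropped from anything this loop produces and there is no way to ask for one. Consider making the skip apply only to the default listing, add a comment above the test saying why USB bus interfaces are hidden, and note the behaviour in ifconfig(8).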
Index: sys/dev/usb/usb_pf.c
===
--- sys/dev/usb/usb_pf.c	(revision 215812)
+++ sys/dev/usb/usb_pf.c	(working copy)
@@ -65,6 +65,7 @@
 	ifp = ubus->ifp = if_alloc(IFT_USB);
 	if_initname(ifp, "usbus", device_get_unit(ubus->bdev));
 	if_attach(ifp);
+	if_up(ifp);
 
 	KASSERT(sizeof(struct usbpf_pkthdr) == USBPF_HDR_LEN,
 	("wrong USB pf header length (%zd)", sizeof(struct usbpf_pkthdr)));
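Review bot: the added if_up(ifp) is one more use of the pointer returned by if_alloc(IFT_USB) without a NULL check, while the detach path in this same file guards with "if (ifp != NULL)". Check the if_alloc() result before if_initname(), if_attach() and if_up(), and add a comment explaining why the kernel marks the interface up itself here rather than leaving it to the usual ioctl path.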
@@ -86,6 +87,7 @@
 
 	if (ifp != NULL) {
 		bpfdetach(ifp);
+		if_down(ifp);
 		if_detach(ifp);
 		if_free(ifp);
 	}
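Review bot: the if_down(ifp) placed between bpfdetach(ifp) and if_detach(ifp) needs a comment saying what it is for, since the visible lines show nothing that depends on the interface being marked down just before it is detached and freed. If it is only there to mirror the if_up() added in the attach path, say so, or drop it.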