kern/126493: Established connections from other IP's appear in jail's netstat output
Vedad KAJTAZ
vedad at kajtaz.net
Wed Aug 13 14:10:04 UTC 2008
The following reply was made to PR kern/126493; it has been noted by GNATS.
From: Vedad KAJTAZ <vedad at kajtaz.net>
To: "Bjoern A. Zeeb" <bz at FreeBSD.org>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: kern/126493: Established connections from other IP's appear in jail's netstat output
Date: Wed, 13 Aug 2008 15:46:18 +0200
Bjoern A. Zeeb wrote:
> On Wed, 13 Aug 2008, Vedad KAJTAZ wrote:
>
>>> Description:
>> A jail running with IP1 can sometimes see established connections
>> between IP2 (used by another jail) and a remote host, in its netstat
>> output.
>>
>> In my case:
>>
>> wendy.osilex.net is a jail that was assigned IP 87.98.200.163
>> ike.osilex.net is a jail that was assigned IP 87.98.200.164
>>
>> [root at ike /]$ netstat -n
>> netstat: kvm not available: /dev/mem: No such file or directory
>> Active Internet connections
>> Proto Recv-Q Send-Q Local Address Foreign Address (state)
>> tcp4 0 0 87.98.200.163.25 85.237.44.155.4245 SYN_RCVD
>
> Are you sure you are not inside wendy running your test?
>
Hi,
Yes, I'm totally sure. That is why I also pasted the shell prompt line
into the report.
Here is another example:
[root at ike vhosts]$ netstat -n -a
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 87.98.200.163.110 213.41.184.164.21138 SYN_RCVD
tcp4 0 0 87.98.200.164.443 *.* LISTEN
tcp4 0 0 87.98.200.164.80 *.* LISTEN
tcp4 0 0 87.98.200.164.21 *.* LISTEN
Above you can see both IPs in a single netstat output.
And yes, ike (.164) is a jail:
[root at ike vhosts]$ sysctl -a | grep jailed
security.jail.jailed: 1
Btw, after doing a lot of netstats on "ike", it appears that connections
from other IPs become visible only when they're *not* in
ESTABLISHED/LISTEN state (wendy, .163, is an SMTP/IMAP server; it
averages 2+ connections per second).
Also note that there was some kind of leak that made killing "wendy"
jail impossible some time ago, therefore wendy now appears twice in
"jls" output on the host (kenny) system. It might be somehow related:
[root at kenny ~]$ jls
JID IP Address Hostname Path
31 87.98.200.164 ike.osilex.net /usr/local/jails/ike
25 87.98.200.163 wendy.osilex.net /usr/local/jails/wendy
22 87.98.200.163 wendy.osilex.net /usr/local/jails/wendy
(3 other jails snipped)
Hope this helps,
Best regards,
--
Vedad KAJTAZ
IT systems consulting
vedad at kajtaz.net
http://vedad.kajtaz.net/
8 Av. du Président Roosevelt
94120 Fontenay-sous-bois, FRANCE
GSM: +33 6 74 89 32 12
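A small isolation check for the symptom reported above, added here as an example (it is not part of the PR or of FreeBSD): it parses `netstat -n -a` output as seen inside a jail and flags rows whose local address is not one of the jail's own IPs. The sample output is constructed to mirror the report; the function names are the example's own.

```python
# Constructed sample of `netstat -n -a` as seen inside the jail "ike"
# (87.98.200.164); one row carries wendy's IP (.163), as in the report.
SAMPLE_NETSTAT = """\
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 87.98.200.163.110 213.41.184.164.21138 SYN_RCVD
tcp4 0 0 87.98.200.164.443 *.* LISTEN
tcp4 0 0 87.98.200.164.80 *.* LISTEN
tcp4 0 0 87.98.200.164.21 *.* LISTEN
"""


def split_bsd_sockaddr(field):
    """BSD netstat prints 'addr.port'; the port follows the LAST dot.
    '87.98.200.163.110' -> ('87.98.200.163', '110'); '*.*' -> ('*', '*')."""
    addr, _, port = field.rpartition(".")
    return addr, port


def parse_netstat(output):
    """Return one dict per socket row, skipping the kvm warning,
    the banner and the column header."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, recvq, sendq, local, foreign = parts[:5]
        state = parts[5] if len(parts) > 5 else ""  # udp rows have no state
        laddr, lport = split_bsd_sockaddr(local)
        faddr, fport = split_bsd_sockaddr(foreign)
        rows.append({"proto": proto, "laddr": laddr, "lport": lport,
                     "faddr": faddr, "fport": fport, "state": state})
    return rows


def foreign_entries(output, jail_ips):
    """Rows whose local address belongs to neither this jail nor the
    wildcard '*': inside a correctly isolated jail this list is empty."""
    allowed = set(jail_ips) | {"*"}
    return [r for r in parse_netstat(output) if r["laddr"] not in allowed]


if __name__ == "__main__":
    for row in foreign_entries(SAMPLE_NETSTAT, ["87.98.200.164"]):
        print("leaked: %(laddr)s.%(lport)s <- %(faddr)s.%(fport)s %(state)s" % row)
```

Run it inside the jail against live `netstat -n -a` output (piped in place of the sample) and compare the flagged rows' states against the ESTABLISHED/LISTEN observation above.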