HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE

Stefan Lambrev stefan.lambrev at moneybookers.com
Thu Apr 30 17:31:33 UTC 2009


Hi,

On Apr 22, 2009, at 11:25 PM, Miroslav Lachman wrote:

> Stefan Lambrev wrote:
>> Hi,
>> Does this allow multiple network interfaces to be used by a single jail instance?
>
> Yes, I am using it.
>
- cut -

Basically it works, but I found another problem.
I have created jails on two servers with 2 IPs on different interfaces.
The first IP is on the "external" interface and the second IP is on the internal interface.
As expected, if I send packets from the host (outside the jail), their source address matches the IP of the interface from which they are leaving the machine,
but if I send packets from the jail, they always go out with a source address equal to the first IP of the jail, even when they are going out
through the second interface.

I do not know if this matters, but in my case the internal interface has a few VLANs and the IP is set on the VLAN, not directly on the interface.

Here is some output from the jail which can be useful:

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
	ether 00:30:48:9c:3a:0a
	inet 192.168.3.100 netmask 0xffffffff broadcast 192.168.3.100
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active

igb1.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:30:48:9c:3a:0b
	inet 10.35.1.1 netmask 0xffffff00 broadcast 10.35.1.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
	vlan: 2 parent interface: igb1

And here is the tcpdump from igb1.2 when trying to ping 10.35.1.2 from inside the jail:

17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 0, length 64
17:20:05.110321 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 1, length 64

Any idea how this can be fixed?

P.S. I know I can rewrite outgoing packets with a firewall, but it's not performance-wise,
and I expect a lot of UDP multicast through igb1.2; that's why this doesn't look like a proper solution for me.

--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
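
Added example, not part of the original message: a check that reproduces the diagnosis above by parsing the ifconfig output and flagging packets captured on an interface whose source address is configured on a different local interface. The function names are hypothetical and the sample input is constructed from the output quoted in the message.

```python
import ipaddress
import re

# Constructed sample input: abridged from the ifconfig and tcpdump output in the message.
IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.3.100 netmask 0xffffffff broadcast 192.168.3.100
igb1.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.35.1.1 netmask 0xffffff00 broadcast 10.35.1.255
"""
TCPDUMP = """\
17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 0, length 64
17:20:05.110321 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 1, length 64
"""

def parse_ifconfig(text):
    """Map interface name -> list of IPv4Interface (address plus netmask)."""
    ifaces, current = {}, None
    for line in text.splitlines():
        head = re.match(r"(\S+): flags=", line)
        if head:
            current = head.group(1)
            ifaces[current] = []
            continue
        inet = re.match(r"\s+inet (\S+) netmask 0x([0-9a-f]{8})", line)
        if inet and current:
            mask = ipaddress.IPv4Address(int(inet.group(2), 16))
            ifaces[current].append(ipaddress.IPv4Interface(f"{inet.group(1)}/{mask}"))
    return ifaces

def mismatched_sources(tcpdump_text, capture_iface, ifaces):
    """Return (timestamp, source, owning interface) for outbound packets seen on
    capture_iface whose source IP is configured on a different local interface."""
    local = {i.ip for i in ifaces[capture_iface]}
    owner = {i.ip: name for name, addrs in ifaces.items() for i in addrs}
    findings = []
    for line in tcpdump_text.splitlines():
        m = re.match(r"(\S+) IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > ", line)
        if not m:
            continue
        src = ipaddress.IPv4Address(m.group(2))
        # Skip inbound traffic (source not ours) and correctly sourced packets.
        if src in owner and src not in local:
            findings.append((m.group(1), str(src), owner[src]))
    return findings

if __name__ == "__main__":
    for ts, src, iface in mismatched_sources(TCPDUMP, "igb1.2", parse_ifconfig(IFCONFIG)):
        print(f"{ts} igb1.2: source {src} belongs to {iface}")
```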






