HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE

Stefan Lambrev stefan.lambrev at moneybookers.com
Thu May 7 21:53:11 UTC 2009


Hi,

Sorry for late reply.

On May 1, 2009, at 2:58 AM, Bjoern A. Zeeb wrote:

> On Thu, 30 Apr 2009, Stefan Lambrev wrote:
>
>> Hi,
>>
>> On Apr 22, 2009, at 11:25 PM, Miroslav Lachman wrote:
>>
>>> Stefan Lambrev wrote:
>>>> Hi,
>>>> Does this allow multiple network interfaces to be used by a  
>>>> single  jail instance?
>>> Yes, I am using it.
>> - cut -
>>
>> Basically it works, but I found another problem.
>> I have created jails on two servers with 2 IPs on different
>> interfaces.
>> First IP is on "external" interface and second IP is on internal  
>> interface.
>> As expected, if I send packets from the host (outside the jail) their
>> source address matches the IP of the interface (from which they are
>> leaving the machine),
>> but if I send packets from the jail they always go out with a source
>> address equal to the first IP of the jail, even when they are going
>> out through the second interface.
>>
>> I do not know if this matters, but in my case the internal interface
>> has a few vlans and the IP is set on the vlan, not directly on the
>> interface.
>>
>> Here is some output from the jail which can be useful:
>>
>> igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0  
>> mtu 1500
>> 	options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
>> 	ether 00:30:48:9c:3a:0a
>> 	inet 192.168.3.100 netmask 0xffffffff broadcast 192.168.3.100
>> 	media: Ethernet autoselect (100baseTX <full-duplex>)
>> 	status: active
>>
>> igb1.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0  
>> mtu 1500
>> 	options=3<RXCSUM,TXCSUM>
>> 	ether 00:30:48:9c:3a:0b
>> 	inet 10.35.1.1 netmask 0xffffff00 broadcast 10.35.1.255
>> 	media: Ethernet autoselect (1000baseTX <full-duplex>)
>> 	status: active
>> 	vlan: 2 parent interface: igb1
>>
>> And here is the tcpdump from igb1.2 when trying to ping 10.35.1.2  
>> from inside jail:
>>
>> 17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id  
>> 28421, seq 0, length 64
>> 17:20:05.110321 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id  
>> 28421, seq 1, length 64
>>
>> Any idea how this can be fixed?
>>
>> P.S. I know I can rewrite outgoing packets with the firewall, but it's
>> not performance-wise,
>> and I expect a lot of UDP multicast through igb1.2, that's why this
>> doesn't look like a proper solution for me.
>
>
> 1) you turned on a non-default feature permitting raw-ip-sockets from
>   inside jails. You lost supp^Wpredictability. Well not really but
>   this is just the beware-of reminder.

Unfortunately this is the only way to get multicast working in jail.

> 2) you are using 1) with ping to test source address selection which
>   will not work well. There is more magic involved.  Does it work
>   properly and as requested with ping -S <src-ip-you-want> <dst>?

The only difference when using -S is that the "sender" does not recognize replies.

> 3) turn off 1) and/or use telnet, ssh, or nc to test outgoing  
> connections
>   in each direction. Does source address selection work here as
>   expected?

telnet works as expected even when raw-ip-sockets are enabled.

> 4) jails do not support MC. You'll have to wait for full-blown network
>   stack virtualization.

Is this planned to be part of 8.0 or ..? :)

>
>
>
> -- 
> Bjoern A. Zeeb                      The greatest risk is not taking  
> one.

--
Best Wishes,
Stefan Lambrev
ICQ# 24134177
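The check suggested in point 3 (does source address selection behave for ordinary, non-raw sockets?) can be scripted instead of run by hand with telnet or nc. The following is an added example, not code from the thread: a connect() on a UDP socket sends no packet but makes the kernel pick the route and source address, which getsockname() then reveals. The destination and expected-source pairs in the demo are constructed from the ifconfig output quoted above and are assumptions, not measurements.

```python
import socket


def chosen_source(dst, port=9, bind_src=None):
    """Return the source IPv4 address the kernel selects to reach dst.

    connect() on a UDP socket transmits nothing; it only binds the
    socket to a route and a local address.  bind_src mimics ping -S:
    force a specific local address and see whether the kernel accepts it.
    Returns None when no route exists (e.g. the jail cannot reach dst).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_src is not None:
            s.bind((bind_src, 0))
        s.connect((dst, port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


def check_source_selection(expectations, bind_src=None):
    """expectations maps destination -> expected source address.

    Returns a list of (dst, expected, actual, ok) tuples so the result
    can be inspected or asserted on rather than only printed.
    """
    results = []
    for dst, expected in expectations.items():
        actual = chosen_source(dst, bind_src=bind_src)
        results.append((dst, expected, actual, actual == expected))
    return results


if __name__ == "__main__":
    # Constructed expectations for the jail in the thread (assumption):
    # traffic toward the vlan subnet should leave from the igb1.2 address,
    # traffic toward the external side from the igb0 address.
    demo = {"10.35.1.2": "10.35.1.1", "192.168.3.1": "192.168.3.100"}
    for dst, expected, actual, ok in check_source_selection(demo):
        print(f"{dst:>14} expected {expected:<14} got {actual!s:<14} "
              f"{'ok' if ok else 'MISMATCH'}")
```

Run it inside the jail and compare with the same run on the host; a MISMATCH line on the vlan destination reproduces the symptom from the tcpdump above without needing raw sockets.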