setfib (ez)jails and wierd routing

Andrew Hotlab andrew.hotlab at hotmail.com
Tue Oct 24 17:07:47 UTC 2017


________________________________________
From: Marko Cupać <marko.cupac at mimar.rs>
Sent: Monday, October 23, 2017 1:58 PM
To: Andrew Hotlab
Cc: freebsd-jail at freebsd.org
Subject: Re: setfib (ez)jails and wierd routing

> On Tue, 17 Oct 2017 15:17:16 +0000
> Andrew Hotlab <andrew.hotlab at hotmail.com> wrote:
> 
> > root@BSD11:~ # cat /etc/jail.conf
> > exec.start = "/bin/sh /etc/rc";
> > exec.stop = "/bin/sh /etc/rc.shutdown";
> > exec.clean;
> > mount.devfs;
> > jtest01 {
> >   host.hostname = "jtest01.test.lab";
> >   path = /usr/jails/jtest01;
> >   ip4.addr = "em0|172.21.10.101/32";
> >   persist;
> >   allow.raw_sockets;
> >   exec.fib = "1";
> > }
> 
> Andrew,
> 
> do you have the ability to remove the allow.raw_sockets line from the
> jtest01 jail and try to ping it while tcpdumping icmp on em1? You should
> see reply packets leaving em1.
> 

So sorry: I didn't notice that my own transcript showed exactly the
behaviour you are describing... in fact you can see "echo request"
packets, but no "echo reply" on the em0 interface!!

And I can confirm that the problem does not happen in the same
topology with a FreeBSD 10.3 host.

At this point I guess that all responses to ICMP requests received on
IP addresses assigned to jails linked to a specific FIB on FreeBSD 11.x
are not influenced by the FIB, while in FreeBSD 10.x they are.

(No problem with ICMP traffic generated from the jail itself: I saw packets
leaving and coming back through the right interface).

Unfortunately I don't have the competence to point you in the right direction
to solve it, but I think it is a jail-related issue, thus this should be the
right mailing list to discuss this.

I'll come back if I'm able to understand something more.


Andrew

