Jails routing and localhost

Ole ole at free.de
Thu Jan 18 12:28:51 UTC 2018 

Hi,

I have some questions about how routing works for jails. 

I have a FreeBSD 11.1 host in a datacenter. Which has only a routed IP
and different /29 routed networks. The IP is setup as /32 and there is a
default route to the router of the datacenter:


  #ifconfig em1
    (...)
    inet a.a.a.57 netmask 0xffffffff broadcast a.a.a.57
    (...)


  # netstat -rn
    (...)
    Destination        Gateway            Flags     Netif Expire
    default            a.a.a.1            UGS         em1
    (...)


If I create jails like

  # ezjail-admin create somejail 'lo1|b.b.b.238,lo1|127.b.b.238'

everything is fine until some service in the jail tries to bind to
127.0.0.1. Because it will bind to the public IP b.b.b.238.
The Handbook [1] tells 

  "Inside a jail, access to the loopback address 127.0.0.1 is
  redirected to the first IP address assigned to the jail."

If I change the order of the IP-Adresses the service will bind to
127.b.b.238. But inside the Jail Networking fails in a way that I can't
debug. I can conntect from the outside via ssh but I can't connect from
the Jail to an external Server. I can't find any differences in
routing table or ifconfig between both setups.


I also tried to use tap interfaces instead of lo, but it results in the
same. 

I wonder how others solve this problem. I searched a lot, but couldn't
find a solution. Maybe you don't have a solution, but can give me a
hint to debug the Problem. Thank you!


regards
Ole

[1] https://www.freebsd.org/doc/handbook/jails-ezjail.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: Digitale Signatur von OpenPGP
URL: <http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20180118/b9e73bdc/attachment.sig>

More information about the freebsd-jail mailing list