Jails and IP Aliasing
David Allen
the.real.david.allen at gmail.com
Mon Jul 7 16:51:36 UTC 2008
Unless I'm losing my mind, I'm encountering what seems to be yet another
gotcha with jails. The following has been dumbed down for clarity and
brevity.
---------------------------------------------------------------------
# hostname
jailhost.example.org
# host jailhost
jailhost.example.org has address 10.0.1.2
# ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
ether 00:07:e9:c8:2e:32
inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
# grep jail /etc/rc.conf
...
jail_ns_hostname="ns.example.org"
jail_ns_ip="10.0.1.3"
...
jail_mail_hostname="mail.example.org"
jail_mail_ip="10.0.1.4"
# sockstat -4l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sendmail 11556 4 tcp4 10.0.1.4:25 *:*
root syslogd 10591 6 udp4 10.0.1.4:514 *:*
root sendmail 10438 4 tcp4 10.0.1.3:25 *:*
bind named 4011 20 udp4 10.0.1.3:53 *:*
bind named 4011 21 tcp4 10.0.1.3:53 *:*
bind named 4011 22 tcp4 10.0.1.3:953 *:*
root syslogd 897 6 udp4 10.0.1.3:514 *:*
root sshd 715 3 tcp4 10.0.1.2:22 *:*
root syslogd 563 6 udp4 127.0.0.1:514 *:*
root sendmail 489 4 tcp4 127.0.0.1:25 *:*
---------------------------------------------------------------------
If I telnet from the jailhost to mail.example.org 25, for example, both
outgoing and incoming connections appear to sockstat, tcpdump, etc. on the
jailhost as using the jail's IP address! Similarly, if I perform a DNS
lookup on the jailhost (using the ns.example.org jail for resolution),
both incoming and outgoing connections occur on the jail's IP address.
Granted, everything is really happening over the loopback address, but a
connection originating from the jailhost to a jail should appear to be
using the jailhost's IP address, or so I'd like to think. If it doesn't,
then the scenario is awkward at best when trying to understand or debug
issues.
The thought occurred to me, however, that I could add a new network card
and reserve that for the IP aliases needed by the jails. But I'm not sure
whether that will work in telling me who's who, or whether I'll discover
another gotcha. ;-)
Comments, questions and complaints all welcomed.
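What the poster sees is the kernel's source-address selection at work: when a socket is connected without an explicit bind(), the source address is taken from the route to the destination, and on FreeBSD the route to an address the host itself owns (including a jail's alias) is a loopback host route carrying that same address, so both ends of a jailhost-to-jail connection end up showing the jail's IP. The script below is an added example, not part of the original post or of FreeBSD: it asks the kernel which source it would pick for a destination (a UDP connect() does the lookup without sending a packet), then shows the fix a practitioner wants when debugging this, namely binding explicitly to the jailhost's own address before connecting. It runs on loopback so it works anywhere; the 10.0.1.x addresses in the comments are the ones from the post and are only illustrative.

```python
import socket


def kernel_source_for(dst_ip, dst_port=25):
    """Return the local address the kernel would use to reach dst_ip.

    connect() on a UDP socket sends nothing; it only performs the route
    lookup and source-address selection, i.e. the decision that produced
    the "jail IP on both ends" the poster saw in sockstat and tcpdump.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dst_ip, dst_port))
        return s.getsockname()[0]
    finally:
        s.close()


def source_with_bind(dst_ip, src_ip, dst_port=25):
    """Same lookup, but bind() to src_ip first so the kernel must use it.

    Port 0 lets the kernel choose the ephemeral port; only the address is
    pinned. This is the programmatic form of `telnet -s` / `nc -s`.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((src_ip, 0))
        s.connect((dst_ip, dst_port))
        return s.getsockname()[0]
    finally:
        s.close()


def demo_loopback_tcp(src_ip="127.0.0.1"):
    """Listener and client on loopback in one process.

    Returns (what the client thinks its local address is, what the server
    sees as the peer address): the two values sockstat would show on the
    two ends of the TCP connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        cli.bind((src_ip, 0))          # pin the source address explicitly
        cli.connect(srv.getsockname())
        conn, peer = srv.accept()
        try:
            return cli.getsockname()[0], peer[0]
        finally:
            conn.close()
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    # On the poster's jailhost the interesting calls would be (addresses
    # taken from the post, results as the post describes them):
    #   kernel_source_for("10.0.1.4")            -> the jail's own 10.0.1.4
    #   source_with_bind("10.0.1.4", "10.0.1.2") -> the jailhost's 10.0.1.2
    print("kernel-chosen source for 127.0.0.1:", kernel_source_for("127.0.0.1"))
    print("bound source for 127.0.0.1:        ", source_with_bind("127.0.0.1", "127.0.0.1"))
    print("tcp client/server view:            ", demo_loopback_tcp())
```

From a shell on the jailhost the same two checks are `route get 10.0.1.4` (shows the interface and route the kernel will use) and `telnet -s 10.0.1.2 mail.example.org 25` or `nc -s 10.0.1.2 mail.example.org 25` to force the jailhost's address as the source; a second NIC does not change the selection rule, since the destination is still a local address reached over loopback, so an explicit source bind is the reliable way to make "who's who" unambiguous in sockstat and tcpdump.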