Re: cannot resolve host in VNET jail with RSS enabled

From: <moremore2_at_outlook.com>
Date: Tue, 12 Apr 2022 05:32:35 UTC
Hi,
  Thanks for your kind reply. I had never tried 'options rss' and 'options pcbgroup' before.

# uname -a
FreeBSD haproxy-a 13.1-STABLE FreeBSD 13.1-STABLE #12 local-ece90b520: Tue Apr 12 11:50:47 CST 2022     root@hp380:/usr/obj/usr/src/amd64.amd64/sys/fb13-stable-rss  amd64


# more jail.conf
# jail.conf entry for the VNET jail "haproxy-a" used in the tests shown in this message.
haproxy-a {
  # devfs ruleset, mount-visibility and securelevel restrictions applied to the jail (see jail(8)).
  devfs_ruleset = 8;
  enforce_statfs = 2;
  # Run the exec.* commands in a clean environment.
  exec.clean;
  # Console log, fstab and root paths sit under bastille directories -- presumably a Bastille-managed jail.
  exec.consolelog = /var/log/bastille/haproxy-a_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = haproxy-a;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/haproxy-a/fstab;
  path = /usr/local/bastille/jails/haproxy-a/root;
  securelevel = 2;
  # VNET jail: it gets its own network stack, and epair10b is handed to it.
  vnet="new";
  vnet.interface='epair10b';

  # After start, the host uses jexec to address epair10b as 192.168.200.100/24
  # inside the jail and to add a default route via 192.168.200.1.
  exec.poststart='/usr/sbin/jexec haproxy-a /sbin/ifconfig epair10b 192.168.200.100 netmask 255.255.255.0 up';
  exec.poststart+='/usr/sbin/jexec haproxy-a /sbin/route add default 192.168.200.1';
  }

  Then in the jail:

root@haproxy-a:/ # drill www.microsoft.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 14133
;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.microsoft.com.	IN	A

;; ANSWER SECTION:
www.microsoft.com.	3563	IN	CNAME	www.microsoft.com-c-3.edgekey.net.
www.microsoft.com-c-3.edgekey.net.	643	IN	CNAME	www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.	620	IN	CNAME	e13678.ca2.s.tl88.net.
e13678.ca2.s.tl88.net.	35	IN	A	115.152.251.229

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 13 msec
;; SERVER: 114.114.114.114
;; WHEN: Tue Apr 12 13:15:58 2022
;; MSG SIZE  rcvd: 197
root@haproxy-a:/ # ping -4 www.microsoft.com
^C
root@haproxy-a:/ # ping -4 115.152.251.229
PING 115.152.251.229 (115.152.251.229): 56 data bytes
64 bytes from 115.152.251.229: icmp_seq=0 ttl=52 time=16.094 ms
64 bytes from 115.152.251.229: icmp_seq=1 ttl=52 time=16.032 ms
64 bytes from 115.152.251.229: icmp_seq=2 ttl=52 time=22.042 ms
64 bytes from 115.152.251.229: icmp_seq=3 ttl=52 time=16.064 ms
64 bytes from 115.152.251.229: icmp_seq=4 ttl=52 time=16.242 ms
64 bytes from 115.152.251.229: icmp_seq=5 ttl=52 time=16.051 ms
^C
--- 115.152.251.229 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 16.032/17.087/22.042/2.217 ms

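I captured these packets at the same time. Note that the replies to the later queries (source port 13052) do arrive on the jail's epair10b, but the jail answers each of them with an ICMP "udp port 13052 unreachable" and the same query is then retried: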
root@haproxy-a:/ # tcpdump -v -n -i epair10b
tcpdump: listening on epair10b, link-type EN10MB (Ethernet), capture size 262144 bytes
13:15:58.795103 IP (tos 0x0, ttl 64, id 63832, offset 0, flags [none], proto UDP (17), length 63)
    192.168.200.100.61519 > 114.114.114.114.53: 14133+ A? www.microsoft.com. (35)
13:15:58.808548 IP (tos 0x0, ttl 149, id 0, offset 0, flags [none], proto UDP (17), length 225)
    114.114.114.114.53 > 192.168.200.100.61519: 14133 4/0/0 www.microsoft.com. CNAME www.microsoft.com-c-3.edgekey.net., www.microsoft.com-c-3.edgekey.net. CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net., www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. CNAME e13678.ca2.s.tl88.net., e13678.ca2.s.tl88.net. A 115.152.251.229 (197)
13:16:26.916890 IP (tos 0x0, ttl 64, id 24086, offset 0, flags [none], proto UDP (17), length 63)
    192.168.200.100.13052 > 114.114.114.114.53: 44693+ A? www.microsoft.com. (35)
13:16:26.931768 IP (tos 0x0, ttl 149, id 0, offset 0, flags [none], proto UDP (17), length 225)
    114.114.114.114.53 > 192.168.200.100.13052: 44693 4/0/0 www.microsoft.com. CNAME www.microsoft.com-c-3.edgekey.net., www.microsoft.com-c-3.edgekey.net. CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net., www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. CNAME e13678.ca2.s.tl88.net., e13678.ca2.s.tl88.net. A 115.152.251.229 (197)

13:16:26.931813 IP (tos 0x0, ttl 64, id 63833, offset 0, flags [none], proto ICMP (1), length 253)
    192.168.200.100 > 114.114.114.114: ICMP 192.168.200.100 udp port 13052 unreachable, length 233
	IP (tos 0x0, ttl 149, id 0, offset 0, flags [none], proto UDP (17), length 225)
    114.114.114.114.53 > 192.168.200.100.13052: 44693 4/0/0 www.microsoft.com. CNAME www.microsoft.com-c-3.edgekey.net., www.microsoft.com-c-3.edgekey.net. CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net., www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. CNAME e13678.ca2.s.tl88.net., e13678.ca2.s.tl88.net. A 115.152.251.229 (197)
13:16:32.004844 IP (tos 0x0, ttl 64, id 23301, offset 0, flags [none], proto UDP (17), length 63)
    192.168.200.100.13052 > 114.114.114.114.53: 44693+ A? www.microsoft.com. (35)
13:16:32.019973 IP (tos 0x0, ttl 149, id 0, offset 0, flags [none], proto UDP (17), length 225)
    114.114.114.114.53 > 192.168.200.100.13052: 44693 4/0/0 www.microsoft.com. CNAME www.microsoft.com-c-3.edgekey.net., www.microsoft.com-c-3.edgekey.net. CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net., www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. CNAME e13678.ca2.s.tl88.net., e13678.ca2.s.tl88.net. A 115.152.251.229 (197)
13:16:32.020011 IP (tos 0x0, ttl 64, id 63834, offset 0, flags [none], proto ICMP (1), length 253)
    192.168.200.100 > 114.114.114.114: ICMP 192.168.200.100 udp port 13052 unreachable, length 233
	IP (tos 0x0, ttl 149, id 0, offset 0, flags [none], proto UDP (17), length 225)
    114.114.114.114.53 > 192.168.200.100.13052: 44693 4/0/0 www.microsoft.com. CNAME www.microsoft.com-c-3.edgekey.net., www.microsoft.com-c-3.edgekey.net. CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net., www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. CNAME e13678.ca2.s.tl88.net., e13678.ca2.s.tl88.net. A 115.152.251.229 (197)

13:17:06.761628 IP (tos 0x0, ttl 64, id 54170, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.200.100 > 115.152.251.229: ICMP echo request, id 45603, seq 0, length 64
13:17:06.777676 IP (tos 0x0, ttl 52, id 46238, offset 0, flags [none], proto ICMP (1), length 84)
    115.152.251.229 > 192.168.200.100: ICMP echo reply, id 45603, seq 0, length 64
13:17:07.785398 IP (tos 0x0, ttl 64, id 54171, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.200.100 > 115.152.251.229: ICMP echo request, id 45603, seq 1, length 64
13:17:07.801393 IP (tos 0x0, ttl 52, id 46335, offset 0, flags [none], proto ICMP (1), length 84)
    115.152.251.229 > 192.168.200.100: ICMP echo reply, id 45603, seq 1, length 64
13:17:08.847866 IP (tos 0x0, ttl 64, id 54172, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.200.100 > 115.152.251.229: ICMP echo request, id 45603, seq 2, length 64
13:17:08.869870 IP (tos 0x0, ttl 52, id 46544, offset 0, flags [none], proto ICMP (1), length 84)
    115.152.251.229 > 192.168.200.100: ICMP echo reply, id 45603, seq 2, length 64
13:17:09.909951 IP (tos 0x0, ttl 64, id 54173, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.200.100 > 115.152.251.229: ICMP echo request, id 45603, seq 3, length 64
13:17:09.925956 IP (tos 0x0, ttl 52, id 46614, offset 0, flags [none], proto ICMP (1), length 84)
    115.152.251.229 > 192.168.200.100: ICMP echo reply, id 45603, seq 3, length 64
13:17:10.972385 IP (tos 0x0, ttl 64, id 3781, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.200.100 > 115.152.251.229: ICMP echo request, id 45603, seq 4, length 64
13:17:10.988580 IP (tos 0x0, ttl 52, id 47619, offset 0, flags [none], proto ICMP (1), length 84)
    115.152.251.229 > 192.168.200.100: ICMP echo reply, id 45603, seq 4, length 64
13:17:12.018853 IP (tos 0x0, ttl 64, id 48853, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.200.100 > 115.152.251.229: ICMP echo request, id 45603, seq 5, length 64
13:17:12.034859 IP (tos 0x0, ttl 52, id 48564, offset 0, flags [none], proto ICMP (1), length 84)
    115.152.251.229 > 192.168.200.100: ICMP echo reply, id 45603, seq 5, length 64

Simon
20220412