Kernel panic in nfsv4_loadattr
Dewayne Geraghty
dewayne.geraghty at heuristicsystems.com.au
Sun Jun 25 23:37:42 UTC 2017
Rick,
A minor point. Jails don't break/disable 127.0.0.1, though it certainly
changes behaviour.
127.0.0.1 within a jail context is reassigned the first IP that is
defined in jail.conf (or passed to the jail during creation).
So for example during a ping from a jail with its first IP 10.0.7.96
defined for em1, when a ping occurs within the jail
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=42 time=0.039 ms
the tcpdump of lo0 (from the host system), becomes:
09:16:23.699627 IP 10.0.7.96 > 127.0.0.1: ICMP echo request, id 52014, seq 0, length 64
09:16:23.699671 IP 127.0.0.1 > 10.0.7.96: ICMP echo reply, id 52014, seq 0, length 64
Even though the jail itself has lo0 defined as
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
groups: lo
(i.e. no explicit 127 subnet).
This has significant security issues and requires careful firewalling
attention.
As an aside, a reasonable approach is to define an IP on lo0 (for the
jail), then, from a jail with first IP 10.0.7.91 the
# ping -c 1 127.0.0.1
becomes
09:25:23.348288 IP 127.1.5.91 > 127.0.0.1: ICMP echo request, id 25647, seq 0, length 64
09:25:23.348319 IP 127.0.0.1 > 127.1.5.91: ICMP echo reply, id 25647, seq 0, length 64
A much better outcome - in terms of not needing to allow a possibly
external IP to access lo0 :)
This may provide further insight into jail/network issues?
Cheers.
PS Oh and the first IP of a jail also becomes the default route for it.
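
Added example, not part of the original message: this Python script parses `tcpdump -n` text captured on the host's lo0 and reports every packet with an endpoint outside 127.0.0.0/8, which is the situation the message says needs firewall attention. The function names and the TCP sample line are assumptions made for the example; the ICMP lines are the two captures quoted above.

```python
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Matches "tcpdump -n" IPv4 lines: "<time> IP <src>[.port] > <dst>[.port]: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})(?:\.\d+)? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.\d+)?: "
)

def non_loopback_endpoints(capture):
    """Return (timestamp, src, dst, offending) for each packet seen on lo0
    that has at least one endpoint outside 127.0.0.0/8."""
    findings = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank, wrapped, IPv6 or otherwise unparsed line
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        outside = [str(a) for a in (src, dst) if a not in LOOPBACK]
        if outside:
            findings.append((m["ts"], str(src), str(dst), outside))
    return findings

def offending_addresses(capture):
    """Unique non-loopback addresses that lo0 firewall rules must account for."""
    return sorted({a for f in non_loopback_endpoints(capture) for a in f[3]})

# Capture lines from the message above, re-joined onto one line each.
JAIL_WITHOUT_LO0_IP = """\
09:16:23.699627 IP 10.0.7.96 > 127.0.0.1: ICMP echo request, id 52014, seq 0, length 64
09:16:23.699671 IP 127.0.0.1 > 10.0.7.96: ICMP echo reply, id 52014, seq 0, length 64
"""
JAIL_WITH_LO0_IP = """\
09:25:23.348288 IP 127.1.5.91 > 127.0.0.1: ICMP echo request, id 25647, seq 0, length 64
09:25:23.348319 IP 127.0.0.1 > 127.1.5.91: ICMP echo reply, id 25647, seq 0, length 64
"""
# Constructed line (not from the message): TCP endpoints print as addr.port.
CONSTRUCTED_TCP = "09:30:00.000001 IP 10.0.7.96.51234 > 127.0.0.1.25: Flags [S], length 0"

if __name__ == "__main__":
    for name, cap in (("no lo0 IP", JAIL_WITHOUT_LO0_IP),
                      ("lo0 IP set", JAIL_WITH_LO0_IP),
                      ("constructed TCP", CONSTRUCTED_TCP)):
        print(name, "->", offending_addresses(cap) or "loopback only")
```
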
More information about the freebsd-hackers mailing list