HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
stefan.lambrev at moneybookers.com
Thu May 7 21:53:11 UTC 2009
Sorry for the late reply.
On May 1, 2009, at 2:58 AM, Bjoern A. Zeeb wrote:
> On Thu, 30 Apr 2009, Stefan Lambrev wrote:
>> On Apr 22, 2009, at 11:25 PM, Miroslav Lachman wrote:
>>> Stefan Lambrev wrote:
>>>> Does this allow multiple network interfaces to be used by a
>>>> single jail instance?
>>> Yes, I am using it.
>> - cut -
>> Basically it works, but I found another problem.
>> I have created on two servers jails with 2 IPs on different
>> First IP is on "external" interface and second IP is on internal
>> As expected if I send packets from the host (outside jail) their
>> source address match the IP of the interface (from which they are
>> leaving the machine),
>> but if I send packets from jail they always go out with source
>> address equal to the first IP of the jail even when they are going
>> through the second interface.
>> I do not know if this matters but in my case, internal interface
>> have few vlans and the IP is set on the vlan not directly on the
>> Here is some output from the jail which can be useful:
>> igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0
>> mtu 1500
>> ether 00:30:48:9c:3a:0a
>> inet 192.168.3.100 netmask 0xffffffff broadcast 192.168.3.100
>> media: Ethernet autoselect (100baseTX <full-duplex>)
>> status: active
>> igb1.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0
>> mtu 1500
>> ether 00:30:48:9c:3a:0b
>> inet 10.35.1.1 netmask 0xffffff00 broadcast 10.35.1.255
>> media: Ethernet autoselect (1000baseTX <full-duplex>)
>> status: active
>> vlan: 2 parent interface: igb1
>> And here is the tcpdump from igb1.2 when trying to ping 10.35.1.2
>> from inside jail:
>> 17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 0, length 64
>> 17:20:05.110321 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 1, length 64
>> Any idea how this can be fixed?
>> P.S. I know I can rewrite outgoing packets with firewall, but it's
>> not performance wise,
>> and I expect a lot of UDP multicast through igb1.2, that's why this
>> doesn't look like a proper solution for me.
> 1) you turned on a non-default feature permitting raw-ip-sockets from
> inside jails. You lost supp^Wpredictability. Well not really but
> this is just the beware-of reminder.
Unfortunately this is the only way to get multicast working in a jail.
> 2) you are using 1) with ping to test source address selection which
> will not work well. There is more magic involved. Does it work
> properly and as requested with ping -S <src-ip-you-want> <dst>?
The only difference when using -S is that the "sender" does not
> 3) turn off 1) and/or use telnet, ssh, or nc to test outgoing
> in each direction. Does source address selection work here as
telnet works as expected even when raw-ip-sockets are enabled.
> 4) jails do not support MC. You'll have to wait for full-blown network
> stack virtualization.
Is this planned to be part of 8.0 or ..? :)
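A small diagnostic for the symptom discussed in this thread, added here as an example and not code from the thread or from FreeBSD: it reads ifconfig-style `inet ... netmask 0x...` lines for the jail's interfaces and flags tcpdump packets whose source address does not belong to any subnet configured on the captured interface. The ifconfig and tcpdump text below is constructed to mirror the output in the post, with one good and one bad packet.

```python
import ipaddress
import re

# Constructed sample input modelled on the igb1.2 output quoted in the thread
IFCONFIG = """igb1.2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:30:48:9c:3a:0b
	inet 10.35.1.1 netmask 0xffffff00 broadcast 10.35.1.255
"""

# Constructed capture on igb1.2: first packet carries the "wrong" (first jail) IP,
# second packet carries the address actually configured on igb1.2
TCPDUMP = """17:20:04.109972 IP 192.168.3.100 > 10.35.1.2: ICMP echo request, id 28421, seq 0, length 64
17:20:05.110321 IP 10.35.1.1 > 10.35.1.2: ICMP echo request, id 28421, seq 1, length 64
"""

# "inet A.B.C.D netmask 0xXXXXXXXX" as printed by FreeBSD ifconfig
INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]{8})", re.M)
# "HH:MM:SS.usec IP src[.port] > dst[.port]: ..." as printed by tcpdump
PKT_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)", re.M)


def iface_networks(ifconfig_text):
    """Return the IPv4 subnets configured on the interface(s) in the ifconfig text."""
    nets = []
    for addr, hexmask in INET_RE.findall(ifconfig_text):
        # Convert the hex netmask (0xffffff00) into dotted form (255.255.255.0)
        mask = ipaddress.ip_address(int(hexmask, 16))
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def find_mismatched_sources(ifconfig_text, tcpdump_text):
    """List (timestamp, src, dst) for packets whose source is not on the interface's subnets."""
    nets = iface_networks(ifconfig_text)
    mismatched = []
    for ts, src, dst in PKT_RE.findall(tcpdump_text):
        if not any(ipaddress.ip_address(src) in net for net in nets):
            mismatched.append((ts, src, dst))
    return mismatched


if __name__ == "__main__":
    for ts, src, dst in find_mismatched_sources(IFCONFIG, TCPDUMP):
        print(f"{ts}: source {src} -> {dst} is not on the capture interface's subnet")
```

Run it against real `ifconfig <if>` and `tcpdump -n -i <if>` output to confirm whether a jail's outgoing packets pick the address of the interface they leave through.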