Jail source address selection broken, patch for ping

Mark Felder feld at feld.me
Mon Apr 9 16:21:07 UTC 2012


This weekend I was deploying our monitoring server into a 32-bit FreeBSD
jail on a 64-bit install. This was necessary because we needed the newer
hardware but couldn't migrate the RRDs to 64-bit format without breaking
other machines that rely on the RRD files and are still 32-bit. Our
monitoring server is fairly extensive and talks to many different VLANs
and subnets. As a result, IPs on these different VLAN interfaces were
passed through to the jail. I noticed pretty quickly that for some reason
pings were not able to reach many subnets even though I am allowing raw
sockets. After doing some traffic sniffing I was able to determine that
the source IP address was incorrect.

By pure chance I was able to contact bz@ and he provided me with a patch  
for ping based on his recent work on a similar issue with traceroute. This  
solved my problem with the system ping utility, but my tests with fping  
and the ping utility included with our monitoring software still exhibited  
the same issue.

bz informed me that he believes he knows where the bug is in the kernel --  
I believe he pointed me to the area of sys/netinet/ip_raw.c around line  
461. Jails are getting the first IP as a source no matter what.

Anyway, attached is the patch he asked me to post to the mailing list for  
those that need a workaround for ping. I'm sure fixing this in the kernel  
will probably require further discussion among those with actual  
programming skills :-)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20120407-01-ping-source-addr.diff
Type: application/octet-stream
Size: 6163 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20120409/a601a1bf/20120407-01-ping-source-addr.obj
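The two checks a practitioner would want when chasing the symptom described in the post (wrong source IP on packets leaving a multi-address jail): first, ask the kernel which local address it would select for a given destination without sending anything, and second, pin the source of a raw ICMP socket explicitly with bind() so that a bad default cannot be used. The program below is an added example; it is not code from the original post, nor from the ping patch it refers to (which was scrubbed from the archive). It uses only portable POSIX socket calls. The loopback addresses it defaults to are constructed for an offline run; the raw-socket part needs root (or the jail's raw-socket permission) and reports the error otherwise.

```c
/* Added example: source-address checks for a multi-address host or jail.
 * Not part of the original post or the referenced ping patch.
 *  1. kernel_source_for(): which local address would the kernel use to
 *     reach dst? connect() on a UDP socket records the peer and runs
 *     source-address selection, but transmits nothing; getsockname()
 *     then reveals the chosen local address.
 *  2. open_icmp_socket_from(): open a raw ICMP socket and bind() it to an
 *     explicit source, the standard way to pin the source on a raw socket
 *     instead of relying on the kernel's default pick. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Write the kernel's chosen IPv4 source for dst into out (>= INET_ADDRSTRLEN).
 * Returns 0 on success, -1 on error with errno set. */
int kernel_source_for(const char *dst, char *out, size_t outlen)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(9); /* any port; no datagram is ever sent */
    if (inet_pton(AF_INET, dst, &sin.sin_addr) != 1) {
        close(s);
        errno = EINVAL;
        return -1;
    }
    if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
        getsockname(s, (struct sockaddr *)&sin, &len) < 0) {
        int e = errno;
        close(s);
        errno = e;
        return -1;
    }
    close(s);
    return inet_ntop(AF_INET, &sin.sin_addr, out, outlen) ? 0 : -1;
}

/* 1 if the kernel would source packets to dst from expected, else 0. */
int source_matches(const char *dst, const char *expected)
{
    char src[INET_ADDRSTRLEN];
    if (kernel_source_for(dst, src, sizeof(src)) < 0)
        return 0;
    return strcmp(src, expected) == 0;
}

/* Raw ICMP socket bound to src (needs root / raw-socket permission in the
 * jail). Returns the fd, or -1 with errno set. */
int open_icmp_socket_from(const char *src)
{
    struct sockaddr_in sin;
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (s < 0)
        return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    if (inet_pton(AF_INET, src, &sin.sin_addr) != 1) {
        close(s);
        errno = EINVAL;
        return -1;
    }
    /* bind() fixes the source address for everything sent on this socket. */
    if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        int e = errno;
        close(s);
        errno = e;
        return -1;
    }
    return s;
}

int main(int argc, char **argv)
{
    /* Constructed default: loopback, so the check works offline. */
    const char *dst = argc > 1 ? argv[1] : "127.0.0.1";
    char src[INET_ADDRSTRLEN];
    if (kernel_source_for(dst, src, sizeof(src)) < 0) {
        perror("kernel_source_for");
        return 1;
    }
    printf("kernel would source packets to %s from %s\n", dst, src);
    int s = open_icmp_socket_from(src);
    if (s < 0)
        perror("open_icmp_socket_from (raw sockets need root)");
    else
        close(s);
    return 0;
}
```

Run it as `./srccheck <address-on-the-far-VLAN>` inside the jail: if the printed source is the jail's first IP rather than the address on the VLAN that routes to the destination, that matches the behaviour the post describes, and binding the raw socket explicitly (as above) is the per-program workaround.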
