On 14.03.2009 at 22:35, Julian Elischer wrote:
Stefan Bethke wrote:
On 14.03.2009 at 19:01, Bjoern A. Zeeb wrote:
On Thu, 12 Mar 2009, Stefan Bethke wrote:
I'm having some trouble configuring a dual-homed jail host,
running -current from about 4 weeks ago.
...
Is there any documentation on how source addresses are selected?
I thought I remembered that on unbound sockets the destination
route would be used to pick the first address of the outgoing
interface as the source address; the same address would be picked
on connecting a socket.
sys/netinet/in_pcb.c:in_pcbladdr() is your friend -
http://fxr.watson.org/fxr/source/netinet/in_pcb.c#L546
This is the case you are running into:
http://fxr.watson.org/fxr/source/netinet/in_pcb.c#L628
/*
* If the outgoing interface on the route found is not
* a loopback interface, use the address from that interface.
* In case of jails do those three steps:
* 1. check if the interface address belongs to the jail. If so use it.
* 2. check if we have any address on the outgoing interface
* belonging to this jail. If so use it.
* 3. as a last resort return the 'default' jail address.
*/
so you are hitting "3.".
I am not sure but I'd assume
ifconfig tun0 10.0.63.3 10.0.63.255 alias
would work, just not with the logic to create the IPs upon jail
start
(and we will not accept patches to handle that;).
This is what I figured is happening.
For the time being, I've gone back to single-homed; I'm using pf
binat rules to map public ips to the vpn ones for the jails. Not
perfect, but works for most cases. (The only really missing option
is to bind a service in the jail to VPN address only, so it's only
accessible over the VPN, but I can enforce that through pf or
hosts.allow.)
Assigning aliases to tun0 appears to work too, but you need a
distinct destination address for each alias. Annoying.
Since I'm using "topology subnet" in OpenVPN, a point-to-point
interface is conceptually slightly off; a broadcast interface would
fit much nicer. This would also allow the standard rc.d/jail
script to do its magic, if the necessary tun settings could be
applied through ifconfig. Is there a specific reason this setting
can only be done through an ioctl on the dev node, instead of
through ifconfig? (Specifically TUNSIFMODE.)
Additionally, this opens the way to run OpenVPN inside a jail, since
all ifconfig and route setup would be done prior to OpenVPN
starting up. (tun also downs the interface if the dev node is
closed, but I have a feeling that could be mediated somewhat easily
as well.)
One of the things you can do is assign different routing tables to
each jail. This means that they can control which interface it will
select as the outgoing interface.
setfib -{0-15} jail (jail args)
I hope to investigate the VIMAGE work soon, but how exactly would that
help me with multihoming jails? As it turns out, my issue is with
source address selection mostly, and the way point-to-point interfaces
work; the routing table doesn't really come into play?
Stefan
--
Stefan Bethke <s...@lassitu.de> Fon +49 151 14070811
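Bjoern's three-step source selection, as an added user-space model written for this thread (it is not FreeBSD's in_pcbladdr() code): it walks the same order on constructed data, and the jail addresses used (203.0.113.10 as the jail's "public" address, 10.0.63.10 as its VPN address) are assumptions, as is the helper name jail_pick_laddr. It shows why a jail lands in step 3 (the "default" jail address) until an address from the jail's own set is present on the outgoing interface, and why an alias on tun0 flips it to step 2.

```c
/* Model of the three-step jail source-address selection quoted above.
 * Hypothetical helper, constructed addresses; not kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct jail_addrs { const uint32_t *addrs; size_t n; };

/* Parse dotted quad into host-order uint32_t (0 on parse failure). */
static uint32_t ip4(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Returns the step (1, 2 or 3) that selected *out.
 * Step 1: the route's interface address itself belongs to the jail.
 * Step 2: some other address on the outgoing interface belongs to the jail.
 * Step 3: last resort, the jail's "default" address. */
int jail_pick_laddr(uint32_t route_ifa, const uint32_t *if_addrs, size_t n_if,
                    const struct jail_addrs *j, uint32_t jail_default,
                    uint32_t *out)
{
    for (size_t i = 0; i < j->n; i++)
        if (j->addrs[i] == route_ifa) { *out = route_ifa; return 1; }
    for (size_t k = 0; k < n_if; k++)
        for (size_t i = 0; i < j->n; i++)
            if (if_addrs[k] == j->addrs[i]) { *out = if_addrs[k]; return 2; }
    *out = jail_default;
    return 3;
}

int main(void)
{
    /* Constructed jail: a public address (default) plus a VPN address. */
    const uint32_t jail[] = { ip4("203.0.113.10"), ip4("10.0.63.10") };
    const struct jail_addrs j = { jail, 2 };
    /* tun0 before: only the host's own VPN address; after: alias added. */
    const uint32_t tun_before[] = { ip4("10.0.63.3") };
    const uint32_t tun_after[]  = { ip4("10.0.63.3"), ip4("10.0.63.10") };
    uint32_t out;
    int s = jail_pick_laddr(ip4("10.0.63.3"), tun_before, 1, &j, jail[0], &out);
    printf("before alias: step %d, src 0x%08x (public leaks onto VPN)\n", s, out);
    s = jail_pick_laddr(ip4("10.0.63.3"), tun_after, 2, &j, jail[0], &out);
    printf("after alias:  step %d, src 0x%08x\n", s, out);
    return 0;
}
```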
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net