Re: how to determine primary (source) IP address in jail

2019-02-28 Thread Bjoern A. Zeeb

On 28 Feb 2019, at 10:58, Miroslav Lachman wrote:

Is there some easy way to determine the primary (source) address which 
is used in jail with multiple IP addresses?


I came to this problem with running local_unbound in jail. Unbound 
refuses queries originating in this jail because they do not come from 
real 127.0.0.1 (which is the only one allowed by default). Unbound in 
jail sees requests come from the jail's IP. It is easy to determine (in 
shell script) if jail has only one IP.
But what about the case where jail has multiple IPs? Is there some sysctl or 
some call to ifconfig or any other util to get the IP which will be 
used as source address for queries on local services in jail?


Bind the listen socket of the local unbound to any IP of your jail and 
other services (unless the source port got bound) will select the same 
IP address as the destination if both are in the same jail.




I know I can allow all IPs of jail in
access-control: a.b.c.d/32 allow
access-control: e.f.g.h/32 allow

I am just curious if there is some way to get "primary" IP in jail 
without calling anything from the host environment.


Open a UDP socket; bind to 127.1; call getsockname;
https://reviews.freebsd.org/D19218   is currently having a similar issue 
solving it exactly that way.



There were people who in the past added a 127.{2,3,4,5,..} for each 
jail and then used that one instead of 127.1 but I’ve never been a 
huge fan of that, especially given one may run the resolver for other 
services outside that jail (maybe in others) as well and they need to be 
able to reach that in a reliable way.



/bz
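The "bind a UDP socket to 127.1 and call getsockname" trick above, written out as an added example (it is not code from the thread or from D19218). It relies on the behaviour the reply describes: inside a non-VNET jail the kernel rewrites a bind to 127.0.0.1 to the jail's primary IPv4 address, so getsockname returns that address; run on the host or in a VNET jail it simply returns 127.0.0.1. The IPv6 branch (binding ::1) is an assumption that the same rewrite applies to the jail's first IPv6 address, and the unbound_access_control helper just formats the result as the allow line from the question, so a jail startup script can generate the one line it needs instead of allowing every address.

```python
import ipaddress
import socket


def primary_address(family=socket.AF_INET):
    """Return the address the jail uses as its loopback/source address.

    A UDP socket is bound to the loopback address and never sends
    anything; in a non-VNET jail the bind is rewritten to the jail's
    primary address, which getsockname() then reports. Returns None
    if the address family is not usable (e.g. no IPv6 on this system).
    """
    loopback = "127.0.0.1" if family == socket.AF_INET else "::1"
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.bind((loopback, 0))  # port 0: let the kernel pick
            return sock.getsockname()[0]
    except OSError:
        return None


def unbound_access_control(addr):
    """Format a single-host unbound access-control line for addr."""
    ip = ipaddress.ip_address(addr)
    # /32 for IPv4, /128 for IPv6 (max_prefixlen is the host mask)
    return f"access-control: {ip}/{ip.max_prefixlen} allow"


if __name__ == "__main__":
    for fam in (socket.AF_INET, socket.AF_INET6):
        addr = primary_address(fam)
        if addr is not None:
            print(unbound_access_control(addr))
```

The socket is never used to send a packet; bind plus getsockname is enough, which is why this works from inside the jail with no access to the host's ifconfig or sysctl output.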
___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"


Re: how to determine primary (source) IP address in jail

2019-02-28 Thread BulkMailForRudy
One way to fix the problem is to use VNET in your jails and you will 
get  a lo0 with 127.0.0.1 inside the jail.


Rudy

On 2/28/19 2:58 AM, Miroslav Lachman wrote:
Is there some easy way to determine the primary (source) address which 
is used in jail with multiple IP addresses?


I came to this problem with running local_unbound in jail. Unbound 
refuses queries originating in this jail because they do not come from 
real 127.0.0.1 (which is the only one allowed by default). Unbound in 
jail sees requests come from the jail's IP. It is easy to determine (in 
shell script) if jail has only one IP.
But what about the case where jail has multiple IPs? Is there some sysctl or 
some call to ifconfig or any other util to get the IP which will be 
used as source address for queries on local services in jail?


I know I can allow all IPs of jail in
access-control: a.b.c.d/32 allow
access-control: e.f.g.h/32 allow

I am just curious if there is some way to get "primary" IP in jail 
without calling anything from the host environment.


Kind regards
Miroslav Lachman




Re: how to determine primary (source) IP address in jail

2019-02-28 Thread James Gritton

On 2019-02-28 03:58, Miroslav Lachman wrote:

Is there some easy way to determine the primary (source) address which
is used in jail with multiple IP addresses?

I came to this problem with running local_unbound in jail. Unbound
refuses queries originating in this jail because they do not come from
real 127.0.0.1 (which is the only one allowed by default). Unbound in
jail sees requests come from the jail's IP. It is easy to determine (in
shell script) if jail has only one IP.
But what about the case where jail has multiple IPs? Is there some sysctl or
some call to ifconfig or any other util to get the IP which will be
used as source address for queries on local services in jail?

I know I can allow all IPs of jail in
access-control: a.b.c.d/32 allow
access-control: e.f.g.h/32 allow

I am just curious if there is some way to get "primary" IP in jail
without calling anything from the host environment.


There's nothing reliable that I know of.  Lists of addresses like that
from "ifconfig -a" or "netstat -rn" are in the order that they exist on
the host, filtered so only in-jail addresses show up.  While this may
work for jails that always create aliases for their addresses in the
defined order (as jail(8) will), they don't work in cases where the
address already exists.  It will also have problems when the addresses
are on different interfaces.

- Jamie


how to determine primary (source) IP address in jail

2019-02-28 Thread Miroslav Lachman
Is there some easy way to determine the primary (source) address which 
is used in jail with multiple IP addresses?


I came to this problem with running local_unbound in jail. Unbound 
refuses queries originating in this jail because they do not come from 
real 127.0.0.1 (which is the only one allowed by default). Unbound in 
jail sees requests come from the jail's IP. It is easy to determine (in shell 
script) if jail has only one IP.
But what about the case where jail has multiple IPs? Is there some sysctl or 
some call to ifconfig or any other util to get the IP which will be used 
as source address for queries on local services in jail?


I know I can allow all IPs of jail in
access-control: a.b.c.d/32 allow
access-control: e.f.g.h/32 allow

I am just curious if there is some way to get "primary" IP in jail 
without calling anything from the host environment.


Kind regards
Miroslav Lachman


Re: Performance issues with VNET/bridge/VLAN

2019-02-28 Thread Patrick M. Hausen
Hi,

Just a quick info - I need some more time because this is getting weirder and 
weirder …

Changing the „complaint“ host from VLANs to dedicated interfaces fixed
the perceived TCP performance issue for that host. Then I tried to reproduce
the problem on another host *with* the VLAN based setup.
Same OS version, identical setup (all Ansible here) - *no* performance issue.
Everything running „fast“.

I’ll try to build a reliable test scenario with reproducibly problematic results
and report back.

Kind regards
Patrick
-- 
punkt.de GmbH   Internet - Dienstleistungen - Beratung
Kaiserallee 13a Tel.: 0721 9109-0 Fax: -100
76133 Karlsruhe i...@punkt.de   http://punkt.de
AG Mannheim 108285  Gf: Juergen Egeling
