[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-29 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

--- Comment #15 from Gleb Smirnoff  ---
The changes I and Mark did were not merged to stable/13. So looks like this is
some smaller change, that also was merged to stable/13, too.

-- 
You are receiving this mail because:
You are the assignee for the bug.


[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-27 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

Bjoern A. Zeeb  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gleb...@freebsd.org,
                   |                            |ma...@freebsd.org

--- Comment #14 from Bjoern A. Zeeb  ---
I am adding @glebius in the bases and he's one of the people knowing today's
(IN)PCB code and probably has changed it for 14 enough.  Maybe markj@ as well?



[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-27 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

--- Comment #13 from Jamie Gritton  ---
Sorry, it's been a while since I wrote that man page, and it's unclear enough
that I didn't read it right myself.  ip[46].saddrsel is one of the few options
that's on by default, so only the "nosaddrsel" version is important.  While
nosaddrsel itself isn't documented, jail(8) talks about the boolean options
generally and adding "no" to them, and at least mentions the word (though not
in a heading) so searching for it gets you to the right place.

So yeah, that's not the right direction and you can ignore my comment.



[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-27 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

--- Comment #12 from Dirk Meyer  ---

Sorry this text is still unclear to me.

I would expect "ip4.saddrsel" to allow source selection
and "ip4.nosaddrsel" will disable it.

but "ip4.nosaddrsel" is not documented in "man jail"?

I confirmed removing "ip4.saddrsel" does not change anything.

quote from "man jail"

[...]
For IPv4 the first address given will be used as the source address
when source address selection on unbound sockets cannot find a
better match.  [...]

What is the correct way to have "source address selection" in the jail?

For now only with "ip4=inherit" I can see the RFC1918 IP is used.



[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-24 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

--- Comment #11 from Jamie Gritton  ---
This appears to be a feature, working exactly as it says it does.  From
jail(8):

 ip4.saddrsel
 A boolean option to change the formerly mentioned behaviour and
 disable IPv4 source address selection for the jail in favour of
 the primary IPv4 address of the jail.  Source address selection
 is enabled by default for all jails and the ip4.nosaddrsel
 setting of a parent jail is not inherited for any child jails.



[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-24 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

--- Comment #10 from Dirk Meyer  ---
I see here:

ping with passing the correct source ip works.

ping without source ip fails, the first IP of the jail is always used.

Sending UDP fails, the first IP of the jail is always used.
(tested with snmpwalk)

Sending TCP fails, the first IP of the jail is always used.
(tested with ssh)

TCP from a host only in 192.168.22.0/24 to the jail IP 192.168.22.43 works.

-- 
You are receiving this mail because:
You are the assignee for the bug.
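
A way to observe the behaviour reported in comment #10 without ping, snmpwalk or ssh, as an added example that is not part of the thread or of the FreeBSD sources: connect() on an unbound UDP socket sends nothing but makes the kernel choose a local address, which getsockname() then reports. The function name selected_source and the use of port 9 are choices made for this example.

```c
/* Added example: report which IPv4 source address the kernel selects for an
 * unbound socket. connect() on a UDP socket sends no packets; it only makes
 * the kernel pick a route and a local address, which getsockname() returns. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Writes the selected source for dst into out; returns 0, or -1 on error. */
int selected_source(const char *dst, char *out, size_t outlen)
{
    struct sockaddr_in peer, local;
    socklen_t len = sizeof(local);
    int rc = -1;

    memset(&peer, 0, sizeof(peer));
    peer.sin_family = AF_INET;
    peer.sin_port = htons(9);            /* discard port; nothing is sent */
    if (inet_pton(AF_INET, dst, &peer.sin_addr) != 1)
        return -1;                       /* not a dotted-quad IPv4 address */

    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;
    /* No bind(): the socket stays unbound, so source selection applies. */
    if (connect(s, (struct sockaddr *)&peer, sizeof(peer)) == 0 &&
        getsockname(s, (struct sockaddr *)&local, &len) == 0 &&
        inet_ntop(AF_INET, &local.sin_addr, out, (socklen_t)outlen) != NULL)
        rc = 0;
    close(s);
    return rc;
}

int main(int argc, char **argv)
{
    char src[INET_ADDRSTRLEN];

    for (int i = 1; i < argc; i++) {
        if (selected_source(argv[i], src, sizeof(src)) == 0)
            printf("%s -> source %s\n", argv[i], src);
        else
            printf("%s -> no source selected (bad address or no route)\n", argv[i]);
    }
    return 0;
}
```

Run inside the jail with one destination per attached subnet (for instance a host in 192.168.22.0/24) and compare each reported source with the order of addresses in the jail's ip4.addr list.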


[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-22 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

Bjoern A. Zeeb  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |b...@freebsd.org

--- Comment #9 from Bjoern A. Zeeb  ---
Is the problem here just raw sockets, e.g. does TCP/UDP/.. work correctly?

I think this once was the fix for raw sockets (in case it helps to track the
problem down -- could also be misleading):
https://people.freebsd.org/~bz/20100425-01-jail-raw_ip-src.diff



[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-10 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

Jamie Gritton  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open



[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-10 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

--- Comment #8 from Jamie Gritton  ---
> Hi Jamie, I don't quite understand that statement. I think those
> sysctl knobs can be retired, but why shall we retrieve the formats
> of parameters? Aren't they for developers only?

For developers yes, most notably for jail(8) itself.  Those sysctls define the
set of parameters, and what format they're in.  So they're useful and
necessary, just not to the end user.



[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-09 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

Zhenlei Huang  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ja...@freebsd.org

--- Comment #7 from Zhenlei Huang  ---
# man 2 jail
..
   Jails have a set of core parameters, and modules can add their own jail
   parameters.  The current set of available parameters, and their formats,
   can be retrieved via the security.jail.param sysctl MIB entry.  Notable
   parameters include those mentioned in the jail() description above, as
   well as jid and name, which identify the jail being created or modified.
   See jail(8) for more information on the core jail parameters.

Hi Jamie, I don't quite understand that statement. I think those sysctl knobs
can be retired, but why shall we retrieve the formats of parameters? Aren't they
for developers only?



[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-09 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

--- Comment #6 from Zhenlei Huang  ---
(In reply to Dirk Meyer from comment #4)
> ip4.addr
> ip4.saddrsel

Those options are per jail. That is to say, they should be applied either on
the command line or in the jail.conf.

> There is also a sysctl, but I am unable to change it outside,
> nor does it reflect the status inside the jail:

> host# sysctl security.jail.param.ip4.saddrsel=1
> security.jail.param.ip4.saddrsel: 0 -> 0

> Is this the expected behavior ?
Yes. Those sysctl knobs serve no purpose but are kept only for backward
compatibility. Users should not have contact with them. See also the commit log
[1].


1.
https://cgit.freebsd.org/src/commit/?id=0304c7316344d7e2d1dee3aa0249724ec629e8ef



[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-09 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

--- Comment #5 from Michael Osipov  ---
So if 13.2 worked and 13.3 does not then the issue is somewhere in between..



[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-09 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

--- Comment #4 from Dirk Meyer  ---
Same failure on FreeBSD-13.3

# freebsd-version -kru
13.3-RELEASE-p1
13.3-RELEASE-p1
13.3-RELEASE-p1

I would like to know what the expected behavior of ip4.saddrsel in this case
is.

1)
The selection behaves differently from the host;
changing the netmask to /24 had no effect either.

# man jail
 ip4.addr
 A list of IPv4 addresses assigned to the jail.  If this is set,
 the jail is restricted to using only these addresses.  Any
 attempts to use other addresses fail, and attempts to use
 wildcard addresses silently use the jailed address instead.  For
 IPv4 the first address given will be used as the source address
 when source address selection on unbound sockets cannot find a
 better match.  It is only possible to start multiple jails with
 the same IP address if none of the jails has more than this
 single overlapping IP address assigned to itself.

 ip4.saddrsel
 A boolean option to change the formerly mentioned behaviour and
 disable IPv4 source address selection for the jail in favour of
 the primary IPv4 address of the jail.  Source address selection
 is enabled by default for all jails and the ip4.nosaddrsel
 setting of a parent jail is not inherited for any child jails.


2)
There is also a sysctl, but I am unable to change it outside,
nor does it reflect the status inside the jail:

host# sysctl -d security.jail.param.ip4.saddrsel
security.jail.param.ip4.saddrsel: Do (not) use IPv4 source address selection
rather than the primary jail IPv4 address.

host# sysctl security.jail.param.ip4.saddrsel=1
security.jail.param.ip4.saddrsel: 0 -> 0

jail# sysctl security.jail.param.ip4.saddrsel
security.jail.param.ip4.saddrsel: 0

Is this the expected behavior ?



[Bug 278232] Jail IPv4 source address selection inside a jail not working

2024-04-08 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278232

Mark Linimon  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|b...@freebsd.org            |j...@freebsd.org
