| Summary: | After turning off the jail does not remove network routes | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Vladyslav V. Prodan <admin> |
| Component: | bin | Assignee: | freebsd-jail (Nobody) <jail> |
| Status: | Closed Feedback Timeout | | |
| Severity: | Affects Many People | CC: | jamie |
| Priority: | --- | | |
| Version: | 10.3-BETA2 | | |
| Hardware: | amd64 | | |
| OS: | Any | | |

Description
Vladyslav V. Prodan
2016-03-14 22:43:30 UTC
```
# ifconfig re0 | grep 10\\.0
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.19 netmask 0xffffff00 broadcast 10.0.0.255
# arp -d 10.0.0.22
10.0.0.22 (10.0.0.22) deleted
# arp -na | grep 10\\.0\\.0\\.22
? (10.0.0.22) at 00:e0:4d:a0:f8:46 on re0 permanent [ethernet]
```

I suspect the problem lies in the "/24" of "re0|10.0.0.22/24". Jail aliases are almost always going to use the /32 netmask, which is the default if one isn't specified. From what I see of your netstat output, your primary address is on the 10.0.0.0/24 subnet. The only time you'd want a non-/32 subnet on a jail is if you set aside a separate subnet used only for that jail. Note this instruction from the "alias" section of ifconfig(8): "If the address is on the same subnet as the first network address for this interface, a non-conflicting netmask must be given. Usually 0xffffffff is most appropriate."

In any case, I was unable to reproduce this behavior. I don't know all the parameters of your setup, but it looks like you should just remove those netmasks.

The problem is not the creation of an IP address with a network mask other than /32. I can give some examples of network topology where the jail IP needs to be assigned a subnet mask for the correct operation of the network protocols, for example a DHCP server or Samba services (nmbd and winbindd). The problem is in the removal of a route to this IP when you turn off the jail.

Yes, of course there are cases where something besides a /32 is appropriate - that is why jail(8) allows that. However, as I mentioned, it did appear that you had violated the specification that an alias should be on a non-conflicting netmask.

The fact remains that I am unable to reproduce your problem. Perhaps I could if I had your entire configuration - all jails, all other network setup. jail(8) simply calls ifconfig(8) with "alias" to add IP addresses, and with "-alias" to remove them - see the output of "jail -vc" and "jail -vr".

The jail will not be removed if the "ifconfig ... -alias" command fails, which implies that the command is succeeding. Unless of course there actually is a bug in the way jail(8) is running this program. My guess is the command is succeeding, but isn't removing some arp entry because the alias was incorrectly specified when it was created. If it's clear (from "jail -v") that the correct ifconfig commands are being run, then this might be considered an ifconfig bug. If the correct commands aren't being run, then it could be a jail bug.
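
Added example, not part of the original bug report or of FreeBSD's tooling: a POSIX sh pre-flight check that applies the ifconfig(8) alias rule quoted above to a jail `ip4.addr` value, using the `inet` lines from the report as sample input. The function names are hypothetical, only the `/prefix` netmask form is handled, and /32 is assumed to be the only non-conflicting mask.

```sh
#!/bin/sh
# Added example: check a jail ip4.addr value against the ifconfig(8) alias rule.
# Function names are hypothetical; /32 is assumed to be the only safe mask.

# inet lines as shown in the report's `ifconfig re0` output
SAMPLE_IFCONFIG='        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.19 netmask 0xffffff00 broadcast 10.0.0.255'

# first_inet: read ifconfig output on stdin, print "ADDR HEXMASK" of the
# first inet line (the interface's first network address)
first_inet() {
    awk '$1 == "inet" { print $2, $4; exit }'
}

# ip_to_int A.B.C.D: print the dotted-quad address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_alias SPEC PRIMARY_ADDR PRIMARY_HEXMASK
# SPEC is an ip4.addr value such as "re0|10.0.0.22/24"; no prefix means /32.
# Prints "conflict" if the alias is in the primary subnet without /32, else "ok".
check_alias() {
    spec=${1#*\|}                 # drop the optional "iface|" part
    addr=${spec%%/*}
    case $spec in
        */*) prefix=${spec#*/} ;;
        *)   prefix=32 ;;
    esac
    mask=$(( $3 ))                # hex netmask as printed by ifconfig
    alias_net=$(( $(ip_to_int "$addr") & mask ))
    primary_net=$(( $(ip_to_int "$2") & mask ))
    if [ "$alias_net" -eq "$primary_net" ] && [ "$prefix" -ne 32 ]; then
        echo conflict
    else
        echo ok
    fi
}

# check_against_ifconfig SPEC: same check, reading ifconfig output on stdin
check_against_ifconfig() {
    set -- "$1" $(first_inet)
    check_alias "$1" "$2" "$3"
}

printf '%s\n' "$SAMPLE_IFCONFIG" | check_against_ifconfig 're0|10.0.0.22/24'
```

On a live host the sample variable would be replaced by piping `ifconfig re0` into `check_against_ifconfig`.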