Please help!
What is wrong in my configuration? Where should I look for the error?
I upgraded the system to releng/12.3, but I got the same behaviour.
Code:
[root:~]# uname -a
FreeBSD hostname 12.2-RELEASE-p10 FreeBSD 12.2-RELEASE-p10 12803d8a99c(releng/12.2) CUSTOM amd64
On the host machine:
Code:
# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 1 mtu 1500
options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
ether 00:1b:21:d2:a5:b3
inet 176.124.147.86 netmask 0xffffffc0 broadcast 176.124.147.127
media: Ethernet 1000baseT (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=81209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
ether 90:e2:ba:80:fc:a7
inet 10.108.1.1 netmask 0xffffff00 broadcast 10.108.1.255
inet 10.108.1.12 netmask 0xffffffff broadcast 10.108.1.12
media: Ethernet 1000baseT (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
...
Code:
# cat /etc/jail.conf
ds {
host.hostname = "ds"; # Hostname
ip4.addr = "10.108.1.12"; # IP address of the jail
interface = "em1";
exec.prestart = "";
exec.poststop = "";
}
Code:
[root:~]# ipfw show
00100 4008317 3317890748 reass ip from any to any via em0
00200 0 0 check-state :default
00300 1433928 714756256 allow ip from any to any via em1
00400 0 0 allow ip from any to any via em2
00500 150274 42378685 allow ip from any to any via em3
00600 0 0 allow ip from any to any via em4
00700 1229804 474111138 allow ip from any to any via lo0
00800 2 92 nat 100 ip from 10.108.1.12 to any via em0
00900 0 0 allow ip from any to any frag
01000 0 0 deny ip from any to any not verrevpath via em0
01100 0 0 deny ip from any to any not antispoof via em0
01200 1577 85211 allow icmp from any to any
01300 124 6997 allow tcp from any to me 21 setup keep-state :default
01400 1127 61223 allow tcp from any to me 40000-50000 setup keep-state :default
01500 203 19907 allow tcp from any to me 5432 setup keep-state :default
01600 0 0 allow tcp from 10.0.0.0/8 to me 3306 setup keep-state :default
01700 155 9300 deny ip from me to any 25 setup keep-state :default
01800 2 80 deny ip from any to me 25 via em0 keep-state :default
01900 11933 11413892 allow tcp from me to any 80,443 setup keep-state :default
02000 155 18243 allow tcp from any to any 53 setup keep-state :default
02100 11458 2097558 allow udp from any to any 53 keep-state :default
02200 62610 49601879 allow tcp from any to me 80 setup limit src-addr 108 :default
02300 2336851 2496064782 allow tcp from any to me 443 setup limit src-addr 108 :default
02400 1685 1886569 allow tcp from any to me 8888 setup limit src-addr 108 :default
02500 29 1376 allow tcp from any to me 108,22 setup keep-state :default
02600 0 0 allow udp from me to any 123 keep-state :default
02700 0 0 deny ip from any to 0.0.0.0/8 via em0
02800 0 0 deny ip from any to 169.254.0.0/16 via em0
02900 0 0 deny ip from any to 192.0.2.0/24 via em0
03000 0 0 deny ip from any to 224.0.0.0/4 via em0
03100 7547 882381 deny ip from any to 240.0.0.0/4 via em0
03200 0 0 deny ip from table(0) to any
03300 0 0 deny log logamount 500 ip from me to table(1)
03400 1573073 755750158 nat 100 ip from any to any via em0
03500 0 0 deny log logamount 100000 ip from any to any
65535 14 1866 allow ip from any to any
Code:
[root:~]# sockstat -l4 | grep 53
unbound unbound 83079 3 udp4 10.108.1.1:53 *:*
unbound unbound 83079 4 tcp4 10.108.1.1:53 *:*
unbound unbound 83079 5 udp4 10.108.1.12:53 *:* <------------------
unbound unbound 83079 6 tcp4 10.108.1.12:53 *:*
unbound unbound 83079 7 udp4 10.108.2.1:53 *:*
unbound unbound 83079 8 tcp4 10.108.2.1:53 *:*
unbound unbound 83079 9 udp4 10.108.3.1:53 *:*
unbound unbound 83079 10 tcp4 10.108.3.1:53 *:*
unbound unbound 83079 15 udp4 127.0.0.1:53 *:*
unbound unbound 83079 16 tcp4 127.0.0.1:53 *:*
unbound unbound 83079 17 udp4 10.108.4.1:53 *:*
unbound unbound 83079 18 tcp4 10.108.4.1:53 *:*
unbound unbound 83079 20 tcp4 127.0.0.1:8953 *:*
nsd nsd 82197 5 udp4 176.124.147.86:53 *:*
nsd nsd 82197 6 tcp4 176.124.147.86:53 *:*
nsd nsd 82196 5 udp4 176.124.147.86:53 *:*
nsd nsd 82196 6 tcp4 176.124.147.86:53 *:*
nsd nsd 60237 5 udp4 176.124.147.86:53 *:*
nsd nsd 60237 6 tcp4 176.124.147.86:53 *:*
nsd nsd 60236 5 udp4 176.124.147.86:53 *:*
nsd nsd 60236 6 tcp4 176.124.147.86:53 *:*
Inside the jail ds:
Code:
➜ / ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 1 mtu 1500
options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
ether 00:1b:21:d2:a5:b3
media: Ethernet 1000baseT (1000baseT <full-duplex>)
status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=81209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
ether 90:e2:ba:80:fc:a7
inet 10.108.1.12 netmask 0xffffffff broadcast 10.108.1.12
media: Ethernet 1000baseT (1000baseT <full-duplex>)
status: active
Code:
➜ / getaddrinfo ya.ru
getaddrinfo: Name does not resolve
➜ /
Result of tcpdump on the host machine:
Code:
# tcpdump -ilo0 port 53
12:32:57.975594 IP 10.108.1.12.57977 > 10.108.1.12.domain: 12187+ A? ya.ru. (23)
12:32:58.054052 IP 10.108.1.12.domain > 10.108.1.12.57977: 12187 1/0/0 A 87.250.250.242 (39)
12:33:02.982464 IP 10.108.1.12.57977 > 10.108.1.12.domain: 12187+ A? ya.ru. (23)
12:33:02.982574 IP 10.108.1.12.domain > 10.108.1.12.57977: 12187 1/0/0 A 87.250.250.242 (39)
12:33:13.038802 IP 10.108.1.12.24044 > 10.108.1.12.domain: 35156+ AAAA? ya.ru. (23)
12:33:13.112982 IP 10.108.1.12.domain > 10.108.1.12.24044: 35156 1/0/0 AAAA 2a02:6b8::2:242 (51)
12:33:18.041204 IP 10.108.1.12.24044 > 10.108.1.12.domain: 35156+ AAAA? ya.ru. (23)
12:33:18.041312 IP 10.108.1.12.domain > 10.108.1.12.24044: 35156 1/0/0 AAAA 2a02:6b8::2:242 (51)
This is a truss trace of the getaddrinfo run. Note that the query is sent to 127.0.0.1:53, but the reply comes back from 10.108.1.12:53, after which the resolver keeps polling until the 5-second timeout, so the reply appears not to be accepted:
Code:
0.003748492 mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34366791680 (0x8006ba000)
0.003790758 socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0) = 3 (0x3)
0.003823702 connect(3,{ AF_INET 127.0.0.1:53 },16) = 0 (0x0)
0.003870634 sendto(3,"\M-l"\^A\0\0\^A\0\0\0\0\0\0\^Bya"...,23,0,NULL,0) = 23 (0x17)
0.214132672 poll({ 3/POLLRDNORM },1,5000) = 1 (0x1)
0.214170561 recvfrom(3,"\M-l"\M^A\M^@\0\^A\0\^A\0\0\0\0"...,65536,0,{ AF_INET 10.108.1.12:53 },0x7fffffffcb78) = 39 (0x27) <-------------------------------- 5 seconds
5.027590716 poll({ 3/POLLRDNORM },1,4789) = 0 (0x0)
5.027711767 sendto(3,"\M-l"\^A\0\0\^A\0\0\0\0\0\0\^Bya"...,23,0,NULL,0) = 23 (0x17)
5.027788954 poll({ 3/POLLRDNORM },1,10000) = 1 (0x1)
5.027819955 recvfrom(3,"\M-l"\M^A\M^@\0\^A\0\^A\0\0\0\0"...,65536,0,{ AF_INET 10.108.1.12:53 },0x7fffffffcb78) = 39 (0x27)
15.048610172 poll({ 3/POLLRDNORM },1,9999) = 0 (0x0)
15.048707283 close(3) = 0 (0x0)
15.048752068 socket(PF_INET,SOCK_DGRAM|SOCK_CLOEXEC,0) = 3 (0x3)
15.048787800 connect(3,{ AF_INET 127.0.0.1:53 },16) = 0 (0x0)
15.048845592 sendto(3,"\M-a\M-s\^A\0\0\^A\0\0\0\0\0\0"...,23,0,NULL,0) = 23 (0x17)
15.057370310 poll({ 3/POLLRDNORM },1,5000) = 1 (0x1)
15.057398968 recvfrom(3,"\M-a\M-s\M^A\M^@\0\^A\0\^A\0\0\0"...,65536,0,{ AF_INET 10.108.1.12:53 },0x7fffffffcb78) = 51 (0x33)
20.078299792 poll({ 3/POLLRDNORM },1,4991) = 0 (0x0)
20.078428565 sendto(3,"\M-a\M-s\^A\0\0\^A\0\0\0\0\0\0"...,23,0,NULL,0) = 23 (0x17)
20.078507334 poll({ 3/POLLRDNORM },1,10000) = 1 (0x1)
20.078537445 recvfrom(3,"\M-a\M-s\M^A\M^@\0\^A\0\^A\0\0\0"...,65536,0,{ AF_INET 10.108.1.12:53 },0x7fffffffcb78) = 51 (0x33)
30.096357048 poll({ 3/POLLRDNORM },1,9999) = 0 (0x0)
30.096433347 close(3) = 0 (0x0)
Code:
➜ / drill ya.ru
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 35596
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; ya.ru. IN A
;; ANSWER SECTION:
ya.ru. 485 IN A 87.250.250.242
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 23 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu Feb 3 12:06:14 2022
;; MSG SIZE rcvd: 39
➜ /
Result of tcpdump on the host machine:
Code:
# tcpdump -ilo0 port 53
12:49:22.192933 IP 10.108.1.12.27080 > 10.108.1.12.domain: 38718+ A? ya.ru. (23)
12:49:22.193004 IP 10.108.1.12.domain > 10.108.1.12.27080: 38718 1/0/0 A 87.250.250.242 (39)
This is a truss trace of the drill run (it uses an unconnected UDP socket and accepts the reply immediately):
Code:
0.006090504 mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34371297280 (0x800b06000)
0.006128069 socket(PF_INET,SOCK_DGRAM,IPPROTO_UDP) = 3 (0x3)
0.006180969 sendto(3,"I\M-J\^A\0\0\^A\0\0\0\0\0\0\^Bya"...,23,0,{ AF_INET 127.0.0.1:53 },16) = 23 (0x17)
0.027699108 poll({ 3/POLLIN|POLLERR },1,5000) = 1 (0x1)
0.027728641 fcntl(3,F_GETFL,) = 2 (0x2)
0.027752929 fcntl(3,F_SETFL,O_RDWR|O_NONBLOCK) = 0 (0x0)
0.027778431 mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34371301376 (0x800b07000)
0.027809207 recvfrom(3,"I\M-J\M^A\M^@\0\^A\0\^A\0\0\0\0"...,65535,0,NULL,0x0) = 39 (0x27) <--------------------------
0.027876694 close(3) = 0 (0x0)
0.027948126 mmap(0x0,69632,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34371371008 (0x800b18000)
0.027995761 access("/etc/localtime",R_OK) = 0 (0x0)
0.028025320 open("/etc/localtime",O_RDONLY,011022134) = 3 (0x3)
0.028046004 fstat(3,{ mode=-r--r--r-- ,inode=3690184,size=1518,blksize=4096 }) = 0 (0x0)
0.028088605 read(3,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0"...,41448) = 1518 (0x5ee)
0.028133640 close(3) = 0 (0x0)
0.028163254 mmap(0x0,24576,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34371440640 (0x800b29000)
0.028186528 issetugid() = 0 (0x0)
0.028212318 open("/usr/share/zoneinfo/posixrules",O_RDONLY,00) = 3 (0x3)
0.028232102 fstat(3,{ mode=-r--r--r-- ,inode=3699347,size=3519,blksize=4096 }) = 0 (0x0)
0.028255601 mmap(0x0,53248,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34371465216 (0x800b2f000)
0.028306604 read(3,"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0"...,41448) = 3519 (0xdbf)
0.028352460 close(3) = 0 (0x0)
Sending and connecting to the outside from the jail does not work, neither by name nor by IP address. The rest of the functionality works perfectly.
I can't figure out what is wrong.