From owner-FreeBSD-users-jp@jp.FreeBSD.org Sat Feb 19 11:49:54 2011
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id p1J2nsa53272;
	Sat, 19 Feb 2011 11:49:54 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from pis.elm.toba-cmt.ac.jp (pis.elm.toba-cmt.ac.jp [202.26.248.196])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id p1J2nsg53267
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Sat, 19 Feb 2011 11:49:54 +0900 (JST)
	(envelope-from kiri@pis.elm.toba-cmt.ac.jp)
Received: from kiri.pis.pis.elm.toba-cmt.ac.jp (localhost [127.0.0.1])
	by pis.elm.toba-cmt.ac.jp (8.14.3/8.14.2) with ESMTP id p1J2nkb5053505
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Sat, 19 Feb 2011 11:49:48 +0900 (JST)
	(envelope-from kiri@pis.elm.toba-cmt.ac.jp)
Message-Id: <201102190249.p1J2nkb5053505@pis.elm.toba-cmt.ac.jp>
From: KIRIYAMA Kazuhiko <kiri@pis.elm.toba-cmt.ac.jp>
To: FreeBSD-users-jp@jp.FreeBSD.org
User-Agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.8
 (=?ISO-8859-4?Q?Shij=F2?=) APEL/10.6 MULE XEmacs/21.4 (patch 21)
 (Educational Television) (i386--freebsd)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=ISO-2022-JP
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
Date: Sat, 19 Feb 2011 11:49:46 +0900
X-Sequence: FreeBSD-users-jp 93358
Subject: [FreeBSD-users-jp 93358] Can't through gateway within jail
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: kiri@pis.elm.toba-cmt.ac.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+060209

Kiriyama here.

After upgrading from 8.0-STABLE to 8.2-PRERELEASE, I can no longer get past the gateway from the jail environments behind NAT, and I am stuck. The network is as follows.
                                              202.26.248.32/27
------------------------+-------------------------------------
                        |202.26.248.53
 +--NAT box(natd)-------+-------------------------+
 |                    bge0                        |
 |                t2.st.toba-cmt.ac.jp            |
 |         +------+------+------+------+--------+ |
 |firewall |  ns  | mail |  web |  ftp |diskless| |
 |   bge1  | bge1 | bge1 | bge1 | bge1 |  bge1  | |
 +----+----+--+---+--+---+--+---+--+---+----+---+-+
      |254    |2     |3     |4     |5       |1   192.168.2.0/24
------+-------+------+------+------+--------+------------------

Here,

t2# jls
   JID  IP Address      Hostname                      Path
     1  192.168.2.4     web.cct2                      /jails/web
     2  192.168.2.2     ns.cct2                       /jails/ns
     3  192.168.2.3     mail.cct2                     /jails/mail
     5  192.168.2.1     diskless.cct2                 /jails/diskless
     7  192.168.2.5     ftp.cct2                      /jails/ftp
t2# ping -c 3 202.26.248.4
PING 202.26.248.4 (202.26.248.4): 56 data bytes
64 bytes from 202.26.248.4: icmp_seq=0 ttl=63 time=0.185 ms
64 bytes from 202.26.248.4: icmp_seq=1 ttl=63 time=0.179 ms
64 bytes from 202.26.248.4: icmp_seq=2 ttl=63 time=0.179 ms

--- 202.26.248.4 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.179/0.181/0.185/0.003 ms
t2# ping -c 3 192.168.2.4
PING 192.168.2.4 (192.168.2.4): 56 data bytes
64 bytes from 192.168.2.4: icmp_seq=0 ttl=64 time=0.017 ms
64 bytes from 192.168.2.4: icmp_seq=1 ttl=64 time=0.021 ms
64 bytes from 192.168.2.4: icmp_seq=2 ttl=64 time=0.018 ms

--- 192.168.2.4 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.017/0.019/0.021/0.002 ms
t2# jexec 7 tcsh
ftp# ping -c 3 192.168.2.4
PING 192.168.2.4 (192.168.2.4): 56 data bytes
64 bytes from 192.168.2.4: icmp_seq=0 ttl=64 time=0.017 ms
64 bytes from 192.168.2.4: icmp_seq=1 ttl=64 time=0.021 ms
64 bytes from 192.168.2.4: icmp_seq=2 ttl=64 time=0.010 ms

--- 192.168.2.4 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.010/0.016/0.021/0.005 ms
ftp# ping -c 3 202.26.248.4
PING 202.26.248.4 (202.26.248.4): 56 data bytes

--- 202.26.248.4 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
ftp# 

That is how it is. For the time being,

t2# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            202.26.248.33      UGS        12     1785   bge0
127.0.0.1          link#3             UH          0       11    lo0
192.168.2.0/24     link#2             U           6     1458   bge1
192.168.2.1        link#2             UHS         0     1459    lo0 =>
192.168.2.1/32     link#2             U           0        0   bge1
192.168.2.2        link#2             UHS         0     1471    lo0 =>
192.168.2.2/32     link#2             U           0        0   bge1
192.168.2.3        link#2             UHS         0     1459    lo0 =>
192.168.2.3/32     link#2             U           0        0   bge1
192.168.2.4        link#2             UHS         0     1463    lo0 =>
192.168.2.4/32     link#2             U           0        0   bge1
192.168.2.5        link#2             UHS         0      803    lo0 =>
192.168.2.5/32     link#2             U           0        0   bge1
192.168.2.254      link#2             UHS         0        0    lo0
202.26.248.32/27   link#1             U           1     1458   bge0
202.26.248.53      link#1             UHS         0        0    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH          lo0
fe80::%lo0/64                     link#3                        U           lo0
fe80::1%lo0                       link#3                        UHS         lo0
ff01:3::/32                       fe80::1%lo0                   U           lo0
ff02::%lo0/32                     fe80::1%lo0                   U           lo0
t2# ifconfig 
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether d4:85:64:39:70:82
        inet 202.26.248.53 netmask 0xffffffe0 broadcast 202.26.248.63
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether d4:85:64:39:70:83
        inet 192.168.2.254 netmask 0xffffff00 broadcast 192.168.2.255
        inet 192.168.2.4 netmask 0xffffffff broadcast 192.168.2.4
        inet 192.168.2.2 netmask 0xffffffff broadcast 192.168.2.2
        inet 192.168.2.3 netmask 0xffffffff broadcast 192.168.2.3
        inet 192.168.2.1 netmask 0xffffffff broadcast 192.168.2.1
        inet 192.168.2.5 netmask 0xffffffff broadcast 192.168.2.5
        media: Ethernet autoselect (1000baseT <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
        inet6 ::1 prefixlen 128 
        inet 127.0.0.1 netmask 0xff000000 
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
t2# sysctl -a|grep jail
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.param.linux.oss_version: 0
security.jail.param.linux.osrelease: 65
security.jail.param.linux.osname: 65
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.jailed: 0
t2# 

That is how things look, but security.jail.allow_raw_sockets is set to 1. In any case, I copied the environment that is actually running on 8.0-STABLE almost as-is, so I am puzzled (???). The symptom is that "the default route cannot be seen from inside the jail environment"; is there something that now needs to be configured in 8.2-*?
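Added example (not part of the message above and not a FreeBSD tool): a Python script that reads saved `jls` and `netstat -rn` output like the one quoted in this post, performs a longest-prefix route lookup for a destination, and reports, for each jail address, which gateway and interface the host routing table selects and whether the jail's source address belongs to a network connected on that egress interface. Because a non-VIMAGE jail shares the host's routing table, the lookup result is the same for every jail; what differs per jail is the source address, and a 192.168.2.x source leaving bge0 can only be answered if the NAT box translates it. The sample input is copied (abridged) from the post; the `needs_translation` flag and the tie-breaking rule (among equal prefix lengths the first listed route wins) are this example's own assumptions, not a diagnosis of the problem in the post.

```python
"""Route lookup for jail addresses from saved `jls` / `netstat -rn` output.

Added example; not code from the post or from FreeBSD. It reads text copied
from the message (constructed sample input below) and reports which route
the shared host routing table picks for a destination, per jail address.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the jls and netstat -rn output quoted in the post (abridged).
JLS_OUTPUT = """\
   JID  IP Address      Hostname                      Path
     1  192.168.2.4     web.cct2                      /jails/web
     2  192.168.2.2     ns.cct2                       /jails/ns
     3  192.168.2.3     mail.cct2                     /jails/mail
     5  192.168.2.1     diskless.cct2                 /jails/diskless
     7  192.168.2.5     ftp.cct2                      /jails/ftp
"""

NETSTAT_OUTPUT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            202.26.248.33      UGS        12     1785   bge0
127.0.0.1          link#3             UH          0       11    lo0
192.168.2.0/24     link#2             U           6     1458   bge1
192.168.2.1        link#2             UHS         0     1459    lo0 =>
192.168.2.1/32     link#2             U           0        0   bge1
192.168.2.4        link#2             UHS         0     1463    lo0 =>
192.168.2.4/32     link#2             U           0        0   bge1
192.168.2.5        link#2             UHS         0      803    lo0 =>
192.168.2.5/32     link#2             U           0        0   bge1
192.168.2.254      link#2             UHS         0        0    lo0
202.26.248.32/27   link#1             U           1     1458   bge0
202.26.248.53      link#1             UHS         0        0    lo0

Internet6:
::1                               ::1                           UH          lo0
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_destination(dest: str) -> ipaddress.IPv4Network:
    """Convert a netstat Destination column into a network: 'default' is 0.0.0.0/0,
    a bare address is a /32 host route, and a shortened network such as
    '192.168.2/24' is padded with .0 octets."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if "/" not in dest:
        return ipaddress.IPv4Network(dest + "/32")
    addr, plen = dest.split("/", 1)
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)


def parse_netstat(text: str) -> list[Route]:
    """Read the IPv4 section of `netstat -rn`; columns are
    Destination Gateway Flags Refs Use Netif [Expire] [=>]."""
    routes: list[Route] = []
    in_inet4 = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet4 = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_inet4 or not line.strip() or line.startswith("Destination"):
            continue
        cols = line.split()
        routes.append(Route(parse_destination(cols[0]), cols[1], cols[2], cols[5]))
    return routes


def parse_jls(text: str) -> dict[str, str]:
    """Map jail hostname -> IPv4 address from the single-IP `jls` listing."""
    return {cols[2]: cols[1]
            for cols in (line.split() for line in text.splitlines())
            if len(cols) >= 4 and cols[0].isdigit()}


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match. Among equal prefix lengths the first route listed
    wins; that is this example's simplification of the kernel's choice."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def source_on_egress(routes: list[Route], src: str, netif: str) -> bool:
    """True if src belongs to a network directly connected on netif (no 'G' flag)."""
    addr = ipaddress.IPv4Address(src)
    return any(addr in r.prefix for r in routes
               if r.netif == netif and "G" not in r.flags and r.prefix.prefixlen < 32)


def diagnose(jls_text: str, netstat_text: str, dst: str) -> dict[str, dict]:
    """Per jail: the gateway/interface the shared table selects for dst, and whether
    the jail's source address would leave that interface untranslated (assumption:
    a route via lo0 is local delivery, since the jail addresses are host aliases)."""
    routes = parse_netstat(netstat_text)
    route = lookup(routes, dst)  # one table, so one answer for every jail
    report = {}
    for name, ip in parse_jls(jls_text).items():
        leaves_host = route is not None and route.netif != "lo0"
        report[name] = {
            "src": ip,
            "via": route.gateway if route else None,
            "netif": route.netif if route else None,
            "needs_translation": leaves_host and not source_on_egress(routes, ip, route.netif),
        }
    return report


if __name__ == "__main__":
    for target in ("202.26.248.4", "192.168.2.4"):
        for jail, info in diagnose(JLS_OUTPUT, NETSTAT_OUTPUT, target).items():
            print(target, jail, info)
```

Run it as-is to see the two cases from the post side by side: for 192.168.2.4 every jail resolves to a host route on lo0 (local delivery, which matches the successful in-jail ping), while for 202.26.248.4 the table hands every jail to the default gateway on bge0 with a 192.168.2.x source that has to be rewritten by the NAT box before a reply can come back. Replace the two constants with your own saved output to check another host.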
