"ping: sendto: Can't assign requested address" in Jail


mbs
February 5th, 2009, 09:13
Hello,

I am experiencing a strange issue with a jail: I cannot ping outside of the box. I always get this message when trying to ping google: ping: sendto: Can't assign requested address

My jail IP is 127.0.0.2; I can ping 127.0.0.1. I have set up pf to NAT 127.0.0.0/8 to my external IP.

Here is my sysctl configuration related to jails:

# sysctl -a | grep jail
security.jail.jailed: 0
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1

Do you guys have an idea of what's wrong with my setup?

honk
February 15th, 2009, 23:48
Why do you want to use 127.0.0.2 as the jail IP address? I have never seen such a setup.

mbs
February 16th, 2009, 08:12
Yes, I want to use a local address as the jail address. My box is hosted in a datacenter and I only have one public IP address. I am open to any other suggestion, but my main idea is to use a private address and NAT/PAT to access the jail from the internet.

SirDice
February 16th, 2009, 10:30
127.0.0.2 is not a private address; it's a localhost-only address. Use RFC 1918 addresses if you don't have another public IP address.


127.0.0.0/8 - This block is assigned for use as the Internet host
loopback address. A datagram sent by a higher level protocol to an
address anywhere within this block should loop back inside the host.
This is ordinarily implemented using only 127.0.0.1/32 for loopback,
but no addresses within this block should ever appear on any network
anywhere [RFC1700, page 5].

http://www.rfc-editor.org/rfc/rfc3330.txt
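An added example, not code from this thread: a small POSIX sh script that applies SirDice's point (and checks mbs's setup) before any pf rule is written. It classifies a candidate jail address as 127.0.0.0/8 loopback, RFC 1918 private, or public, refuses to emit NAT rules for a loopback address because such a datagram never leaves the host, and otherwise prints the pf.conf fragment for a one-public-IP host: a nat rule for the jail's outbound traffic and an rdr rule forwarding one TCP port in. The interface name em0, the public address 203.0.113.10 and port 80 used below are assumed values for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Validates a jail address and prints pf
# NAT/rdr rules for it. Interface/address/port values are illustrative.

# ip_to_int A.B.C.D -> prints the address as an unsigned 32-bit integer,
# returns 1 on anything that is not a well-formed dotted quad
ip_to_int() {
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case $o in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-numeric, or leading zero (octal trap)
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr A.B.C.D NET/PREFIX -> exit 0 if the address lies inside the block
in_cidr() {
    addr=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# jail_ip_class A.B.C.D -> prints "loopback", "private" or "public"
jail_ip_class() {
    if in_cidr "$1" 127.0.0.0/8; then
        echo loopback
    elif in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16; then
        echo private
    else
        echo public
    fi
}

# jail_nat_rules JAILIP EXTIF EXTIP [PORT] -> prints a pf.conf fragment;
# exits 1 for a loopback jail address (RFC 3330: 127/8 must not appear on
# any network, so NAT cannot carry it), exits 2 for a malformed address
jail_nat_rules() {
    jail_ip=$1; ext_if=$2; ext_ip=$3; port=${4:-80}
    ip_to_int "$jail_ip" >/dev/null || { echo "bad address: $jail_ip" >&2; return 2; }
    case $(jail_ip_class "$jail_ip") in
        loopback)
            echo "refusing $jail_ip: 127.0.0.0/8 never leaves the host, NAT cannot work" >&2
            return 1 ;;
        public)
            echo "note: $jail_ip is public; NAT is not needed for it" >&2 ;;
    esac
    cat <<EOF
# pf.conf fragment for a jail on $jail_ip behind $ext_if ($ext_ip)
ext_if = "$ext_if"
ext_ip = "$ext_ip"
jail_ip = "$jail_ip"
# outbound: rewrite the jail's private source address to the public one
nat on \$ext_if from \$jail_ip to any -> \$ext_ip
# inbound: forward one service port from the public address to the jail
rdr on \$ext_if proto tcp from any to \$ext_ip port $port -> \$jail_ip port $port
# filtering happens after translation, so pass to the jail address
pass in on \$ext_if proto tcp from any to \$jail_ip port $port
EOF
}

# command-line use: jail_nat_rules JAILIP EXTIF EXTIP [PORT]
[ $# -gt 0 ] && jail_nat_rules "$@"
```

Running `sh jail_nat.sh 10.0.0.2 em0 203.0.113.10 80` prints rules for a jail on 10.0.0.2; with the original 127.0.0.2 it prints the refusal and exits non-zero instead. The nat/rdr syntax is the classic FreeBSD pf form; the fragment still has to be loaded with pfctl on the host, and the jail's RFC 1918 address must be configured as an alias on a host interface (commonly a cloned lo1, not lo0) so the host's stack will route for it.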

honk
February 18th, 2009, 00:38
But the idea of using 127.0.0.2 for such a jail setup is ... creative! :)

I'm interested in why it shouldn't work. If packets arrive at this host and are NATed to a localhost address, why should it not work? We are already on the same, local host. Maybe only datagrams in the outgoing direction are a problem, because it's not allowed to send out (to the NAT instance) with a localhost address? Or is it just ping which doesn't work, and the service in the jail works with the NATing? At least the default MTU of 16384 bytes on the loopback interface could lead to undesirable behaviour.

@mbs: Where/how did you configure the IP 127.0.0.2 on the host system? As an alias on lo0? Could you send an "ifconfig -a" and a "netstat -rn", please?

cheers,
honk

SirDice
February 18th, 2009, 08:54
I'm interested in why it shouldn't work. If packets arrive at this host and are NATed to a localhost address, why should it not work?
Who would do the NAT? The host? If the host translates it back to 127.0.0.2, it will send it to itself, not the jail. If the jail does the NAT, it would need an addressable IP address, defeating the idea of using 127.0.0.2.

We are already on the same, local host.
I think, technically, we're not. The jail is more or less a virtual machine.