"ping: sendto: Can't assign requested address" in Jail

Hello,

I am experiencing a strange issue with a jail: I cannot ping outside of the box; I always get this message when trying to ping google:
Code:
ping: sendto: Can't assign requested address

My jail IP is 127.0.0.2; I can ping 127.0.0.1. I have set up PF to NAT 127.0.0.0/8 to my external IP.

Here is my sysctl configuration related to jails:
Code:
# sysctl -a | grep jail
security.jail.jailed: 0
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
Do you guys have an idea of what's wrong with my setup?
 
Yes, I want to use a local address as the jail address. My box is hosted in a datacenter and I only have one public IP address. I am open to any other suggestion, but my main idea is to use a private address and to use NAT/PAT to access the jail from the internet.
 
127.0.0.2 is not a private address, it's a localhost only address. Use RFC-1918 addresses if you don't have another public IP address.

127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5].

http://www.rfc-editor.org/rfc/rfc3330.txt
 
But the idea to use 127.0.0.2 for such a jail-setup is ... creative! :)

I'm interested in why it shouldn't work. If packets arrive at this host and are NATed to a localhost address, why should it not work? We are already on the same, local host. Maybe only datagrams in the outgoing direction are a problem, because it's not allowed to send out (to the NAT instance) with a localhost address? Or is it just ping that doesn't work, and the service in the jail works with the NATing? At least the default MTU of 16384 bytes on the loopback interface could lead to undesirable behavior.

@mbs: Where/how did you configure the IP 127.0.0.2 on the host system? As an alias on lo0? Could you post the output of "ifconfig -a" and "netstat -rn", please?

cheers,
honk
 
honk said:
I'm interested in why it shouldn't work. If packets arrive at this host and are NATed to a localhost address, why should it not work?
Who would do the NAT? The host? If the host translates it back to 127.0.0.2 it will send it to itself not the jail. If the jail does the NAT it would need an addressable IP address defeating the idea of using 127.0.0.2.

We are already on the same and local host.
I think, technically, we're not. The jail is more or less a virtual machine.
 
You can use 127.0.0.x as the jail's IP by setting interface=lo0 in jail.conf, but the jail cannot access the network. A pf rule is needed for the jail to access the network, but pf cannot easily differentiate between 127.0.0.1 and 127.0.0.x unless a complex rule is written, so you'd better use a separate subnet recommended by RFC-1918 (10.x.x.x, 192.168.x.x, 172.16.0.0 - 172.31.255.255).

To allow networking, first, an interface must be specified in jail.conf. That interface must exist in the host's ifconfig and have an alias containing the subnet of the jail's IP address, because the value of ip4.addr= in jail.conf will be added to the interface specified in interface=. If the subnet of ip4.addr doesn't exist on that interface, the jail's IP won't be added.

The easiest setup is to use a jail IP in the same subnet as the host, which is the same subnet as the gateway. I.e., if em0 of the host uses IP 192.168.0.5 with gateway 192.168.0.1, then the jail IP should be in the range 192.168.0.x.

For a host with only one public IP, i.e. 61.x.x.x, you have to use a private subnet by adding a subnet to the network interface as an alias, specify the jail's IP under that subnet, then use pf to NAT that subnet to the public IP.

/etc/rc.conf
Code:
ifconfig_em0_alias0="inet 192.168.1.1 netmask 255.255.255.0"

/etc/jail.conf
Code:
allow.raw_sockets = 1; # allow ping
...
interface="em0"; # add ip4.addr to this interface
name {
  host.hostname = "name.local";
  ip4.addr = "192.168.1.4";
}

/etc/pf.conf
Code:
IP_PUB="61.x.x.x"            # the host's single public address
NET_JAIL="192.168.1.0/24"    # the alias subnet the jail IPs live in
# translate jail traffic leaving em0 to the public IP
nat pass on em0 from $NET_JAIL to any -> $IP_PUB
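The two checks the thread keeps coming back to are (a) the jail address must not be in 127.0.0.0/8, because loopback addresses never leave the host, and (b) it must fall inside a subnet that is already configured as an alias on the interface named in interface=, otherwise jail(8) cannot add it. The script below, added here as an illustration and not code from the thread or from FreeBSD, does both checks in plain POSIX sh, then emits the matching pf NAT rule. The alias list HOST_ALIASES, the public address 203.0.113.5 and the candidate jail IPs are constructed sample data; on a real host you would feed it the inet lines from ifconfig(8) on the interface in question.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a candidate jail IP
# against the host's interface aliases before writing jail.conf/pf.conf.

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Count the one bits of a dotted-quad netmask (255.255.255.0 -> 24).
mask2prefix() {
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

# in_subnet IP NETWORK NETMASK: true when IP and NETWORK share the masked bits.
in_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# 127.0.0.0/8 must never appear on a network (RFC 3330), so it cannot be NATed out.
is_loopback() { in_subnet "$1" 127.0.0.0 255.0.0.0; }

# The three RFC 1918 blocks the thread recommends instead.
is_rfc1918() {
    in_subnet "$1" 10.0.0.0 255.0.0.0 ||
    in_subnet "$1" 172.16.0.0 255.240.0.0 ||
    in_subnet "$1" 192.168.0.0 255.255.0.0
}

# jail_ip_ok IP ALIASES: ALIASES is newline-separated "inet ADDR netmask MASK"
# lines as ifconfig(8) prints them. Returns 0 and explains if IP is usable.
jail_ip_ok() {
    ip=$1; aliases=$2
    if is_loopback "$ip"; then
        echo "reject: $ip is in 127.0.0.0/8; loopback addresses never leave the host"
        return 1
    fi
    # Here-document instead of a pipe so 'return' works in the loop body.
    while read -r kw addr nmkw mask; do
        [ "$kw" = inet ] || continue
        if in_subnet "$ip" "$addr" "$mask"; then
            if is_rfc1918 "$ip"; then
                echo "ok: $ip is on alias $addr/$(mask2prefix "$mask"); private, so a pf nat rule is required"
            else
                echo "ok: $ip is on alias $addr/$(mask2prefix "$mask"); routable, no nat needed"
            fi
            return 0
        fi
    done <<EOF
$aliases
EOF
    echo "reject: no alias on the interface covers $ip, so jail(8) cannot add it"
    return 1
}

# pf_nat_rule IFACE PUBLIC_IP ALIAS_ADDR NETMASK: the nat line for pf.conf.
pf_nat_rule() {
    net=$(ip2int "$3"); m=$(ip2int "$4")
    echo "nat pass on $1 from $(int2ip $(( net & m )))/$(mask2prefix "$4") to any -> $2"
}

# Constructed sample data standing in for 'ifconfig em0' output and the public IP.
HOST_ALIASES='inet 192.168.1.1 netmask 255.255.255.0
inet 10.9.0.1 netmask 255.255.0.0'
IP_PUB=203.0.113.5

for candidate in 127.0.0.2 192.168.2.4 192.168.1.4; do
    jail_ip_ok "$candidate" "$HOST_ALIASES" || :
done
pf_nat_rule em0 "$IP_PUB" 192.168.1.1 255.255.255.0
```

Run as-is it rejects 127.0.0.2 (the original poster's choice) and 192.168.2.4 (no alias covers it), accepts 192.168.1.4, and prints the same nat line as the pf.conf above with the subnet derived from the alias rather than typed by hand.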
 