weird jail networking and keymap issues

I just started getting into jails and ran into some issues. Networking INTO the jail works fine, but networking OUT of the jail doesn't. Not only does ping not work (for which I did fix the appropriate jail sysctl), but no ftp, no telnet, no ssh, nothing can get out. Additionally my keymap inside the jail seems screwed (finnish chars don't work) for some reason even though the rc.conf keymap setting is the same as it is on the host, where they key map works as it should.


First, I create the 10.0.0.21 alias on the host:

Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:51:19:a0
        inet 192.168.1.130 netmask 0xffffff00 broadcast 192.168.1.255
        inet 10.0.0.21 netmask 0xffffffff broadcast 10.0.0.21
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

Then I built my world, installed ezjail and created my jail. Here's the ezjail config for it:

Code:
cat /usr/local/etc/ezjail/semipublic
export jail_semipublic_hostname="semipublic"
export jail_semipublic_ip="10.0.0.21"
export jail_semipublic_rootdir="/usr/jails/semipublic"
export jail_semipublic_exec_start="/bin/sh /etc/rc"
export jail_semipublic_exec_stop=""
export jail_semipublic_mount_enable="YES"
export jail_semipublic_devfs_enable="YES"
export jail_semipublic_devfs_ruleset="devfsrules_jail"
export jail_semipublic_procfs_enable="YES"
export jail_semipublic_fdescfs_enable="YES"
export jail_semipublic_image=""
export jail_semipublic_imagetype=""
export jail_semipublic_attachparams=""
export jail_semipublic_attachblocking=""
export jail_semipublic_forceblocking=""
export jail_semipublic_zfs_datasets=""
export jail_semipublic_cpuset=""
export jail_semipublic_fib=""

Now I brought it up.

Code:
jls
   JID  IP Address      Hostname                      Path
     2  10.0.0.21       jail.semipublic.atombsd       /usr/jails/semipublic

It does respond to ping from the host:

Code:
ping 10.0.0.21
PING 10.0.0.21 (10.0.0.21): 56 data bytes
64 bytes from 10.0.0.21: icmp_seq=0 ttl=64 time=0.047 ms
64 bytes from 10.0.0.21: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 10.0.0.21: icmp_seq=2 ttl=64 time=0.037 ms

Inside the jail:

Code:
ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:51:19:a0
        inet 10.0.0.21 netmask 0xffffffff broadcast 10.0.0.21
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

The jail's rc.conf matches the router settings of the host and resolv.conf is the same as the host:

Code:
cat /etc/rc.conf
hostname="jail.semipublic.atombsd"
ifconfig_em0="inet 10.0.0.21 netmask 255.255.255.255"
defaultrouter="192.168.1.1"
clear_tmp_enable="YES"

cat /etc/resolv.conf
nameserver 192.168.1.1

Ideas?
 
I fixed the rc.conf inside the jail to match the netmask 255.255.255.0 of the hos and changed the defaultrouter from 192.168.1.1 (which is my real router, used by the jail host and other machines on the network) to 192.168.1.130, which is actual jail host and now I can at least ping my jail host from within the jail. However attempts to get any further, like pinging other machines on the LAN still fail.

And for the record:
Code:
security.jail.socket_unixiproute_only: 1 -> 0
security.jail.allow_raw_sockets: 0 -> 1
Do not help.
 
Problem solved: the defaultroute of the jail MUST be in the same subnet as the as ip of the jail, ie, if I have the jail sitting on a 10.0.0.x subnet aliased IP, it cannot go through a 192.168.1.x subnet router. Solved by creating a new 192.168.1.x alias on the jail host and attaching the jail to that IP.
 
Back
Top