Re: RPC request sent to 127.0.0.1 becomes from other IP on machine

From: Benjamin Kaduk <kaduk_at_MIT.EDU>
Date: Thu, 10 Dec 2015 18:49:45 -0500 (EST)

On Thu, 10 Dec 2015, Rick Macklem wrote:

> Hi,
>
> Mark has reported a problem via email where the nfsuserd daemon sees
> requests coming from an IP# assigned to the machine instead of 127.0.0.1.
> Here's a snippet from his message:
>   Ok, I have Plex in a jail and when I scan the remote NFS file share the
>   *local* server's nfsuserd spams the logs.
> Spamming the logs refers to the messages nfsuserd generates when it gets
> a request from an address other than 127.0.0.1.
>
> I think the best solution is to switch nfsuserd over to using an AF_LOCAL
> socket like the gssd uses, but that will take a little coding and probably
> won't be MFCable.
>
> I've sent him the attached patch to try as a workaround.
>
> Does anyone happen to know under what circumstances the address 127.0.0.1
> gets replaced?

My memory is quite hazy on this subject, but I think that outbound traffic
from a jail is not permitted to use the system loopback address 127.0.0.1;
traffic from this address within a jail gets replaced with the jail's
primary IP address.  It is possible to specify an alternate loopback
address for use within the jail (e.g., 127.0.0.2) and if that alternate
address is only bound within the jail, it can be used for outgoing traffic
to the host.  See jail.conf(5); I appear to have something like:

kduck {
    host.hostname = "kduck.mit.edu";
    ip4.addr = lo0|127.0.0.2, 18.18.0.52;
[...]
}

Note that there may be some additional magic about the primary address of
the jail being first (or last?) in the list of addresses.

-Ben
Received on Thu Dec 10 2015 - 22:55:00 UTC
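
The source-address behaviour discussed in this message, as an added example (not nfsuserd's code and not the patch mentioned in the quoted text): a daemon-side check that classifies a request's peer address, showing why a strict 127.0.0.1 test rejects a jail's alternate loopback or primary address. The function names are hypothetical, 192.0.2.7 is a constructed sample, and 127.0.0.2 and 18.18.0.52 are taken from the jail.conf excerpt above.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum src_class { SRC_LOOPBACK_EXACT, SRC_LOOPBACK_NET, SRC_HOST_ADDR, SRC_REMOTE };

/*
 * Classify the peer address of a received request.
 * host_addrs holds the addresses configured on this machine (jail
 * addresses included), e.g. collected at startup with getifaddrs(3).
 */
static enum src_class
classify_source(const struct sockaddr_in *peer,
    const struct in_addr *host_addrs, size_t n)
{
	uint32_t a = ntohl(peer->sin_addr.s_addr);

	if (a == INADDR_LOOPBACK)	/* exactly 127.0.0.1 */
		return SRC_LOOPBACK_EXACT;
	if ((a >> 24) == 127)		/* rest of 127.0.0.0/8, e.g. 127.0.0.2 */
		return SRC_LOOPBACK_NET;
	for (size_t i = 0; i < n; i++)	/* address owned by host or a jail */
		if (host_addrs[i].s_addr == peer->sin_addr.s_addr)
			return SRC_HOST_ADDR;
	return SRC_REMOTE;
}

/* Helper for the sample run: classify a dotted-quad string. */
static enum src_class
classify_str(const char *ip, const struct in_addr *host_addrs, size_t n)
{
	struct sockaddr_in sin = { .sin_family = AF_INET };

	if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
		return SRC_REMOTE;	/* unparsable input is never trusted */
	return classify_source(&sin, host_addrs, n);
}

int main(void)
{
	struct in_addr host[1];
	const char *samples[] = { "127.0.0.1", "127.0.0.2", "18.18.0.52", "192.0.2.7" };

	inet_pton(AF_INET, "18.18.0.52", &host[0]);	/* jail address from the page */
	for (size_t i = 0; i < 4; i++)
		printf("%-12s -> %d\n", samples[i], classify_str(samples[i], host, 1));
	return 0;
}
```

A daemon that accepts SRC_HOST_ADDR is trusting every process and jail that can send from that address, which is why an AF_LOCAL socket sidesteps the question.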
