I can't figure out where the screw-up is.
All the software uses getaddrinfo. So nothing that goes outside from the jail works.
# cat /etc/jail.conf
ds {
    host.hostname = "ds";       # Hostname
    ip4.addr = "10.108.1.12";   # IP address of the jail
    interface = "em1";
    exec.prestart = "";
    exec.poststop = "";
}
Here are the ipfw rules:
[root:/usr/local/etc/nsd]# ipfw show
00100 39973561 35605298033 reass ip from any to any via em0
00200 0 0 check-state :default
00300 13716784 10052371772 allow ip from any to any via em1
00400 0 0 allow ip from any to any via em2
00500 4968218 3202489230 allow ip from any to any via em3
00600 0 0 allow ip from any to any via em4
00700 12791616 5343315940 allow ip from any to any via lo0
00800 112 5832 nat 100 ip from 10.108.1.12 to any via em0
00900 0 0 allow ip from any to any frag
01000 0 0 deny ip from any to any not verrevpath via em0
01100 0 0 deny ip from any to any not antispoof via em0
01200 16788 906534 allow icmp from any to any
01300 2633 153202 allow tcp from any to me 21 setup keep-state :default
01400 1227320 1111442340 allow tcp from any to me 40000-50000 setup keep-state :default
01500 1741 149167 allow tcp from any to me 5432 setup keep-state :default
01600 0 0 allow tcp from 10.0.0.0/8 to me 3306 setup keep-state :default
01700 880 52800 deny ip from me to any 25 setup keep-state :default
01800 46 2432 deny ip from any to me 25 via em0 keep-state :default
01900 4881 3105209 allow tcp from me to any 80,443 setup keep-state :default
02000 576 65547 allow tcp from any to any 53 setup keep-state :default
02100 113737 19113217 allow udp from any to any 53 keep-state :default
02200 762946 758564259 allow tcp from any to me 80 setup limit src-addr 108 :default
02300 19061274 20427211854 allow tcp from any to me 443 setup limit src-addr 108 :default
02400 18245 17777939 allow tcp from any to me 8888 setup limit src-addr 108 :default
02500 235 10552 allow tcp from any to me 108,22 setup keep-state :default
02600 0 0 allow udp from me to any 123 keep-state :default
02700 0 0 deny ip from any to 0.0.0.0/8 via em0
02800 0 0 deny ip from any to 169.254.0.0/16 via em0
02900 0 0 deny ip from any to 192.0.2.0/24 via em0
03000 2396 195755 deny ip from any to 224.0.0.0/4 via em0
03100 66773 9180409 deny ip from any to 240.0.0.0/4 via em0
03200 3 180 deny ip from table(0) to any
03300 0 0 deny log logamount 50 ip from me to table(1)
03400 18695308 13257454380 nat 100 ip from any to any via em0
03500 0 0 deny log logamount 100000 ip from any to any
65535 151 73173 allow ip from any to any
[root:/usr/local/etc/nsd]#
getaddrinfo doesn't work.
➜ / getaddrinfo ya.ru
getaddrinfo: Name does not resolve
➜ /
# tcpdump -ilo0 port 53
12:32:57.975594 IP 10.108.1.12.57977 > 10.108.1.12.domain: 12187+ A? ya.ru. (23)
12:32:58.054052 IP 10.108.1.12.domain > 10.108.1.12.57977: 12187 1/0/0 A 87.250.250.242 (39)
12:33:02.982464 IP 10.108.1.12.57977 > 10.108.1.12.domain: 12187+ A? ya.ru. (23)
12:33:02.982574 IP 10.108.1.12.domain > 10.108.1.12.57977: 12187 1/0/0 A 87.250.250.242 (39)
12:33:13.038802 IP 10.108.1.12.24044 > 10.108.1.12.domain: 35156+ AAAA? ya.ru. (23)
12:33:13.112982 IP 10.108.1.12.domain > 10.108.1.12.24044: 35156 1/0/0 AAAA 2a02:6b8::2:242 (51)
12:33:18.041204 IP 10.108.1.12.24044 > 10.108.1.12.domain: 35156+ AAAA? ya.ru. (23)
12:33:18.041312 IP 10.108.1.12.domain > 10.108.1.12.24044: 35156 1/0/0 AAAA 2a02:6b8::2:242 (51)
➜ / drill ya.ru
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 35596
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; ya.ru. IN A
;; ANSWER SECTION:
ya.ru. 485 IN A 87.250.250.242
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 23 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu Feb 3 12:06:14 2022
;; MSG SIZE rcvd: 39
➜ /
# tcpdump -ilo0 port 53
12:49:22.192933 IP 10.108.1.12.27080 > 10.108.1.12.domain: 38718+ A? ya.ru. (23)
12:49:22.193004 IP 10.108.1.12.domain > 10.108.1.12.27080: 38718 1/0/0 A 87.250.250.242 (39)
unbound is listening on 10.108.1.12 fine.
DNS master:
[root:/usr/local/etc/nsd]# sockstat -l4 | grep 53
unbound unbound 83079 3 udp4 10.108.1.1:53 *:*
unbound unbound 83079 4 tcp4 10.108.1.1:53 *:*
unbound unbound 83079 5 udp4 10.108.1.12:53 *:*
unbound unbound 83079 6 tcp4 10.108.1.12:53 *:*
unbound unbound 83079 7 udp4 10.108.2.1:53 *:*
unbound unbound 83079 8 tcp4 10.108.2.1:53 *:*
unbound unbound 83079 9 udp4 10.108.3.1:53 *:*
unbound unbound 83079 10 tcp4 10.108.3.1:53 *:*
unbound unbound 83079 15 udp4 127.0.0.1:53 *:*
unbound unbound 83079 16 tcp4 127.0.0.1:53 *:*
unbound unbound 83079 17 udp4 10.108.4.1:53 *:*
unbound unbound 83079 18 tcp4 10.108.4.1:53 *:*
unbound unbound 83079 20 tcp4 127.0.0.1:8953 *:*
nsd nsd 82197 5 udp4 176.124.147.86:53 *:*
nsd nsd 82197 6 tcp4 176.124.147.86:53 *:*
nsd nsd 82196 5 udp4 176.124.147.86:53 *:*
nsd nsd 82196 6 tcp4 176.124.147.86:53 *:*
nsd nsd 60237 5 udp4 176.124.147.86:53 *:*
nsd nsd 60237 6 tcp4 176.124.147.86:53 *:*
nsd nsd 60236 5 udp4 176.124.147.86:53 *:*
nsd nsd 60236 6 tcp4 176.124.147.86:53 *:*
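The two lo0 captures above can be compared mechanically. What separates the failing getaddrinfo run from the working drill run is not whether a reply appears on the wire (it does in both) but whether the client re-sends the identical query afterwards: a resolver only retransmits the same txid from the same source port when no answer reached its socket, and the roughly 5 second gap matches libc's default resolver timeout. The script below is an added example, not code from the post; it parses tcpdump's default text output for port 53 (unresolved port printed as "domain", UDP only, timestamps within one day, an optional rcode word such as NXDomain before the answer counts), pairs queries with replies by (client host, client port, txid), and flags transactions that were retried after a reply had already been seen. The sample capture is the post's own lines, embedded so it runs offline.

```python
"""Pair DNS queries with replies in a tcpdump 'port 53' capture and flag
queries that were re-sent after a reply was already on the wire.

Added example for the post above; not code from the original post.
Assumptions: tcpdump's default text output (port 53 shown as 'domain'),
UDP only, timestamps within a single day.
"""
import re
import sys
from collections import OrderedDict

# Constructed sample: the lo0 capture lines quoted in the post (the
# getaddrinfo run, then the drill run), embedded so the script runs offline.
SAMPLE_CAPTURE = """\
12:32:57.975594 IP 10.108.1.12.57977 > 10.108.1.12.domain: 12187+ A? ya.ru. (23)
12:32:58.054052 IP 10.108.1.12.domain > 10.108.1.12.57977: 12187 1/0/0 A 87.250.250.242 (39)
12:33:02.982464 IP 10.108.1.12.57977 > 10.108.1.12.domain: 12187+ A? ya.ru. (23)
12:33:02.982574 IP 10.108.1.12.domain > 10.108.1.12.57977: 12187 1/0/0 A 87.250.250.242 (39)
12:33:13.038802 IP 10.108.1.12.24044 > 10.108.1.12.domain: 35156+ AAAA? ya.ru. (23)
12:33:13.112982 IP 10.108.1.12.domain > 10.108.1.12.24044: 35156 1/0/0 AAAA 2a02:6b8::2:242 (51)
12:33:18.041204 IP 10.108.1.12.24044 > 10.108.1.12.domain: 35156+ AAAA? ya.ru. (23)
12:33:18.041312 IP 10.108.1.12.domain > 10.108.1.12.24044: 35156 1/0/0 AAAA 2a02:6b8::2:242 (51)
12:49:22.192933 IP 10.108.1.12.27080 > 10.108.1.12.domain: 38718+ A? ya.ru. (23)
12:49:22.193004 IP 10.108.1.12.domain > 10.108.1.12.27080: 38718 1/0/0 A 87.250.250.242 (39)
"""

TS = r"(\d+):(\d+):(\d+\.\d+)"
# query: <ts> IP <client>.<port> > <server>.domain: <txid>[flags] <qtype>? <name> (<len>)
QUERY_RE = re.compile(
    TS + r" IP (\S+)\.(\d+) > (\S+)\.domain: (\d+)\S* (\w+)\? (\S+) \(\d+\)$")
# reply: <ts> IP <server>.domain > <client>.<port>: <txid>[flags] [rcode] a/n/ad ... (<len>)
REPLY_RE = re.compile(
    TS + r" IP (\S+)\.domain > (\S+)\.(\d+): (\d+)\S*(?: [A-Za-z]\w*)? "
    r"(\d+)/(\d+)/(\d+) .*\(\d+\)$")


def _secs(m):
    """Timestamp groups 1-3 of a match -> seconds since midnight."""
    return int(m.group(1)) * 3600 + int(m.group(2)) * 60 + float(m.group(3))


def analyze(capture):
    """One record per (client host, client port, txid), in order of first
    appearance. 'retried_after_reply' is set when the client re-sent the
    query after a reply to it had already been captured."""
    txns = OrderedDict()
    for line in capture.splitlines():
        line = line.strip()
        q = QUERY_RE.match(line)
        if q:
            key = (q.group(4), int(q.group(5)), int(q.group(7)))
            rec = txns.setdefault(key, {
                "client": q.group(4), "port": int(q.group(5)),
                "txid": int(q.group(7)), "server": q.group(6),
                "qtype": q.group(8), "name": q.group(9),
                "sends": 0, "replies": 0, "answers": None,
                "retried_after_reply": False, "retry_gap": None,
                "_last_reply": None})
            rec["sends"] += 1
            if rec["_last_reply"] is not None and not rec["retried_after_reply"]:
                rec["retried_after_reply"] = True
                rec["retry_gap"] = round(_secs(q) - rec["_last_reply"], 3)
            continue
        r = REPLY_RE.match(line)
        if r:
            key = (r.group(5), int(r.group(6)), int(r.group(7)))
            rec = txns.get(key)
            if rec is None:
                continue  # reply whose query was not captured; ignore
            rec["replies"] += 1
            rec["answers"] = int(r.group(8))
            rec["_last_reply"] = _secs(r)
    out = []
    for rec in txns.values():
        rec = dict(rec)
        rec.pop("_last_reply")
        out.append(rec)
    return out


def suspicious(capture):
    """Transactions where a reply was on the wire but the client retried:
    the answer was emitted but never delivered to the querying socket."""
    return [r for r in analyze(capture) if r["retried_after_reply"]]


def render(records):
    """Human-readable one-line summary per transaction."""
    lines = []
    for r in records:
        flag = ""
        if r["retried_after_reply"]:
            flag = " <- retried %.3fs after a reply: answer not delivered" % r["retry_gap"]
        lines.append("txid %d %s %s from %s:%d: %d sent, %d replied%s" % (
            r["txid"], r["qtype"], r["name"], r["client"], r["port"],
            r["sends"], r["replies"], flag))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: tcpdump -ilo0 -l port 53 | python3 dnsretry.py   (or a saved file)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    print(render(analyze(text)))
```

Run against the post's trace it reports txid 12187 (A) and 35156 (AAAA) as sent twice with two replies each and retried about 4.9 s after the first reply, while drill's txid 38718 was sent once and answered once. The sockets involved in the failing case are the same 10.108.1.12 -> 10.108.1.12 pair that the working one uses, so the next thing to compare is the path the reply takes back to the 10.108.1.12.57977 socket, not the unbound side.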