Strange routing using zones

From: przemolicc@poczta.fm
Date: Tue Oct 10 2006 - 07:28:13 EDT


There is a host with Solaris 10 and one installed zone. The host has
4 NICs. The global zone [GZ] is defined/connected to one NIC (e1000g0 = g.g.g.230)
and the local zone [LZ] to another NIC (e1000g1 = l.l.l.110). Both are connected to
_different_ subnets. Routing and IP addresses:

GZ = e1000g0 = g.g.g.230
LZ = e1000g1 = l.l.l.110

bash-3.00# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone LZ
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet g.g.g.230 netmask ffffff00 broadcast 192.168.220.255
        ether 0:14:4f:1f:f2:a8
e1000g1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 0.0.0.0 netmask 0
        ether 0:14:4f:1f:f2:a9
e1000g1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        zone LZ
        inet l.l.l.110 netmask ffffff00 broadcast 10.213.1.255

bash-3.00# netstat -rn

Routing Table: IPv4
  Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
l.l.l.110 g.g.g.230 UH 1 0 e1000g0
g.g.g.0 g.g.g.230 U 1 10 e1000g0
224.0.0.0 g.g.g.230 U 1 0 e1000g0
default g.g.g.4 UG 1 26
default l.l.l.4 UG 1 40 e1000g1
127.0.0.1 127.0.0.1 UH 2 4 lo0

To prevent routing between zones (security reasons) I ran:
/usr/sbin/route add default l.l.l.4 -ifp e1000g1
/usr/sbin/route add g.g.g.230 l.l.l.110 -interface -reject
/usr/sbin/route add l.l.l.110 g.g.g.230 -interface -reject

There is an Apache in the LZ which binds to port 80. When someone (client = c.c.c.186) from
outside (the internet) tries to connect to the Apache in the LZ,
some packets go back to the client via e1000g0 (GZ)!
Observation on the NICs gives me:

[e1000g1] /opt/sfw/bin/tethereal -i e1000g1 -t ad host l.l.l.110 and host c.c.c.186
[e1000g0] /opt/sfw/bin/tethereal -i e1000g0 -t ad host l.l.l.110 and host c.c.c.186

[1] [e1000g1] 2006-10-06 09:25:11.329472 c.c.c.186 -> l.l.l.110 TCP 32945 > 80 [SYN] Seq=0 Ack=0 Win=25200 Len=0 MSS=1460
[2] [e1000g0] 2006-10-06 09:25:11.329568 l.l.l.110 -> c.c.c.186 TCP 80 > 32945 [SYN, ACK] Seq=0 Ack=1 Win=49640 Len=0 MSS=1460
[3] [e1000g1] 2006-10-06 09:25:14.518694 c.c.c.186 -> l.l.l.110 TCP 32945 > 80 [SYN] Seq=0 Ack=0 Win=25200 Len=0 MSS=1460
[4] [e1000g1] 2006-10-06 09:25:14.518731 l.l.l.110 -> c.c.c.186 TCP 80 > 32945 [ACK] Seq=0 Ack=0 Win=49640 Len=0
[5] [e1000g1] 2006-10-06 09:25:14.527126 c.c.c.186 -> l.l.l.110 TCP 32945 > 80 [RST] Seq=0 Ack=0 Win=0 Len=0
[6] [e1000g1] 2006-10-06 09:25:20.532428 c.c.c.186 -> l.l.l.110 TCP 32945 > 80 [SYN] Seq=0 Ack=0 Win=25200 Len=0 MSS=1460
[7] [e1000g1] 2006-10-06 09:25:20.532465 l.l.l.110 -> c.c.c.186 TCP 80 > 32945 [SYN, ACK] Seq=0 Ack=1 Win=49640 Len=0 MSS=1460
[8] [e1000g1] 2006-10-06 09:25:21.071132 c.c.c.186 -> l.l.l.110 TCP 32945 > 80 [ACK] Seq=1 Ack=1 Win=25200 Len=0

Can someone explain to me why, in line [2], the packet goes out using e1000g0?!?!

/usr/sbin/route delete host l.l.l.110 g.g.g.230
doesn't help.

Is it a bug or something wrong in my configuration?

przemol
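An added example (not part of the original post) showing how to check a capture like the one above for replies that leave on a different NIC than the one the request arrived on. It assumes the tethereal line format shown in the post and that l.l.l.110 should only be served by e1000g1; the trace below is a constructed sample copied from the post.

```python
import re

# Constructed sample, modelled on the tethereal trace in the post above
# (packet number, interface tag, timestamp, src -> dst, TCP ports and flags).
TRACE = """\
[1] [e1000g1] 2006-10-06 09:25:11.329472 c.c.c.186 -> l.l.l.110 TCP 32945 > 80 [SYN] Seq=0 Ack=0 Win=25200 Len=0 MSS=1460
[2] [e1000g0] 2006-10-06 09:25:11.329568 l.l.l.110 -> c.c.c.186 TCP 80 > 32945 [SYN, ACK] Seq=0 Ack=1 Win=49640 Len=0 MSS=1460
[3] [e1000g1] 2006-10-06 09:25:14.518694 c.c.c.186 -> l.l.l.110 TCP 32945 > 80 [SYN] Seq=0 Ack=0 Win=25200 Len=0 MSS=1460
[4] [e1000g1] 2006-10-06 09:25:14.518731 l.l.l.110 -> c.c.c.186 TCP 80 > 32945 [ACK] Seq=0 Ack=0 Win=49640 Len=0
[7] [e1000g1] 2006-10-06 09:25:20.532465 l.l.l.110 -> c.c.c.186 TCP 80 > 32945 [SYN, ACK] Seq=0 Ack=1 Win=49640 Len=0 MSS=1460
"""

# One tethereal summary line, as tagged with "[n] [interface]" in the post.
LINE_RE = re.compile(
    r"\[(?P<n>\d+)\] \[(?P<ifp>\S+)\] \S+ \S+ (?P<src>\S+) -> (?P<dst>\S+) "
    r"TCP (?P<sport>\d+) > (?P<dport>\d+) \[(?P<flags>[^\]]*)\]"
)

def parse(trace):
    """Turn the tagged trace text into a list of packet dicts."""
    pkts = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append(dict(m.groupdict(), n=int(m["n"])))
    return pkts

def find_asymmetric(pkts, local_ifaces):
    """Return packet numbers of replies whose egress NIC differs from the NIC
    on which the same flow's inbound packets arrived.
    local_ifaces maps a local (zone) address to the NIC expected to carry it."""
    ingress = {}   # flow key -> NIC where the first client packet was seen
    flagged = []
    for p in pkts:
        if p["dst"] in local_ifaces:          # inbound: client -> zone
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            ingress.setdefault(key, p["ifp"])
        elif p["src"] in local_ifaces:        # outbound reply from the zone
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            expected = ingress.get(key, local_ifaces[p["src"]])
            if p["ifp"] != expected:
                flagged.append(p["n"])
    return flagged

if __name__ == "__main__":
    hits = find_asymmetric(parse(TRACE), {"l.l.l.110": "e1000g1"})
    print("replies leaving on the wrong NIC:", hits)   # [2]
```

Run against a longer capture, the flagged packet numbers are exactly the replies that crossed the zone boundary the reject routes were meant to enforce.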

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:40:58 EDT