From owner-freebsd-jail@FreeBSD.ORG Mon Dec 21 00:00:41 2009
From: Andrew Hotlab
Cc: freebsd-jail@freebsd.org
Date: Sun, 20 Dec 2009 23:48:40 +0000
Subject: RE: ezjail.flavour

It seems that FreeBSD 8 does not like to start rc scripts named *.sh. Here
is a little patch for the script ezjail-admin which seems to fix the problem.

--- ezjail-admin	2009/12/20 23:28:09	1.1
+++ ezjail-admin	2009/12/20 23:28:26
@@ -550,7 +550,7 @@
     # If a config is found, make it auto run on jails startup
     if [ -f "${ezjail_rootdir}/ezjail.flavour" ]; then
-      ln -s /ezjail.flavour "${ezjail_rootdir}/etc/rc.d/ezjail-config.sh"
+      ln -s /ezjail.flavour "${ezjail_rootdir}/etc/rc.d/ezjail-config"
       chmod 0700 "${ezjail_rootdir}/ezjail.flavour"
       echo "Note: Shell scripts installed, flavourizing on jails first startup."
     fi

I think ezjail urgently needs some updates in order not to remain behind the
new features in FreeBSD which can dramatically improve the jail system usage
(vnet, ZFS, multiple FIB support, etc). I'm not a shell script expert, but my
everyday work gives me the chance to have a pretty high-level view on what is
needed.
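Review bot: the `+` line in the ezjail-admin hunk only changes the link name for jails flavourized from now on; a jail created before this change keeps its old `etc/rc.d/ezjail-config.sh` link, which rc(8) on FreeBSD 8 skips as described at the top of the mail, so the hunk should be paired with an `rm -f` of the stale name or an upgrade note. It is also not visible here whether `/ezjail.flavour` carries the `PROVIDE`/`REQUIRE` keywords rcorder(8) uses to order scripts in `/etc/rc.d`; once the `.sh` suffix is gone the link is ordered like any other rc script, so that is worth checking before the patch is taken.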
I'll be glad to be contacted off-list by someone with some shell scripting
skills and a few hours of spare time to spend with me on this very useful
tool.

Andrew

----------------------------------------
> To: freebsd-questions@k-moeller.dk
> From: bsam@ipt.ru
> Date: Thu, 17 Dec 2009 11:35:51 +0300
> CC: freebsd-jail@freebsd.org
> Subject: Re: ezjail.flavour
>
> Kalle Møller writes:
>
>>> I've got the same behaviour. Seems that the script ezjail.flavour
>>> is not executed because it uses old rc rules and so it is ignored
>>> at startup.
>> What are the new rc rules, because it looks fairly simple to correct, went
>> through the code yesterday.
>
> Well, I'm not an rc guru. But seems that RC(8) may be a good start.
>
> --
> WBR, bsam

From owner-freebsd-jail@FreeBSD.ORG Mon Dec 21 11:06:59 2009
Date: Mon, 21 Dec 2009 11:06:58 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

5 problems total.
From owner-freebsd-jail@FreeBSD.ORG Wed Dec 23 10:20:08 2009
Date: Wed, 23 Dec 2009 10:19:23 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Mel Flynn
Cc: freebsd-hackers@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: Jail on 2 interfaces?

On Tue, 22 Dec 2009, Mel Flynn wrote:

Hi,

first of all this would find more people to help on freebsd-jail as it
has nothing to do with hackers ;-)

> I don't see this documented in jail(8) nor rc(8) nor defaults/rc.conf, so is
> it possible to have 2 IP's on 2 ethernet interfaces? And if so, is it settable
> for rc(8)?
>
> The usage case is to have the same jailed proxy server on two separate
> internal networks. Ideally, the proxy will use one address for outgoing, so I
> guess I'll need a default route or dive into the squid config.
>
> At present I have:
> ifconfig_bge0="inet 192.168.177.60 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
> ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
> jail_squid_rootdir="/usr/squid"
> jail_squid_ip="192.168.177.62"
> jail_squid_ip_multi0="192.168.176.62"
> jail_squid_interface="bge0"
>
> But this created the IP on bge0 even though one exists on em0. Is it as simple
> as not specifying the interface and add the 177.62 alias on bge0?
> Ideally I'd have a jail_$jail_ip_multi$aliasno_interface="foo0", but my main
> worry is that the jail infrastructure understands the routing involved.

From what you are writing I assume that you are on FreeBSD 7.2-Release
or later; no official FreeBSD version before had supported
multiple-IPs with a jail.

What it did was what you were asking for. That's the problem.

1) either use ifconfig
2) or use jail + interfaces
3) but do not mix them (especially not overlapping)

So I would suggest to do it like this:

# Base system IPs.
ifconfig_bge0="inet 192.168.177.60/24"
ifconfig_em0="inet 192.168.176.60/24"

jail_squid_rootdir="/usr/squid"
# Either use:
jail_squid_ip="bge0|192.168.177.62/32,em0|192.168.176.62/32"
# or:
jail_squid_ip="bge0|192.168.177.62/32"
jail_squid_ip_multi0="em0|192.168.176.62/32"

but do not use jail_squid_interface=".." as that will be a global
default for that jail.

As you can see, I removed the ifconfig_em0_alias0 line. If you want to
keep that and mix things then you could do:

jail_squid_ip="bge0|192.168.177.62/32"
jail_squid_ip_multi0="192.168.176.62/32"

again without the jail_squid_interface=".." line.

HTH
/bz

-- 
Bjoern A. Zeeb           It will not break if you know what you are doing.
From owner-freebsd-jail@FreeBSD.ORG Wed Dec 23 10:25:07 2009
Date: Wed, 23 Dec 2009 10:24:43 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Matthew Seaman
Cc: freebsd-hackers@freebsd.org, Mel Flynn, freebsd-jail@FreeBSD.org
Subject: Re: Jail on 2 interfaces?

On Wed, 23 Dec 2009, Matthew Seaman wrote:

> Mel Flynn wrote:
>> Hi,
>>
>> I don't see this documented in jail(8) nor rc(8) nor defaults/rc.conf, so
>> is it possible to have 2 IP's on 2 ethernet interfaces? And if so, is it
>> settable for rc(8)?
>>
>> The usage case is to have the same jailed proxy server on two separate
>> internal networks. Ideally, the proxy will use one address for outgoing, so
>> I guess I'll need a default route or dive into the squid config.
>>
>> At present I have:
>> ifconfig_bge0="inet 192.168.177.60 netmask 255.255.255.0"
>> ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
>> ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
>> jail_squid_rootdir="/usr/squid"
>> jail_squid_ip="192.168.177.62"
>> jail_squid_ip_multi0="192.168.176.62"
>> jail_squid_interface="bge0"
>>
>> But this created the IP on bge0 even though one exists on em0. Is it as
>> simple as not specifying the interface and add the 177.62 alias on bge0?
>> Ideally I'd have a jail_$jail_ip_multi$aliasno_interface="foo0", but my
>> main worry is that the jail infrastructure understands the routing
>> involved.
>
> To do this directly is now possible in 8.0-RELEASE or better. You will
> need a custom kernel with 'options VIMAGE' and I believe the standard jail
> startup scripts need a bit of work in order for them to start the jail with
> the correct command line arguments to enable the vnet functionality.

No, that's wrong. FreeBSD 7.2-R and later can do multi-IP jails and
have the IPs on multiple interfaces; there is no need for a dedicated
network stack.

The routing is not much different than if you would do it in the base
system with two IPs. If it works there, just putting it in a multi-IP
jail with the addresses on the right interface will just work as well.

If you want different routing for a jail use setfib with a multi-FIB
based kernel (you may need to recompile the kernel for that) but you
still won't need multiple network stacks.

> Alternatively, you can achieve much the same effect that you want by using
> a simple one-ip jail and writing firewall rules to redirect traffic into it,
> and NAT traffic coming out of it.

Using firewall NAT with jails is something I often see and usually
never understand unless people only have a single IP and want to share
that between lots of jails (though if no duplicate services exist, that
will just work as well by default these days as well).

-- 
Bjoern A. Zeeb           It will not break if you know what you are doing.
From owner-freebsd-jail@FreeBSD.ORG Wed Dec 23 15:55:23 2009
From: Mel Flynn
To: freebsd-hackers@freebsd.org, freebsd-jail@freebsd.org
Date: Wed, 23 Dec 2009 06:37:10 -0900
Subject: Re: Jail on 2 interfaces?

On Wednesday 23 December 2009 01:19:23 Bjoern A. Zeeb wrote:
> On Tue, 22 Dec 2009, Mel Flynn wrote:
>
> Hi,
>
> first of all this would find more people to help on freebsd-jail as it
> has nothing to do with hackers ;-)

Yes, that was pretty braindead of me, especially since the intention was
questions@.

> > I don't see this documented in jail(8) nor rc(8) nor defaults/rc.conf, so
> > is it possible to have 2 IP's on 2 ethernet interfaces? And if so, is it
> > settable for rc(8)?
> >
> > The usage case is to have the same jailed proxy server on two separate
> > internal networks. Ideally, the proxy will use one address for outgoing,
> > so I guess I'll need a default route or dive into the squid config.
> >
> > At present I have:
> > ifconfig_bge0="inet 192.168.177.60 netmask 255.255.255.0"
> > ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
> > ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
> > jail_squid_rootdir="/usr/squid"
> > jail_squid_ip="192.168.177.62"
> > jail_squid_ip_multi0="192.168.176.62"
> > jail_squid_interface="bge0"
> >
> > But this created the IP on bge0 even though one exists on em0.
> > Is it as simple as not specifying the interface and add the 177.62 alias
> > on bge0? Ideally I'd have a jail_$jail_ip_multi$aliasno_interface="foo0",
> > but my main worry is that the jail infrastructure understands the routing
> > involved.
>
> From what you are writing I assume that you are on FreeBSD 7.2-Release
> or later; no official FreeBSD version before had supported
> multiple-IPs with a jail.

8.0-p3, yes.

> What it did was what you were asking for. That's the problem.
>
> 1) either use ifconfig
> 2) or use jail + interfaces
> 3) but do not mix them (especially not overlapping)
>
> So I would suggest to do it like this:
>
> # Base system IPs.
> ifconfig_bge0="inet 192.168.177.60/24"
> ifconfig_em0="inet 192.168.176.60/24"
>
> jail_squid_rootdir="/usr/squid"
> # Either use:
> jail_squid_ip="bge0|192.168.177.62/32,em0|192.168.176.62/32"
> # or:
> jail_squid_ip="bge0|192.168.177.62/32"
> jail_squid_ip_multi0="em0|192.168.176.62/32"
>
> but do not use jail_squid_interface=".." as that will be a global
> default for that jail.

Is it a global *default* or a global? For example, could I specify:
jail_squid_interface="bge0"
jail_squid_ip="192.168.177.62/32"
jail_squid_ip_multi0="192.168.177.63/32"
jail_squid_ip_multi1="em0|192.168.177.62/32"

Below is a patch against HEAD to document the $interface|$ip syntax.
-- 
Mel

Index: etc/defaults/rc.conf
===================================================================
--- etc/defaults/rc.conf	(revision 200901)
+++ etc/defaults/rc.conf	(working copy)
@@ -648,6 +648,7 @@
 #jail_example_fib="0"                           # Routing table for setfib(1)
 #jail_example_ip="192.0.2.10,2001:db8::17"      # Jail's primary IPv4 and IPv6 address
 #jail_example_ip_multi0="2001:db8::10"          # and another IPv6 address
+#jail_example_ip_multi1="em0|192.0.3.10/32"     # and another IPv4 address on a specific interface
 #jail_example_exec_start="/bin/sh /etc/rc"      # command to execute in jail for starting
 #jail_example_exec_afterstart0="/bin/sh command" # command to execute after the one for
                                                 # starting the jail. More than one can be

From owner-freebsd-jail@FreeBSD.ORG Wed Dec 23 16:10:08 2009
Date: Wed, 23 Dec 2009 16:06:50 +0000 (UTC)
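Review bot: in the rc.conf hunk above, the added `+#jail_example_ip_multi1="em0|192.0.3.10/32"` line uses an address outside the documentation range the neighbouring example keeps to (`192.0.2.10` and `2001:db8::17`); a 192.0.2.0/24 address keeps the example from matching a real network. The trailing comment also overruns the aligned column the surrounding lines share; continuing it on a second line, as the `jail_example_exec_afterstart0` entry below already does, keeps the block readable. Since the primary `jail_example_ip` line accepts the same `iface|addr` prefix (the form used for `jail_squid_ip` earlier in the thread), the comment on that line is the better place to introduce the syntax, with the `multi1` line as a second instance of it.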
From: "Bjoern A. Zeeb"
To: Mel Flynn
Cc: freebsd-hackers@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: Jail on 2 interfaces?

On Wed, 23 Dec 2009, Mel Flynn wrote:

>> or later; no official FreeBSD version before had supported
>> multiple-IPs with a jail.
>
> 8.0-p3, yes.

ok

>> What it did was what you were asking for. That's the problem.
>>
>> 1) either use ifconfig
>> 2) or use jail + interfaces
>> 3) but do not mix them (especially not overlapping)
>>
>> So I would suggest to do it like this:
>>
>> # Base system IPs.
>> ifconfig_bge0="inet 192.168.177.60/24"
>> ifconfig_em0="inet 192.168.176.60/24"
>>
>> jail_squid_rootdir="/usr/squid"
>> # Either use:
>> jail_squid_ip="bge0|192.168.177.62/32,em0|192.168.176.62/32"
>> # or:
>> jail_squid_ip="bge0|192.168.177.62/32"
>> jail_squid_ip_multi0="em0|192.168.176.62/32"
>>
>> but do not use jail_squid_interface=".." as that will be a global
>> default for that jail.
>
> Is it a global *default* or a global? For example, could I specify:

It's a global default; a more specific interface name that comes with
an address will override it. So you could do what you drafted below.
The entire "ifconfig" feature in rc.d/jail does not really belong there
but people started using it after it was introduced so we lost that
race.

> jail_squid_interface="bge0"
> jail_squid_ip="192.168.177.62/32"
> jail_squid_ip_multi0="192.168.177.63/32"
> jail_squid_ip_multi1="em0|192.168.177.62/32"
>
> Below is a patch against HEAD to document the $interface|$ip syntax.

That wasn't done on purpose; man rc.conf has it, if you look up jail__ip .

/bz

-- 
Bjoern A. Zeeb           It will not break if you know what you are doing.
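As an added example (not code from the thread and not FreeBSD's own rc.d/jail), the POSIX sh script below applies the two rules stated in this thread: an explicit `iface|addr` prefix wins and `jail_<name>_interface` is only the default for addresses without one, and a jail address that the host also configures through an `ifconfig_*_alias*` line is the mixed, overlapping setup Bjoern advises against. The `jail_squid_*` and `ifconfig_*` values are constructed sample input modelled on Mel's configuration; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or FreeBSD's rc.d/jail: resolve
# jail_<name>_ip / _ip_multiN / _interface as the thread describes and
# flag jail addresses that the host also sets up as ifconfig aliases.

# Constructed sample input: Mel's draft plus the host's interface lines.
ifconfig_bge0="inet 192.168.177.60/24"
ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
jail_squid_interface="bge0"
jail_squid_ip="192.168.177.62/32"
jail_squid_ip_multi0="192.168.177.63/32"
jail_squid_ip_multi1="em0|192.168.176.62/32"

# resolve_jail_addrs <jailname>
# Prints one "iface addr" line per jail address.  An "iface|" prefix on
# the entry wins; otherwise jail_<name>_interface is the default; with
# neither, "-" is printed (the address is then expected to exist already).
resolve_jail_addrs() {
    _j=$1
    eval _def=\${jail_${_j}_interface:-}
    eval _list=\${jail_${_j}_ip:-}
    _n=0
    while :; do                      # collect _ip_multi0, _ip_multi1, ...
        eval _m=\${jail_${_j}_ip_multi${_n}:-}
        [ -n "$_m" ] || break
        _list="$_list,$_m"
        _n=$((_n + 1))
    done
    for _entry in $(printf '%s' "$_list" | tr ',' ' '); do
        case $_entry in
        *"|"*) _if=${_entry%%|*}; _addr=${_entry#*|} ;;
        *)     _if=${_def:--};     _addr=$_entry ;;
        esac
        printf '%s %s\n' "$_if" "${_addr%%/*}"   # drop any /prefix
    done
}

# host_addr_of_var <ifconfig_var>
# Prints the bare address from a value like "inet A.B.C.D netmask ..."
# or "inet A.B.C.D/24"; prints nothing for an unset or non-inet value.
host_addr_of_var() {
    eval _v=\${$1:-}
    set -- $_v
    [ "$1" = inet ] && printf '%s\n' "${2%%/*}"
    return 0
}

# overlap <jailname> <ifconfig_var>...
# Prints "iface|addr overlaps <var>" for each jail address that one of the
# named host variables also configures; exits 0 if any overlap, else 1.
overlap() {
    _j=$1; shift
    _rc=1
    for _var in "$@"; do
        _h=$(host_addr_of_var "$_var")
        [ -n "$_h" ] || continue
        for _pair in $(resolve_jail_addrs "$_j" | tr ' ' '|'); do
            if [ "${_pair#*|}" = "$_h" ]; then
                printf '%s overlaps %s\n' "$_pair" "$_var"
                _rc=0
            fi
        done
    done
    return $_rc
}

# Run directly: show the resolved addresses, then report the em0 alias clash.
resolve_jail_addrs squid
overlap squid ifconfig_bge0 ifconfig_em0 ifconfig_em0_alias0 || echo "no overlap"
```

With Bjoern's recommended layout (no `jail_squid_interface`, the alias line removed and `em0|` on the second address) the overlap check returns 1 and every address resolves to the interface named in its own entry.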