From owner-freebsd-net@freebsd.org Sun Jun 26 09:38:16 2016
From: (envelope-from org.freebsd.security@io7m.com)
Date: Sun, 26 Jun 2016 09:37:54 +0000
To: Alan Somers
Cc: FreeBSD Net
Subject: Re: ifconfig: BRDGADD lo1: invalid argument
Message-ID: <20160626093754.5e534ff4@copperhead.int.arc7.info>
References: <20160625164240.7cea7587@copperhead.int.arc7.info> <20160625234636.2f086908@x23> <20160625220551.646eccb6@copperhead.int.arc7.info>
List-Id: Networking and TCP/IP with FreeBSD

Hello.

On 2016-06-25T18:13:18 -0600
Alan Somers wrote:

> On Sat, Jun 25, 2016 at 4:05 PM, wrote:
> > I'm not using vnet jails. I'm actually just trying to get filtering of
> > outbound traffic (see the other mail I sent to this list a few seconds
> > before you responded).
>
> Based on my experience, I highly recommend vnet jails if you want
> outbound filtering. It's much simpler than trying to filter outbound
> traffic from shared-IP jails.

I'm trying to look at vnet jails, but they still seem to be mostly undocumented and not entirely supported. Lots of fairly recent posts online regarding panics in day-to-day use. Using them in production seems risky. Is there something I should be looking at in particular?

When you say shared-IP jails, what exactly are you referring to? I'm not sure what's shared in this case; I have one public IP (it's a VPS) but individual jails are on their own private loopback addresses.

M