From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Thu, 15 Dec 2016 21:09:26 +0100
Subject: Re: multiple interfaces for jail.conf(1) and jail_set(2)
To: Michael Grimm, freebsd-questions@freebsd.org
Cc: freebsd-jail@FreeBSD.org
Message-ID: <5852F876.5070807@quip.cz>

Michael Grimm wrote on 2016/12/15 19:36:
> [cc'd to freebsd-jail@FreeBSD.org where that thread originated]
>
> Valeri Galtsev wrote:
>
>> On Wed, December 14, 2016 2:30 pm, Michael Grimm wrote:
>
>>> #
>>> # network settings to apply/destroy during start/stop of every jail
>>> #
>>> exec.prestart = "sleep 2";
>>> exec.prestart += "/sbin/ifconfig epair${jailID} create up";
>>> exec.prestart += "/sbin/ifconfig bridge0 addm epair${jailID}a";
>>> exec.start = "/sbin/sysctl net.inet6.ip6.dad_count=0";
>>> exec.start += "/sbin/ifconfig lo0 127.0.0.1 up";
>>> exec.start += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
>>> exec.start += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
>>> exec.start += "/sbin/route add default -gateway 10.1.1.254";
>>> exec.start += "/sbin/route add -inet6 default -gateway ${ip6prefixLOCAL}::254";
>>> exec.stop = "/sbin/route del default";
>>> exec.stop += "/sbin/route del -inet6 default";
>>> exec.stop += "/bin/sh /etc/rc.shutdown";
>>> exec.poststop = "/sbin/ifconfig epair${jailID}a destroy";
>>>
>>> #
>>> # individual jail settings
>>> #
>>> dns {
>>> $jailID = 1;
>>> $ip4_addr = 10.1.1.1;
>>> $ip4_addr_2 = 10.1.1.2;
>
> […]
>
>> Michael, is it possible to have two addresses belonging to two different
>> networks (through two different network interfaces)?
>>
>> Say, on host system:
>>
>> ifconfig_igb0="inet 172.20.9.22 ...
>> ifconfig_igb1="inet 10.1.1.17 ...
>>
>>
>> and in some jail
>>
>> $ip4_addr = 172.20.9.22;
>> $ip4_addr_2 = 10.1.1.17;
>>
>> - will that work? This is what didn't work for me in the past when
>> configured jails old style in /etc/rc.conf
>
> I can't answer that because I have never tried it before.

More IP addresses on more interfaces have worked for me for many years, even in old rc.conf style jails. Converted to the new jail.conf it is something like this:

costa {
    host.hostname = "costa.example.com";
    ip4.addr = 94.104.135.21;
    ip4.addr += 192.168.222.57;
}

As you can see, IPs are from different networks.
We are not using auto add / remove IP on interfaces. We don't want to have something else to manage IP addresses. All IPs are defined in rc.conf on their proper interfaces. In this case, first jail's IP is on bge1 and the second is on nfe0 (LAN interface).

I already made a jail using a VPN-assigned IP on the tun0 OpenVPN interface.

In other words - jail doesn't care about interfaces. If there is an IP in the system (on whatever interface) then you can assign it to a jail, and you can assign as many IPs as you want (up to some really high limit).

Miroslav Lachman
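
A check that follows from the setup described in the reply above, as an added example that is not part of the original message or of FreeBSD itself: when nothing adds or removes jail addresses automatically, every ip4.addr has to be configured on some host interface already. The jail.conf text and ifconfig output are constructed samples, 10.8.0.6 stands in for a VPN address whose interface is not up, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report jail ip4.addr values that no host interface carries.
# Sample data is constructed; on a real host feed in /etc/jail.conf and the
# output of `ifconfig -a`. Line-based parsing: one ip4.addr statement per line.

JAIL_CONF='costa {
    host.hostname = "costa.example.com";
    ip4.addr = 94.104.135.21;
    ip4.addr += 192.168.222.57;
    ip4.addr += 10.8.0.6;
}'

IFCONFIG_OUT='bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 94.104.135.21 netmask 0xffffff00 broadcast 94.104.135.255
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.222.57 netmask 0xffffff00 broadcast 192.168.222.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Print each ip4.addr value on its own line. Handles "=" and "+=",
# comma-separated lists, and the optional "iface|" prefix and "/mask" suffix.
jail_ip4_addrs() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*ip4\.addr[[:space:]]*[+]\{0,1\}=[[:space:]]*\(.*\);.*$/\1/p' |
        tr ',' '\n' |
        sed -e 's/[[:space:]"]//g' -e 's/^.*|//' -e 's/\/.*$//'
}

# Print every IPv4 address found in ifconfig output, whatever the interface.
host_ip4_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}

# Print the jail addresses that are absent from the host's address list.
missing_jail_addrs() {
    host=$(host_ip4_addrs "$2")
    for addr in $(jail_ip4_addrs "$1"); do
        printf '%s\n' "$host" | grep -Fxq -- "$addr" || printf '%s\n' "$addr"
    done
}

missing=$(missing_jail_addrs "$JAIL_CONF" "$IFCONFIG_OUT")
if [ -n "$missing" ]; then
    printf 'not on any host interface: %s\n' $missing
fi
```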