From owner-freebsd-net@FreeBSD.ORG Fri Oct 2 18:24:30 2009
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C7E4A1065670 for ; Fri, 2 Oct 2009 18:24:30 +0000 (UTC) (envelope-from remodeler@alentogroup.org)
Received: from courriel.marmotmail.com (courriel.marmotmail.com [85.17.36.172]) by mx1.freebsd.org (Postfix) with ESMTP id 88C6E8FC12 for ; Fri, 2 Oct 2009 18:24:30 +0000 (UTC)
Received: from bruce.epifora.com (localhost.local [127.0.0.1]) by courriel.marmotmail.com (Postfix) with ESMTP id E8A4323968C for ; Fri, 2 Oct 2009 21:39:19 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by bruce.epifora.com (Postfix) with ESMTP id 658A64761F9 for ; Fri, 2 Oct 2009 14:36:55 -0400 (EDT)
Received: from bruce.epifora.com ([127.0.0.1]) by localhost (bruce.epifora.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 27923-04 for ; Fri, 2 Oct 2009 14:36:53 -0400 (EDT)
Received: from alentogroup.org (localhost [127.0.0.1]) by bruce.epifora.com (Postfix) with ESMTP id 4545C4761F8 for ; Fri, 2 Oct 2009 14:36:53 -0400 (EDT)
From: "remodeler"
To: freebsd-net@freebsd.org
Date: Fri, 2 Oct 2009 14:36:53 -0400
Message-Id: <20091002181509.M38849@alentogroup.org>
In-Reply-To: <4AC4FD98.3000301@elischer.org>
References: <20091001173851.M50386@alentogroup.org> <4AC4FD98.3000301@elischer.org>
X-OriginatingIP: 127.0.0.1
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Subject: Re: vimage-assigning interface to jail
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 02 Oct 2009 18:24:30 -0000

Thank you to Julian for his kind response on my original question. I have succeeded with the "jail [...] vnet [...]" syntax Julian suggested.

I looked through the /etc/rc.d/jail script and discovered why I cannot start a vnet jail with the rc mechanism - the vnet parameter to jail requires the -c flag, and the /etc/rc.d/jail script uses alternate syntax precluding the -c flag (instead of named parameters, it uses the four fixed parameters of path, hostname, ip, and command).

I wonder if someone might help with a problem I am unable to resolve. I have no network connectivity from the vnet jail. I have opened the jail completely up for testing, mounting the host devfs, procfs, allowing raw sockets, and setting socket_unixiproute_only=0. I get the error message:

    PING 192.168.0.16 (192.168.0.16): 56 data bytes
    ping: sendto: No route to host

and

    vimage testvnet route get default
    route: writing to routing socket: No such process

I've read some of Julian's work on implementing FIBs (multiple kernel routing tables) - do I need to create and bind a route table (and socket) to the vnet? How do I do so?

Also, I developed a local rc.d script that flexibly combines starting my vnet'd service jails and initiating the netgraph subsystem to bridge the virtual network stacks (jails) and physical Ethernet interface using ng_ether, ng_eiface, and ng_bridge nodes. I intend to migrate the various security checks from /etc/rc.d/jail into my local script. That script uses a local configuration file with syntax similar to rc.conf for the jail values, but I don't see a clean way to load a netgraph configuration (and also notice there isn't a netgraph rc script, but examples for setting up local scripts). Is it a reasonable thought to parse a graphviz dot file for netgraph configuration in my script?

Thank you in advance.
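The setup the message describes (ng_bridge on the physical NIC, one ng_eiface per vnet jail, then addressing and routing done inside the jail's own stack), as an added example that is not the poster's script. Every vnet has its own routing table and lo0, so until the interface and default route are configured from inside the jail, ping reports "No route to host" and "route get default" fails with ESRCH. The PHYS_IF name, jail path, ngethN interface name and all addresses are assumptions.

```shell
#!/bin/sh
# Constructed example, not the poster's script: bridge a vnet jail onto a
# physical NIC with ng_bridge + ng_eiface, then give the jail's own network
# stack an address and a default route from inside the jail.
# DRY_RUN=1 prints the commands instead of executing them; PHYS_IF, the
# jail path, the ngethN name and all addresses are assumptions.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Hang an ng_bridge (named ${PHYS_IF}bridge) off the physical interface,
# connecting both its lower (wire) and upper (host stack) hooks.
setup_bridge() {
    phys=$1 br="${1}bridge"
    run ngctl mkpeer "${phys}:" bridge lower link0
    run ngctl name "${phys}:lower" "$br"
    run ngctl connect "${phys}:" "${br}:" upper link1
    run ngctl msg "${phys}:" setpromisc 1   # bridge must see all frames
    run ngctl msg "${phys}:" setautosrc 0   # keep original source MACs
}

# Create the jail with the new jail(8) syntax; "persist" keeps it alive
# with no process so the interface can be moved in afterwards.
create_jail() {
    name=$1 path=$2
    run jail -c name="$name" host.hostname="$name" path="$path" vnet persist
}

# $1 jail name, $2 ngeth interface the new eiface gets, $3 bridge link
# number, $4 address/prefix, $5 default gateway.
attach_jail() {
    name=$1 ifname=$2 link=$3 addr=$4 gw=$5 br="${PHYS_IF}bridge"
    run ngctl mkpeer "${br}:" eiface "link${link}" ether
    run ngctl name "${br}:link${link}" "${name}_eth"
    run ifconfig "$ifname" vnet "$name"           # move it into the vnet
    run jexec "$name" ifconfig lo0 inet 127.0.0.1/8 up
    run jexec "$name" ifconfig "$ifname" inet "$addr" up
    run jexec "$name" route add default "$gw"     # routes live in the vnet
}

PHYS_IF=${PHYS_IF:-em0}

# Uncomment to bring up one jail (as root, with netgraph modules loaded):
# setup_bridge "$PHYS_IF"
# create_jail testvnet /jails/testvnet
# attach_jail testvnet ngeth0 2 192.168.0.16/24 192.168.0.1
```

With DRY_RUN=1 the functions print the exact ngctl, jail, ifconfig and jexec commands, which is a convenient way to check a generated configuration before running it as root.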