From owner-freebsd-questions@freebsd.org  Fri Feb 26 11:52:57 2016
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C72F3AB51A6
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Fri, 26 Feb 2016 11:52:57 +0000 (UTC)
 (envelope-from sascha.biberhofer@univie.ac.at)
Received: from mail.geekosphere.org (mail.geekosphere.org
 [IPv6:2a01:4f8:190:13e3::3])
 by mx1.freebsd.org (Postfix) with ESMTP id 94E21151B
 for <freebsd-questions@freebsd.org>; Fri, 26 Feb 2016 11:52:57 +0000 (UTC)
 (envelope-from sascha.biberhofer@univie.ac.at)
Received: from localhost (unknown
 [IPv6:2a02:8109:1dbf:f168:6267:20ff:feae:5ea0])
 by mail.geekosphere.org (Postfix) with ESMTPSA id A2BADFB64D
 for <freebsd-questions@freebsd.org>; Fri, 26 Feb 2016 11:52:55 +0000 (UTC)
Date: Fri, 26 Feb 2016 12:53:35 +0100
From: Sascha Biberhofer <s.biberhofer@sphericalelephant.com>
To: User Questions <freebsd-questions@freebsd.org>
Subject: Jails, loopback-addresses and IPv6
Message-ID: <20160226115335.GC1279@phosphorus>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2016 11:52:57 -0000

When setting up jails, the handbook mentions [1] that the
loopback-address is an "alias" for the first IP-address assigned to that
jail. In particular, listening on the loopback-address seems to be
equivalent to listening on that IP, which might well be a globally
reachable address. This - as far as I have understood this - leads one
to create another loopback-device (e.g. lo1) and assign
loopback-addresses like lo1|127.0.1.* to the jail and use stuff like pf
to prevent other jails from accessing loopback-addresses not belonging
to them (please correct me if I'm wrong on this).  

However, with IPv6, one has exactly one loopback-address (::1/128),
hence such a setup can't easily be replicated. Is there any commonplace
way to solve this? I could probably assign ULAs to each jail as the
first IPv6-address, but this seems like a cumbersome workaround. People
have also suggested switching to VIMAGE, which - as far as I can tell -
isn't ready for production. 

Any thoughts/ideas/suggestions on this would be greatly appreciated.

Cheers,
Sascha


[1] https://www.freebsd.org/doc/handbook/jails-ezjail.html  14.6.1