Date: Sat, 22 Nov 2008 02:24:19 +0100
From: Ruben van Staveren <ruben@verweg.com>
To: Ruslan Ermilov <ru@freebsd.org>
Cc: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, freebsd-jail@freebsd.org
Subject: Re: can jail use 2 NICS?
Message-ID: <7CE62E42-B1C2-4D4E-860B-C4F2F5849ABE@verweg.com>
In-Reply-To: <20081121202316.GB28339@edoofus.dev.vega.ru>
References: <EEBDDC3B-CE47-46F0-B5D3-1FDBDB77E721@verweg.com> <20081116101126.T61259@maildrop.int.zabbadoz.net> <D8D53A5B-5092-435C-BECB-E8100DD00BA9@verweg.com> <20081116135929.S61259@maildrop.int.zabbadoz.net> <20081121202316.GB28339@edoofus.dev.vega.ru>

Hi,

On 21 Nov 2008, at 21:23, Ruslan Ermilov wrote:

> Hi,
>
> Have been traveling, hence long "no reply"...
>
> On Sun, Nov 16, 2008 at 02:10:35PM +0000, Bjoern A. Zeeb wrote:
>> So the basic idea could be to only have
>> jail_<name>_ip=""
>> jail_<name>_ip6=""
>>
>> and each of them would have a format like:
>>
>> [iface|]address[/prefix]
>
> I'd suggest [iface:] instead.

This will get a bit ambiguous when IPv6 addresses are used...

>> where iface and prefix are optional and prefix only makes sense if
>> iface is given?
>>
>> If iface is given it means configure the address with prefix to the
>> given interface; if prefix is not given the default would be /32 for
>> ipv4 and /128 for ipv6.

Yes, and I prefer the prefix notation above the subnet mask one.

Related, I still need to look at ifconfig canonicalizing stuff like
2001:888:1029::192.168.1.129 before operating on the interface
structure.
This helps in

ifconfig delete <iface> 2001:888:1029::192.168.1.129

currently this does not work because on ifconfig up the value is
converted to
2001:888:1029::c0a8:181

>> So now this would give really long and complicated lines in rc.conf.
>> Do you think we could have something like the _alias<N> for interface
>> addresses so that it would be like:
>>
>> jail_<name>_ip=""         # default
>> jail_<name>_ip_multi0=""  # second IP of the jail
>> jail_<name>_ip_multi1=""  # third IP of the jail
>> jail_<name>_ip_multi2=""  # 4th IP of the jail
>>
>> and similar for IPv6?
>>
>> (multi might not be the best suffix)
>>
>> Something along those lines?

From a user point of view, it will make a messy configuration. it
might be more preferable then to have something in the order of

jail "<name>" {
	iface <iface>
	prefix <pfxlen>
	addr [<iface>] <addr1>[/<pfxlen>]
	addr [<iface>] <addr1>[/<pfxlen>]
	...
}

For Bjoern I think something like this in an /etc/jail.conf will mark
a clear separation between rc.conf and jail management ?

>> Ruslan, what do you think about something like that? We could have
>> that for HEAD and 7 just now and add the _multi<N> support with the
>> multi-IP jail patches? Could you and Ruben work together to build
>> this?
>>
> I think this is a good idea. My workaround with routes
> I mentioned doesn't actually work, so currently we use
> a version from HEAD on our production servers, and the
> modified version of ezjail port that supports netmasks.

The route thing, is that the setfib configuration from HEAD ?

>
> Cheers,
> --
> Ruslan Ermilov
> ru@FreeBSD.org
> FreeBSD committer

Regards,
Ruben
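
Added example, not part of the original message or of any FreeBSD code: a Python sketch of the `[iface|]address[/prefix]` format discussed above, showing why an `iface:` separator is ambiguous for IPv6 and how canonicalizing makes the two spellings of the address in the message compare equal. The function names are hypothetical, and every sample value except that address is constructed.

```python
import ipaddress

def try_addr(text):
    """Parse address[/prefix]; a missing prefix defaults to /32 or /128."""
    try:
        return ipaddress.ip_interface(text)
    except ValueError:
        return None

def readings(spec, sep):
    """Return every valid reading of spec as [iface<sep>]address[/prefix]."""
    found = []
    bare = try_addr(spec)
    if bare is not None:
        found.append((None, bare))
    iface, had_sep, rest = spec.partition(sep)
    addr = try_addr(rest) if had_sep and iface else None
    if addr is not None:
        found.append((iface, addr))
    return found

def parse(spec, sep="|"):
    """Accept spec only when exactly one reading exists."""
    found = readings(spec, sep)
    if len(found) != 1:
        raise ValueError(f"{spec!r}: {len(found)} readings with separator {sep!r}")
    return found[0]

def canonical(addr):
    """Canonical text form, for comparing addresses written differently."""
    return str(ipaddress.ip_address(addr))

if __name__ == "__main__":
    # Constructed samples (documentation prefixes); "de0" is an interface
    # name that is also a valid hexadecimal IPv6 group.
    for spec, sep in [("em0|192.0.2.10", "|"), ("em0|2001:db8::1/64", "|"),
                      ("em0:192.0.2.10", ":"), ("de0:2001:db8::1", ":"),
                      ("2001:db8::1", ":")]:
        print(sep, spec, [(i, str(a)) for i, a in readings(spec, sep)])
    # The address quoted in the message, in its canonical form.
    print(canonical("2001:888:1029::192.168.1.129"))
```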