From: Arthur Chance
To: Sascha Biberhofer, User Questions
Subject: Re: Jails, loopback-addresses and IPv6
Date: Fri, 26 Feb 2016 12:56:55 +0000
Message-ID: <56D04B97.1050202@qeng-ho.org>
In-Reply-To: <20160226115335.GC1279@phosphorus>

On 26/02/2016 11:53, Sascha Biberhofer wrote:
> When setting up jails, the handbook mentions [1] that the
> loopback-address is an "alias" for the first IP-address assigned to that
> jail. In particular, listening on the loopback-address seems to be
> equivalent to listening on that IP, which might well be a globally
> reachable address. This - as far as I have understood this - leads one
> to create another loopback-device (e.g. lo1) and assign
> loopback-addresses like lo1|127.0.1.* to the jail and use stuff like pf
> to prevent other jails from accessing loopback-addresses not belonging
> to them (please correct me if I'm wrong on this).

That's pretty much it. If you look at the networking code, in a jail an
address of 127.0.0.1, either as source or destination, is rewritten as
the primary address of the jail.

Ignoring jails, the IPv4 networking code knows of both loopback addresses
(127.*) and loopback devices (lo*) and ensures that packets containing
loopback addresses (in either source or destination fields) are dropped
on non-loopback devices. This means jails on 127.* can only talk to the
outside world if you have NAT in place.

If all jails are assigned lo1|127.0.1.*/24 addresses then they can all
talk to each other freely (and the host if it has such an address). If
you wish to control communication between jails you need a firewall. If
however you simply don't want jails to be able to talk to each other, I
think giving them 127.0.1.*/32 addresses should work, alternatively give
them 127.x.y.1/24 addresses.

> However, with IPv6, one has exactly one loopback-address (::1/128),
> hence such a setup can't easily be replicated. Is there any commonplace
> way to solve this? I could probably assign ULAs to each jail as the
> first IPv6-address, but this seems like a cumbersome workaround. People
> have also suggested switching to VIMAGE, which - as far as I can tell -
> isn't ready for production.
>
> Any thoughts/ideas/suggestions on this would be greatly appreciated.

Warning: I haven't yet converted my systems to use IPv6 (my ISP has only
just started supporting it and I have to find time to sort it out) so
the following is purely theoretical on my part.

Yes, there's only one loopback address, and for most purposes it's just
another unicast address. ULAs are also normal unicast addresses, they
merely have the qualification that they should not be seen outside your
administrative domain. A badly configured router might let them through,
which is why 40 bits of the 48 bit prefix are supposed to be randomly
generated, to avoid collisions.

There are also link local addresses (fe80::/10, the equivalent of
169.254.*/16) which can only be seen on the one interface. These might be
useful for jails, depending on what you want to do.

As for VIMAGE, many people are happily using it but officially it's not
ready for production work. The latest news was in the January FreeBSD
Foundation newsletter
https://www.freebsdfoundation.org/press/2016janupdate.pdf (PDF). TL;DR
version: probably in Release 11.0.

-- 
Moore's Law of Mad Science: Every eighteen months, the minimum IQ
necessary to destroy the world drops by one point.
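An added example, not part of this thread, that audits the IPv4 loopback assignments the reply describes: it reads a constructed jail.conf and reports which jails sit on the same loopback subnet, so jails sharing lo1|127.0.1.*/24 are flagged as "shared" while per-jail /32 addresses or distinct 127.x.y.1/24 subnets come out "isolated". The jail names, interface and addresses are assumed sample values.

```shell
#!/bin/sh
# Constructed sample jail.conf (not from the thread): www and db share a
# /24 on lo1, cache has a /32, mail has its own /24, dmz is not on loopback.
SAMPLE_JAIL_CONF='
www   { ip4.addr = "lo1|127.0.1.1/24"; }
db    { ip4.addr = "lo1|127.0.1.2/24"; }
cache { ip4.addr = "lo1|127.0.1.3/32"; }
mail  { ip4.addr = "lo1|127.2.0.1/24"; }
dmz   { ip4.addr = "em0|192.0.2.10/24"; }
'

# Read jail.conf on stdin and print "<jail> <iface> <addr> <plen> <verdict>"
# for every 127.* assignment. Jails whose loopback address falls in the same
# subnet as another jail's can reach each other without a firewall.
audit_jail_loopback() {
    awk '
        function ip2int(a,   o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        /^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*[{]/ { name = $1 }
        /ip4\.addr/ {
            s = $0; sub(/.*=[[:space:]]*"?/, "", s); sub(/"?;.*$/, "", s)   # keep iface|addr
            n = split(s, parts, "|"); iface = (n == 2) ? parts[1] : "-"; addr = parts[n]
            plen = 32
            if (index(addr, "/")) { split(addr, ap, "/"); addr = ap[1]; plen = ap[2] + 0 }
            if (addr !~ /^127\./) next                 # only loopback addresses matter here
            key = int(ip2int(addr) / 2 ^ (32 - plen)) "/" plen   # network number + prefix
            cnt[key]++; r = ++m
            jname[r] = name; jiface[r] = iface; jaddr[r] = addr; jplen[r] = plen; jkey[r] = key
        }
        END {
            for (i = 1; i <= m; i++)
                print jname[i], jiface[i], jaddr[i], jplen[i], (cnt[jkey[i]] > 1 ? "shared" : "isolated")
        }
    '
}

# Number of jails on a loopback subnet shared with another jail.
count_shared() {
    printf '%s\n' "$SAMPLE_JAIL_CONF" | audit_jail_loopback | awk '$5 == "shared" { n++ } END { print n + 0 }'
}

# Verdict for one jail by name (empty if the jail has no 127.* address).
verdict_for() {
    printf '%s\n' "$SAMPLE_JAIL_CONF" | audit_jail_loopback | awk -v j="$1" '$1 == j { print $5 }'
}

printf '%s\n' "$SAMPLE_JAIL_CONF" | audit_jail_loopback
```

Pipe a real /etc/jail.conf into audit_jail_loopback to see which jails would need pf rules to stay separate.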