From: Arsenij Solovjev
Date: Wed, 14 Oct 2020 14:18:36 +0200
Subject: vnet Jail on a non-dedicated network interface
To: freebsd-jail@freebsd.org

Hi all!
Does anybody know if it's possible to run a vnet jail on a non-dedicated
interface? I have the Lucas book on jails. In it he says that for vnet you
need to pick a dedicated interface, remove all networking IP configuration
and only bring it up. Afterwards you set up jib and whatnot.

All works well if I use a dedicated secondary interface (let's call it
em1). If I use em0 however I cannot ping the jail.

I would like to have a host that has a single network interface which
is used for both normal networking stuff as well as having the vnet jail
run on it.

Maybe I could create some sort of virtual interface and run vnet on it?

Any ideas here? Thanks in advance!

Arsenij

From: "Kristof Provost"
To: "Arsenij Solovjev"
Cc: freebsd-jail@freebsd.org
Subject: Re: vnet Jail on a non-dedicated network interface
Date: Wed, 14 Oct 2020 14:42:24 +0200

On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote:
> Hi all!
> Does anybody know if it's possible to run a vnet jail on a non-dedicated
> interface? I have the Lucas book on jails. In it he says that for vnet you
> need to pick a dedicated interface, remove all networking IP configuration
> and only bring it up. Afterwards you set up jib and whatnot.
>
> All works well if I use a dedicated secondary interface (let's call it
> em1). If I use em0 however I cannot ping the jail.
>
> I would like to have a host that has a single network interface which
> is used for both normal networking stuff as well as having the vnet jail
> run on it.
>
> Maybe I could create some sort of virtual interface and run vnet on it?
>
> Any ideas here? Thanks in advance!
>
Look at epair interfaces.

You can put em0 and epair0a in a bridge together and add epair0b to the
vnet jail.
That gets the vnet jail connected to your LAN.

Or you can skip the bridge, assign an IP to epair0a and route between
the jail and your LAN.

Regards,
Kristof

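The two layouts suggested in the reply above (bridging em0 with epair0a, or routing through epair0a), written out as an added example that is not part of the thread. The script only prints the FreeBSD commands for review and checks bridge membership in captured ifconfig output; the names bridge0 and demo and the 192.0.2.0/30 transfer network are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. It only prints commands; review the
# output, then run the commands by hand as root on the FreeBSD host.
# Assumptions: bridge0, the jail name "demo" and the 192.0.2.0/30 transfer
# network are constructed placeholders.

PHYS=em0          # the host's only NIC; it keeps serving the host
PAIR=epair0       # creates epair0a (host end) and epair0b (jail end)
BRIDGE=bridge0
JAIL=demo

# Layout 1: bridge the NIC with the host end of the epair, so the jail
# shares the LAN's layer-2 segment.
plan_bridged() {
    cat <<EOF
ifconfig ${PAIR} create
ifconfig ${BRIDGE} create
ifconfig ${BRIDGE} addm ${PHYS} addm ${PAIR}a up
ifconfig ${PAIR}a up
EOF
}

# Layout 2: no bridge; the host end gets an address and the host routes
# between the jail and the LAN.
# $1 = host-end address, $2 = jail address, $3 = prefix length.
plan_routed() {
    cat <<EOF
ifconfig ${PAIR} create
ifconfig ${PAIR}a inet $1/$3 up
sysctl net.inet.ip.forwarding=1
# inside the jail:
ifconfig ${PAIR}b inet $2/$3 up
route add default $1
EOF
}

# jail.conf fragment for either layout: hand the jail end to the vnet jail.
jail_conf() {
    cat <<EOF
${JAIL} {
    vnet;
    vnet.interface = "${PAIR}b";
}
EOF
}

# Print the member interfaces found in `ifconfig <bridge>` output (stdin).
bridge_members() {
    awk '$1 == "member:" { print $2 }'
}

# Read `ifconfig <bridge>` output on stdin; succeed only if every
# interface given as an argument is a bridge member.
has_members() {
    members=$(bridge_members)
    for want in "$@"; do
        printf '%s\n' "$members" | grep -qxF -- "$want" || return 1
    done
}

# Bridge section of the host ifconfig output posted later in this thread
# (the flag names are missing there as well).
sample_bridge() {
    cat <<'EOF'
em0bridge: flags=8843 metric 0 mtu 1500
        ether 02:13:0b:48:53:00
        member: e0a_sambaad flags=143
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: em0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 20000
EOF
}

plan_bridged
jail_conf
plan_routed 192.0.2.1 192.0.2.2 30
sample_bridge | has_members em0 e0a_sambaad && echo "bridge has both members"
```

In the routed layout the LAN also needs a route to the jail's subnet via the host, or the host has to NAT; neither is covered here.
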
From: Arsenij Solovjev
Date: Wed, 14 Oct 2020 15:36:12 +0200
Subject: Re: vnet Jail on a non-dedicated network interface
To: kp@freebsd.org, freebsd-jail@freebsd.org

On Wed, 14 Oct 2020 at 14:42, Kristof Provost wrote:

> On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote:
> > Hi all!
> > Does anybody know if it's possible to run a vnet jail on a non-dedicated
> > interface? I have the Lucas book on jails. In it he says that for vnet you
> > need to pick a dedicated interface, remove all networking IP configuration
> > and only bring it up. Afterwards you set up jib and whatnot.
> >
> > All works well if I use a dedicated secondary interface (let's call it
> > em1). If I use em0 however I cannot ping the jail.
> >
> > I would like to have a host that has a single network interface which
> > is used for both normal networking stuff as well as having the vnet jail
> > run on it.
> >
> > Maybe I could create some sort of virtual interface and run vnet on it?
> >
> > Any ideas here? Thanks in advance!
> >
> Look at epair interfaces.
>
> You can put em0 and epair0a in a bridge together and add epair0b to the
> vnet jail.
> That gets the vnet jail connected to your LAN.
>
> Or you can skip the bridge, assign an IP to epair0a and route between
> the jail and your LAN.
>
> Regards,
> Kristof
>

Hi Kristof,

Thanks for your reply!

Considering your first idea. I did this, the jail gets created seemingly
fine. However I cannot ping the IP of epair0b (this works when using a
dedicated interface).
Also I cannot reach my gateway from within the jail. This too works when
using a dedicated interface.
Btw I have "sysctl security.jail.allow_raw_sockets=1".
Here is my host ifconfig when putting em0 and epair0a in a bridge:

em0: flags=8943 metric 0 mtu 1500
        options=812099
        ether 9a:4c:eb:b5:95:bf
        inet 172.18.20.145 netmask 0xffffff00 broadcast 172.18.20.255
        media: Ethernet autoselect (1000baseT )
        status: active
        nd6 options=29
jailether: flags=8843 metric 0 mtu 1500
        options=81209b
        ether 56:39:b7:c5:2e:ec
        media: Ethernet autoselect (1000baseT )
        status: active
        nd6 options=29
lo0: flags=8049 metric 0 mtu 16384
        options=680003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        inet 10.43.84.1 netmask 0xffffff00
        groups: lo
        nd6 options=21
em0bridge: flags=8843 metric 0 mtu 1500
        ether 02:13:0b:48:53:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: e0a_sambaad flags=143
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: em0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge
        nd6 options=1
e0a_sambaad: flags=8943 metric 0 mtu 1500
        options=8
        ether 02:a4:c4:b5:95:bf
        hwaddr 02:78:fd:34:e8:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T )
        status: active
        nd6 options=29

Here's the ifconfig from within my jail:

lo0: flags=8049 metric 0 mtu 16384
        options=680003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21
e0b_sambaad: flags=8843 metric 0 mtu 1500
        options=8
        ether 0e:a4:c4:b5:95:bf
        hwaddr 02:78:fd:34:e8:0b
        inet 172.18.20.197 netmask 0xffffff00 broadcast 172.18.20.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T )
        status: active
        nd6 options=29

The rc.conf in my jail contains the following:

ifconfig_e0b_sambaad="172.18.20.197/24"
defaultrouter="172.18.20.1"

And last but not least, here's my jail.conf:

Samba-AD_sambaad{
    allow.mount.devfs="true";
    vnet.interface="e0b_sambaad";
    exec.prestart="/usr/local/scripts/jib addm sambaad em0";
    exec.poststop="/usr/local/scripts/jib destroy sambaad";
    sysvshm="new";
    sysvmsg="new";
    host.hostname="sambaad";
    exec.start="'/etc/rc'";
    allow.mount.fdescfs="true";
    devfs_ruleset="6";
    sysvsem="new";
    allow.mount.procfs="true";
    enforce_statfs="2";
    exec.stop="'/etc/rc.shutdown'";
    mount.devfs="true";
    path="/cs/systemJheap/Samba-AD/j/sambaad/root";
    vnet="new";
    allow.raw_sockets="true";
    allow.mount="true";
}

Do you have an idea why I cannot ping my jail from within my network when
using a non-dedicated interface?

BR
Arsenij

From: "Kristof Provost"
To: "Arsenij Solovjev"
Cc: freebsd-jail@freebsd.org
Subject: Re: vnet Jail on a non-dedicated network interface
Date: Wed, 14 Oct 2020 15:41:01 +0200

On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote:
> On Wed, 14 Oct 2020 at 14:42, Kristof Provost wrote:
>
>> On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote:
>>> Hi all!
>>> Does anybody know if it's possible to run a vnet jail on a non-dedicated
>>> interface? I have the Lucas book on jails. In it he says that for vnet you
>>> need to pick a dedicated interface, remove all networking IP configuration
>>> and only bring it up. Afterwards you set up jib and whatnot.
>>>
>>> All works well if I use a dedicated secondary interface (let's call it
>>> em1). If I use em0 however I cannot ping the jail.
>>>
>>> I would like to have a host that has a single network interface which
>>> is used for both normal networking stuff as well as having the vnet jail
>>> run on it.
>>>
>>> Maybe I could create some sort of virtual interface and run vnet on it?
>>>
>>> Any ideas here? Thanks in advance!
>>>
>> Look at epair interfaces.
>>
>> You can put em0 and epair0a in a bridge together and add epair0b to the
>> vnet jail.
>> That gets the vnet jail connected to your LAN.
>>
>> Or you can skip the bridge, assign an IP to epair0a and route between
>> the jail and your LAN.
>>
>> Regards,
>> Kristof
>>
>
> Hi Kristof,
>
> Thanks for your reply!
>
> Considering your first idea. I did this, the jail gets created seemingly
> fine. However I cannot ping the IP of epair0b (this works when using a
> dedicated interface).
> Also I cannot reach my gateway from within the jail. This too works when
> using a dedicated interface.
> Btw I have "sysctl security.jail.allow_raw_sockets=1".
> Here is my host ifconfig when putting em0 and epair0a in a bridge:
>
> em0: flags=8943 metric 0 mtu 1500
>         options=812099
>         ether 9a:4c:eb:b5:95:bf
>         inet 172.18.20.145 netmask 0xffffff00 broadcast 172.18.20.255
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         nd6 options=29
> jailether: flags=8843 metric 0 mtu 1500
>         options=81209b
>         ether 56:39:b7:c5:2e:ec
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         nd6 options=29
> lo0: flags=8049 metric 0 mtu 16384
>         options=680003
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>         inet 127.0.0.1 netmask 0xff000000
>         inet 10.43.84.1 netmask 0xffffff00
>         groups: lo
>         nd6 options=21
> em0bridge: flags=8843 metric 0 mtu 1500
>         ether 02:13:0b:48:53:00
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: e0a_sambaad flags=143
>                 ifmaxaddr 0 port 5 priority 128 path cost 2000
>         member: em0 flags=143
>                 ifmaxaddr 0 port 1 priority 128 path cost 20000
>         groups: bridge
>         nd6 options=1
> e0a_sambaad: flags=8943 metric 0 mtu 1500
>         options=8
>         ether 02:a4:c4:b5:95:bf
>         hwaddr 02:78:fd:34:e8:0a
>         groups: epair
>         media: Ethernet 10Gbase-T (10Gbase-T )
>         status: active
>         nd6 options=29
>
> Here's the ifconfig from within my jail:
>
> lo0: flags=8049 metric 0 mtu 16384
>         options=680003
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
>         inet 127.0.0.1 netmask 0xff000000
>         groups: lo
>         nd6 options=21
> e0b_sambaad: flags=8843 metric 0 mtu 1500
>         options=8
>         ether 0e:a4:c4:b5:95:bf
>         hwaddr 02:78:fd:34:e8:0b
>
This is odd. Are you assigning a new MAC address to the epair interfaces
somewhere? Both ends of the epair seem to have a new MAC address, and
the same one at that.

Regards,
Kristof

From: Arsenij Solovjev
Date: Wed, 14 Oct 2020 15:51:57 +0200
Subject: Re: vnet Jail on a non-dedicated network interface
To: Kristof Provost
Cc: freebsd-jail@freebsd.org

On Wed, 14 Oct 2020 at 15:41, Kristof Provost wrote:

> On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote:
> > On Wed, 14 Oct 2020 at 14:42, Kristof Provost wrote:
> >
> >> On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote:
> >>> Hi all!
> >>> Does anybody know if it's possible to run a vnet jail on a non-dedicated
> >>> interface? I have the Lucas book on jails. In it he says that for vnet you
> >>> need to pick a dedicated interface, remove all networking IP configuration
> >>> and only bring it up. Afterwards you set up jib and whatnot.
> >>>
> >>> All works well if I use a dedicated secondary interface (let's call it
> >>> em1). If I use em0 however I cannot ping the jail.
> >>>
> >>> I would like to have a host that has a single network interface which
> >>> is used for both normal networking stuff as well as having the vnet jail
> >>> run on it.
> >>>
> >>> Maybe I could create some sort of virtual interface and run vnet on it?
> >>>
> >>> Any ideas here? Thanks in advance!
> >>>
> >> Look at epair interfaces.
> >>
> >> You can put em0 and epair0a in a bridge together and add epair0b to the
> >> vnet jail.
> >> That gets the vnet jail connected to your LAN.
> >>
> >> Or you can skip the bridge, assign an IP to epair0a and route between
> >> the jail and your LAN.
> >>
> >> Regards,
> >> Kristof
> >>
> >
> > Hi Kristof,
> >
> > Thanks for your reply!
> >
> > Considering your first idea. I did this, the jail gets created seemingly
> > fine. However I cannot ping the IP of epair0b (this works when using a
> > dedicated interface).
> > Also I cannot reach my gateway from within the jail. This too works when
> > using a dedicated interface.
> > Btw I have "sysctl security.jail.allow_raw_sockets=1".
> > Here is my host ifconfig when putting em0 and epair0a in a bridge:
> >
> > em0: flags=8943 metric 0 mtu 1500
> >         options=812099
> >         ether 9a:4c:eb:b5:95:bf
> >         inet 172.18.20.145 netmask 0xffffff00 broadcast 172.18.20.255
> >         media: Ethernet autoselect (1000baseT )
> >         status: active
> >         nd6 options=29
> > jailether: flags=8843 metric 0 mtu 1500
> >         options=81209b
> >         ether 56:39:b7:c5:2e:ec
> >         media: Ethernet autoselect (1000baseT )
> >         status: active
> >         nd6 options=29
> > lo0: flags=8049 metric 0 mtu 16384
> >         options=680003
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> >         inet 127.0.0.1 netmask 0xff000000
> >         inet 10.43.84.1 netmask 0xffffff00
> >         groups: lo
> >         nd6 options=21
> > em0bridge: flags=8843 metric 0 mtu 1500
> >         ether 02:13:0b:48:53:00
> >         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> >         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> >         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> >         member: e0a_sambaad flags=143
> >                 ifmaxaddr 0 port 5 priority 128 path cost 2000
> >         member: em0 flags=143
> >                 ifmaxaddr 0 port 1 priority 128 path cost 20000
> >         groups: bridge
> >         nd6 options=1
> > e0a_sambaad: flags=8943 metric 0 mtu 1500
> >         options=8
> >         ether 02:a4:c4:b5:95:bf
> >         hwaddr 02:78:fd:34:e8:0a
> >         groups: epair
> >         media: Ethernet 10Gbase-T (10Gbase-T )
> >         status: active
> >         nd6 options=29
> >
> > Here's the ifconfig from within my jail:
> >
> > lo0: flags=8049 metric 0 mtu 16384
> >         options=680003
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
> >         inet 127.0.0.1 netmask 0xff000000
> >         groups: lo
> >         nd6 options=21
> > e0b_sambaad: flags=8843 metric 0 mtu 1500
> >         options=8
> >         ether 0e:a4:c4:b5:95:bf
> >         hwaddr 02:78:fd:34:e8:0b
> >
> This is odd. Are you assigning a new MAC address to the epair interfaces
> somewhere? Both ends of the epair seem to have a new MAC address, and
> the same one at that.
>
> Regards,
> Kristof
>

Not explicitly, no, I let the jib script do the epair creation.

bh=c9VeCGrcIjABKrAxMei7OITTbCIMHeouTbL6GLcCwzs=; b=V2DvX6d5oARD41Qxc9Nif728rqd5x6wo9Y+R8g9ltIPvql+gKvlrnK9T5NY1H9wtXW 54yzZhXgAFHFObNDw8bp/BV2LExagxBmpUq9uTYqnrSRbdBiwRbfU9BCtOG3882qPULZ RvuwE5Pc1c662mt9PImLlUrbnel25RUyleDv+U4QtaZ83LblcJA4VoC0qr7/4ux4ybTk y467T7C2nzunNG4iRq2TuxAPK8yseZBC+2dxYSYIdkhccdnKNxEPipP8mJbYeDxAxjeC C/JIUgN4+SG2PvxUIum7MyAgrFvKcVlN8u0E87Arn9udRow0LJhdAFYmcVuBGdYgkYnv 8Ccg== X-Gm-Message-State: AOAM533yFAdQNGUXlohHT++DmNWExHZkkpF2rQH5eC3m1AmgCxLuWozY tUSL41HsoOhTaigIOGUdSuD3Ol2XWjiFTpPgn7WZ6dJH X-Google-Smtp-Source: ABdhPJwnwdFn9NJukVQNFV7x9On3yODY/Qau5mlsfxXl56Lo1w7QbDjTHAtGF3gh+GnFyBiU4DttcWm2WoDy7z0j5NM= X-Received: by 2002:a05:6e02:1073:: with SMTP id q19mr3903924ilj.55.1602683718334; Wed, 14 Oct 2020 06:55:18 -0700 (PDT) MIME-Version: 1.0 References: <3F8DAE0C-0EA1-40C5-9825-262F547E1954@FreeBSD.org> In-Reply-To: From: Arsenij Solovjev Date: Wed, 14 Oct 2020 15:55:07 +0200 Message-ID: Subject: Re: vnet Jail on a non-dedicated network interface To: Kristof Provost Cc: freebsd-jail@freebsd.org X-Rspamd-Queue-Id: 4CBDSl5vjzz41kM X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.33 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Oct 2020 13:55:20 -0000 Btw, an important detail I left out, I'm running a Samba DC with Bind9 inside the jail. Maybe this interferes somehow? On Wed, 14 Oct 2020 at 15:41, Kristof Provost wrote: > On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote: > > On Wed, 14 Oct 2020 at 14:42, Kristof Provost wrote: > > > >> On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote: > >>> Hi all! 
> >>> Does anybody know if it's possible to run a vnet jail on a > >>> non-dedicated > >>> interface? I have the Lucas book on jails. In it he says that for > >>> vnet > >>> you > >>> need to pick a dedicated interface, remove all networking IP > >>> configuration > >>> and only bring it up. Afterwards you set up jib and whatnot. > >>> > >>> All works well if I use a dedicated secondary interface (let's call > >>> it > >>> em1). If I use em0 however I cannot ping the jail. > >>> > >>> I would like to have a host with that has a single network interface > >>> which > >>> is used for both normal networking stuff as well as having the vnet > >>> jail > >>> run on it. > >>> > >>> Maybe I could create some sort of virtual interface and run vnet on > >>> it? > >>> > >>> Any ideas here? Thanks in advance! > >>> > >> Look at epair interfaces. > >> > >> You can put em0 and epair0a in a bridge together and add epair0b to > >> the > >> vnet jail. > >> That gets the vnet jail connected to your LAN. > >> > >> Or you can skip the bridge, assign an IP to epair0a and route between > >> the jail and your LAN. > >> > >> Regards, > >> Kristof > >> > > > > Hi Kristof, > > > > Thanks for your reply! > > > > considering your first idea. I did this, the jail gets created > > seemingly > > fine. However I cannot ping the ip of epair0b (this works when using a > > dedicated interface). > > Also I cannot reach my gateway from within the jail. This too works > > when > > using a dedicated interface. > > Btw I have "sysctl security.jail.allow_raw_sockets=1". 
> > Here is my host ifconfig when putting em0 and epair0a in a bridge:
> >
> > em0: flags=8943 metric 0 mtu 1500
> >         options=812099
> >         ether 9a:4c:eb:b5:95:bf
> >         inet 172.18.20.145 netmask 0xffffff00 broadcast 172.18.20.255
> >         media: Ethernet autoselect (1000baseT )
> >         status: active
> >         nd6 options=29
> > jailether: flags=8843 metric 0 mtu 1500
> >         options=81209b
> >         ether 56:39:b7:c5:2e:ec
> >         media: Ethernet autoselect (1000baseT )
> >         status: active
> >         nd6 options=29
> > lo0: flags=8049 metric 0 mtu 16384
> >         options=680003
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> >         inet 127.0.0.1 netmask 0xff000000
> >         inet 10.43.84.1 netmask 0xffffff00
> >         groups: lo
> >         nd6 options=21
> > em0bridge: flags=8843 metric 0 mtu 1500
> >         ether 02:13:0b:48:53:00
> >         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> >         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> >         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> >         member: e0a_sambaad flags=143
> >                 ifmaxaddr 0 port 5 priority 128 path cost 2000
> >         member: em0 flags=143
> >                 ifmaxaddr 0 port 1 priority 128 path cost 20000
> >         groups: bridge
> >         nd6 options=1
> > e0a_sambaad: flags=8943 metric 0 mtu 1500
> >         options=8
> >         ether 02:a4:c4:b5:95:bf
> >         hwaddr 02:78:fd:34:e8:0a
> >         groups: epair
> >         media: Ethernet 10Gbase-T (10Gbase-T )
> >         status: active
> >         nd6 options=29
> >
> > Here's the ifconfig from within my jail:
> >
> > lo0: flags=8049 metric 0 mtu 16384
> >         options=680003
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
> >         inet 127.0.0.1 netmask 0xff000000
> >         groups: lo
> >         nd6 options=21
> > e0b_sambaad: flags=8843 metric 0 mtu 1500
> >         options=8
> >         ether 0e:a4:c4:b5:95:bf
> >         hwaddr 02:78:fd:34:e8:0b
> >
> This is odd. Are you assigning a new MAC address to the epair interfaces
> somewhere? Both ends of the epair seem to have a new MAC address, and
> the same one at that.
>
> Regards,
> Kristof
>

From owner-freebsd-jail@freebsd.org Wed Oct 14 15:14:56 2020
Message-ID: <5F8715ED.8020606@gmail.com>
Date: Wed, 14 Oct 2020 11:14:53 -0400
From: Ernie Luzar
To: Arsenij Solovjev
CC: Kristof Provost, freebsd-jail@freebsd.org
Subject: Re: vnet Jail on a non-dedicated network interface
References: <3F8DAE0C-0EA1-40C5-9825-262F547E1954@FreeBSD.org>

Arsenij Solovjev wrote:
> On Wed, 14 Oct 2020 at 15:41, Kristof Provost wrote:
>
>> On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote:
>>> On Wed, 14 Oct 2020 at 14:42, Kristof Provost wrote:
>>>
>>>> On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote:
>>>>> Hi all!
>>>>> Does anybody know if it's possible to run a vnet jail on a non-dedicated
>>>>> interface? I have the Lucas book on jails. In it he says that for vnet you
>>>>> need to pick a dedicated interface, remove all networking IP configuration
>>>>> and only bring it up. Afterwards you set up jib and whatnot.
>>>>>
>>>>> All works well if I use a dedicated secondary interface (let's call it
>>>>> em1). If I use em0 however I cannot ping the jail.
>>>>>
>>>>> I would like to have a host that has a single network interface which
>>>>> is used for both normal networking stuff as well as having the vnet jail
>>>>> run on it.
>>>>>
>>>>> Maybe I could create some sort of virtual interface and run vnet on it?
>>>>>
>>>>> Any ideas here? Thanks in advance!
>>>>>
>>>> Look at epair interfaces.
>>>>
>>>> You can put em0 and epair0a in a bridge together and add epair0b to the
>>>> vnet jail.
>>>> That gets the vnet jail connected to your LAN.
>>>>
>>>> Or you can skip the bridge, assign an IP to epair0a and route between
>>>> the jail and your LAN.
>>>>
>>>> Regards,
>>>> Kristof
>>>>
>>> Hi Kristof,
>>>
>>> Thanks for your reply!
>>>
>>> considering your first idea. I did this, the jail gets created seemingly
>>> fine. However I cannot ping the ip of epair0b (this works when using a
>>> dedicated interface).
>>> Also I cannot reach my gateway from within the jail. This too works when
>>> using a dedicated interface.
>>> Btw I have "sysctl security.jail.allow_raw_sockets=1".
>>> snip:
>>>
>> This is odd. Are you assigning a new MAC address to the epair interfaces
>> somewhere? Both ends of the epair seem to have a new MAC address, and
>> the same one at that.
>>
>> Regards,
>> Kristof
>>
>
> Not explicitly, no, I let the jib script do the epair creation.

To Arsenij Solovjev

For the record sure would like to see your jail.conf file where you set up
this non-dedicated vnet jail system.

I believe a non-dedicated vnet jail is for local access only. Is that correct?

The bridge setup is for public internet access? Is that correct?

To Kristof Provost

In your reply you said.
"Or you can skip the bridge, assign an IP to epair0a and route between
the jail and your LAN."
Please explain this statement. Route how?
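
Added example (not part of any message in this thread, and not the jib script): the question quoted above, whether the epair ends were given new or identical MAC addresses, can be checked mechanically from ifconfig output. The sh/awk function below reports every interface whose `ether` differs from its `hwaddr` and every MAC shared by more than one interface; the name `mac_audit`, the OVERRIDE/DUPLICATE report format, the `JAILNAME` placeholder and all sample interfaces and addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit ifconfig output for reassigned or duplicated MACs.
# mac_audit and its OVERRIDE/DUPLICATE report format are assumptions of
# this example, not part of FreeBSD or of the jib script.

# Constructed sample (not from the thread): host view followed by the
# jail view, in the ether/hwaddr layout that ifconfig prints.
sample_ifconfig() {
cat <<'EOF'
em0: flags=8943 metric 0 mtu 1500
        ether 02:00:00:aa:bb:01
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
em0bridge: flags=8843 metric 0 mtu 1500
        ether 02:00:00:aa:bb:02
        member: e0a_demo flags=143
        member: em0 flags=143
e0a_demo: flags=8943 metric 0 mtu 1500
        ether 02:00:00:cc:dd:10
        hwaddr 02:00:00:ee:ff:0a
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
e0b_demo: flags=8843 metric 0 mtu 1500
        ether 02:00:00:cc:dd:10
        hwaddr 02:00:00:ee:ff:0b
EOF
}

# Reads ifconfig output on stdin and prints one line per finding:
#   OVERRIDE  <iface> <ether> <hwaddr>   active MAC differs from hwaddr
#   DUPLICATE <mac> <iface,iface,...>    same active MAC on several interfaces
mac_audit() {
    awk '
        # "name: flags=..." opens an interface block; "member: em0 ..."
        # inside a bridge block does not, because $2 is not flags=.
        $1 ~ /:$/ && $2 ~ /^flags=/ {
            iface = substr($1, 1, length($1) - 1)
            order[++n] = iface
            next
        }
        iface != "" && $1 == "ether"  { ether[iface]  = tolower($2) }
        iface != "" && $1 == "hwaddr" { hwaddr[iface] = tolower($2) }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (!(name in ether)) continue   # e.g. lo0 has no MAC
                mac = ether[name]
                if ((name in hwaddr) && hwaddr[name] != mac)
                    print "OVERRIDE", name, mac, hwaddr[name]
                if (mac in users) users[mac] = users[mac] "," name
                else { users[mac] = name; macs[++m] = mac }
            }
            for (i = 1; i <= m; i++)
                if (users[macs[i]] ~ /,/)
                    print "DUPLICATE", macs[i], users[macs[i]]
        }
    '
}

# On a live host, feed it both views (JAILNAME is a placeholder):
#   { ifconfig; jexec JAILNAME ifconfig; } | mac_audit
sample_ifconfig | mac_audit
```

An OVERRIDE line by itself only shows that something reassigned the address; a DUPLICATE line across two interfaces attached to the same layer-2 segment is the condition worth chasing first.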

From owner-freebsd-jail@freebsd.org Wed Oct 14 15:42:08 2020
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 229968] jail can see other interfaces in linprocfs
Date: Wed, 14 Oct 2020 15:42:07 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229968

Edward Tomasz Napierala changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |247219

Referenced Bugs:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247219
[Bug 247219] Linuxulator umbrella ticket

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-jail@freebsd.org Wed Oct 14 19:53:48 2020
References: <3F8DAE0C-0EA1-40C5-9825-262F547E1954@FreeBSD.org> <5F8715ED.8020606@gmail.com>
In-Reply-To: <5F8715ED.8020606@gmail.com>
From: Arsenij Solovjev
Date: Wed, 14 Oct 2020 21:53:35 +0200
Subject: Re: vnet Jail on a non-dedicated network interface
To: Ernie Luzar
Cc: Kristof Provost, freebsd-jail@freebsd.org

Hi Ernie,

please consider the last block in my second email, that is the jail.conf
for the non-dedicated interface. The host runs all "normal" IP networking
on em0.

On Wed, 14 Oct 2020 at 17:14, Ernie Luzar wrote:

> Arsenij Solovjev wrote:
> > On Wed, 14 Oct 2020 at 15:41, Kristof Provost wrote:
> >
> >> On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote:
> >>> On Wed, 14 Oct 2020 at 14:42, Kristof Provost wrote:
> >>>
> >>>> On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote:
> >>>>> Hi all!
> >>>>> Does anybody know if it's possible to run a vnet jail on a non-dedicated
> >>>>> interface? I have the Lucas book on jails. In it he says that for vnet you
> >>>>> need to pick a dedicated interface, remove all networking IP configuration
> >>>>> and only bring it up. Afterwards you set up jib and whatnot.
> >>>>>
> >>>>> All works well if I use a dedicated secondary interface (let's call it
> >>>>> em1). If I use em0 however I cannot ping the jail.
> >>>>>
> >>>>> I would like to have a host that has a single network interface which
> >>>>> is used for both normal networking stuff as well as having the vnet jail
> >>>>> run on it.
> >>>>>
> >>>>> Maybe I could create some sort of virtual interface and run vnet on it?
> >>>>>
> >>>>> Any ideas here? Thanks in advance!
> >>>>>
> >>>> Look at epair interfaces.
> >>>>
> >>>> You can put em0 and epair0a in a bridge together and add epair0b to the
> >>>> vnet jail.
> >>>> That gets the vnet jail connected to your LAN.
> >>>>
> >>>> Or you can skip the bridge, assign an IP to epair0a and route between
> >>>> the jail and your LAN.
> >>>>
> >>>> Regards,
> >>>> Kristof
> >>>>
> >>> Hi Kristof,
> >>>
> >>> Thanks for your reply!
> >>>
> >>> considering your first idea. I did this, the jail gets created seemingly
> >>> fine. However I cannot ping the ip of epair0b (this works when using a
> >>> dedicated interface).
> >>> Also I cannot reach my gateway from within the jail. This too works when
> >>> using a dedicated interface.
> >>> Btw I have "sysctl security.jail.allow_raw_sockets=1".
> >>> snip:
>
> >>>
> >> This is odd. Are you assigning a new MAC address to the epair interfaces
> >> somewhere? Both ends of the epair seem to have a new MAC address, and
> >> the same one at that.
> >>
> >> Regards,
> >> Kristof
> >>
> >
> > Not explicitly, no, I let the jib script do the epair creation.
>
>
> To Arsenij Solovjev
>
> For the record sure would like to see your jail.conf file where you
> set up this non-dedicated vnet jail system.
>
> I believe a non-dedicated vnet jail is for local access only. Is that
> correct?
>
> The bridge setup is for public internet access? Is that correct?
>
>
> To Kristof Provost
>
> In your reply you said.
> "Or you can skip the bridge, assign an IP to epair0a and route between
> the jail and your LAN."
> Please explain this statement. Route how?
>