Date: Wed, 10 Dec 2025 16:05:36 +0100
From: Michael Gmelin <grembo@freebsd.org>
To: Anthony Pankov <anthony.pankov@yahoo.com>
Cc: freebsd-jail@freebsd.org
Subject: Re: shared (between jails) local host interface
Message-ID: <137D79EC-A1CA-4185-AB50-7E2EAEBE5E3A@freebsd.org>
In-Reply-To: <2397748.20251210141029@yahoo.com>
References: <2397748.20251210141029@yahoo.com>
> On 10. Dec 2025, at 12:09, Anthony Pankov <anthony.pankov@yahoo.com> wrote:
>
> Hello,
>
> I'm again facing the problem of providing a host-wide interface to all jails on a host.
> I want (for example) a jail with unbound (DNS resolver/cacher) inside, bound to a host-wide interface. The host-wide interface has a well-known address (IPv6 1::1/128, for example).
> All other jails simply put "nameserver 1::1" in their resolv.conf.
>
> The problem is that jails can't share one IP address ("address clashes") and can't "inherit" one interface only. Inheriting is for the whole network, as I see it.
>
> Maybe someone has some suggestions?
>
>
> P.S. Some time ago I solved this in a not very clean manner by supplying its own loopback interface and a unique address (127.0.X.1) to every jail on a host. Then the jail with unbound binds to its 127.0.U.1, and the other jails must set "nameserver 127.0.U.1". This solution has administrative problems because of the dynamic nature of the addresses (127.0.X.1). Things get worse if jails are transferred to a different host.
>
>
The way this is usually accomplished is:
- use vnet jails, connect them to a bridge on the jailhost, make DNS listen to the bridge’s IP or
- make DNS listen on an IP reachable from within the jail and firewall off access from other sources on your network (in this case no vnet is required)
There are also hacks (at least with IPv4) where you can have a rdr rule in pf.conf that redirects dns traffic originating from your jail to your dns server listening to 127.0.0.1. Think `rdr proto udp from $jailip to 1.2.3.4 port 53 -> 127.0.0.1`.
Sharing localhost among many jails isn’t really desirable unless you have very compelling reasons (reaching a dns server doesn’t seem one of them to me, but I don’t know the details of your setup).
Cheers
Michael
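A pf.conf fragment showing the two non-vnet options from the reply side by side: the rdr hack that pulls jail DNS traffic to a resolver on 127.0.0.1, and the filter rules that expose a resolver on a host address to the jails only. This is an added example, not part of the thread; the interface name and all addresses are assumptions.

```pf
# Added example, not from the original thread.
# Assumed names: em0 is the jail host's interface; 192.0.2.0/24 is documentation space.
ext_if = "em0"
dns_ip = "192.0.2.10"                   # assumed host alias that unbound listens on
jails  = "{ 192.0.2.11, 192.0.2.12 }"   # assumed addresses of the non-vnet jails

# Option 1 (the "hack" from the reply): whatever resolver address a jail uses,
# redirect its DNS queries to unbound bound to the host's 127.0.0.1.
# Mirrors the reply's rule; "pass" lets the redirected packets skip filtering.
rdr pass proto { tcp, udp } from $jails to any port 53 -> 127.0.0.1 port 53

# Option 2 (listen on a host IP and firewall it off): unbound listens on
# $dns_ip; only the jail addresses may reach port 53 there. Last match wins,
# so the block rule is the default and the pass rule carves out the jails.
block in on $ext_if proto { tcp, udp } to $dns_ip port 53
pass  in on $ext_if proto { tcp, udp } from $jails to $dns_ip port 53
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; pick one option rather than using both at once.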
