Date: Tue, 30 Jun 2020 20:30:08 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: JÁKÓ András <jako.andras@eik.bme.hu>
Cc: David Mehler <dave.mehler@gmail.com>, freebsd-jail <freebsd-jail@freebsd.org>
Subject: Re: FreeBSD 12.1, vnet jail, and internet access
Message-ID: <5EFBD910.7040909@gmail.com>
In-Reply-To: <20200629084150.GC65151@eik.bme.hu>
References: <CAPORhP7mU=4gMYWhkLPK-Sdyxcuhry4YTM+-vXOs27qeAc2a2Q@mail.gmail.com> <20200627204831.GC77414@eik.bme.hu> <CAPORhP4XmmT+2ZcDazZVAguBPAG2qYQaWFGWE73Sdgfk3htRVA@mail.gmail.com> <20200627213730.GE77414@eik.bme.hu> <5EF8F034.4040705@gmail.com> <20200629084150.GC65151@eik.bme.hu>
JÁKÓ András wrote:
>>>> I was under the impression that the two stacks were separate?
>>> They are. But I don't think your ISP knows anything about your private
>>> subnet, so they won't send IP packets with your private destination
>>> address to you. And most probably they won't accept IP packets with your
>>> private source address from you. So you have to translate these private
>>> addresses if you want your ISP (and others) to forward them.
>>>
>>>> Should I nat on the bridge or epair?
>>> On the bridge, I guess.
>>>
>> Have 2 questions.
>>
>> If there were no ip addresses on the bridge and the epair0b in the vnet jail
>> would packets pass out the bridge member external interface?
>
> It's an 802.1 bridge, it can pass frames to the external interface
> (according to its MAC address table).
>
>> How would I set up a public domain name to target the vnet jail?
>
> A public domain name should point to a public IP address. If your jail's
> IP address is a private one, and you do NAT, then use your public IP
> address (the one that is translated to the jail's private address). If
> you have a public address in the jail and you don't use address
> translation, then use the jail's public IP address in the DNS.
>
> András
>

I think I have determined what you're talking about. All the vnet literature talks about a vnet jail having its own separate ip stack. I interpreted this to mean that the vnet jail's stack was connected directly to the epair0b / bridge0 / host external interface WITHOUT the host's firewall knowing anything about that vnet traffic. Now for the first time I hear you saying that this is not correct. That all external interface traffic passes through the host's firewall, including vnet traffic, before it's handed off to the vnet stack.

I am running FBSD 12.1-p6 on real hardware. em0 is the host interface connected to the public network with a dynamic ip address by DHCP. To populate my working vnet jail directory tree I did this.
# download the base.txz file to the host
cd /usr
fetch -avrA http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/12.1-RELEASE/base.txz

# unpack base.txz to directory tree
# (base.txz was fetched into /usr above; xzdec already decompresses, so tar
# reads a plain tar stream from stdin)
mkdir -p /usr/jails/jailname
cd /usr/jails
xzdec /usr/base.txz | tar --unlink -xpf - -C /usr/jails/jailname

# prep jail directory
# (single quotes so the double quotes reach rc.conf intact)
cp /etc/localtime jailname/etc
cp /etc/resolv.conf jailname/etc
echo 'sendmail_enable="none"' > jailname/etc/rc.conf
echo 'sendmail_submit_enable="none"' >> jailname/etc/rc.conf
echo 'sendmail_outbound_enable="none"' >> jailname/etc/rc.conf
echo 'sendmail_msp_queue_enable="none"' >> jailname/etc/rc.conf

/etc/jail.conf
#
# Using manual command method FBSD 12.1
# with assigned ip address for epairb and bridge.
# start and stop vnet jail works without crashing the host because
# of the embedded sleep commands that work around the teardown bug that
# is now fixed in soon to be released FBSD 13.
# From within the vnet jail can ping the bridge private ip,
# host public ip and the public internet.
#   ping -c 2 1.1.1.1    0% packet loss
#
# Very important detail; host firewall must NAT the private
# ip addresses used.
#
# Issue the following console commands to prep the bridge instead of
#   cloned_interfaces="bridge0"
#   ifconfig_bridge0="inet 10.0.100.1/24 addm em0 up"
# in rc.conf
#
#   ifconfig bridge0 create up
#   ifconfig bridge0 inet 10.0.100.1/24 addm em0
#
# using native jail command for start and stop of vnet jail
# -v = verbose outputs log of what start process is really doing
#   jail -vc jailname    to start
#   jail -vr jailname    to stop
# service jail [start stop] jailname works also.
#
#   jexec jailname login -f root    to login to the vnet jail from host
#
testjail {
  host.hostname = "vnet_testjail";
  path = "/usr/jails/testjail";
  exec.consolelog = "/var/log/vnet_testjail.console.log";
  mount.devfs = "true";
  devfs_ruleset = "4";
  vnet = "new";
  vnet.interface = "epair1b";
  exec.prestart = "ifconfig epair1 create up";
  exec.prestart += "ifconfig bridge0 addm epair1a";
  exec.start = "/bin/sh /etc/rc";
  exec.start += "ifconfig epair1b inet 10.0.100.55 netmask 255.255.255.0";
  exec.start += "route add default 10.0.100.1";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.poststop = "sleep 2";
  exec.poststop += "ifconfig bridge0 deletem epair1a";
  exec.poststop += "sleep 2";
  exec.poststop += "ifconfig epair1a destroy";
}

Now to get back to your post statement that an 802.1 bridge can pass frames to the external interface according to its MAC address table. I interpreted this to mean that ip addresses are not needed in the jail.conf jail definitions to accomplish this. I think that what you are talking about is the jib method shown in /usr/share/examples/jails. I have tried getting this jib method to work many times without any success. There is no bridge to begin with because jib will create it on the first vnet jail being started. This is the jail.conf I tried.

testjail2 {
  host.hostname = "vnet_testjail2";
  path = "/usr/jails/testjail2";
  exec.consolelog = "/var/log/vnet_testjail2.console.log";
  mount.devfs = "true";
  devfs_ruleset = "4";
  vnet = "new";
  vnet.interface = "e0b_testjail2";
  exec.prestart = "jib addm testjail2 em0";
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.poststop = "jib destroy testjail2";
}

I can start and stop this jib jail, but when I log in to this vnet jail and issue ping -c2 1.1.1.1 I get this message: ping: sendto: Network is unreachable.

What changes to the above jib vnet jail config are needed to make it a MAC-address-driven vnet jail?

Thanks for the info you have already provided and for your continued help.
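The message above stresses that the host firewall must NAT the jail's private addresses, but the thread never shows that rule. The fragment below is an added example and is not part of this thread or the author's configuration. It assumes pf is the host firewall (the message does not say which firewall is in use), reuses em0 and 10.0.100.0/24 from the testjail definition, and assumes IP forwarding is enabled on the host so that packets routed from bridge0 (10.0.100.1) can leave on em0.

```pf
# --- /etc/rc.conf on the host (assumed, not from the thread) ---
# gateway_enable="YES"   # sets net.inet.ip.forwarding=1: the host routes
#                        # between bridge0 (10.0.100.1) and em0
# pf_enable="YES"

# --- /etc/pf.conf on the host (added example) ---
ext_if   = "em0"            # public interface, dynamic address via DHCP
jail_net = "10.0.100.0/24"  # private subnet on bridge0 / epair1b

# Translate the jail's private source address to em0's current address.
# "($ext_if)" in parentheses is re-evaluated when the address changes,
# which is what you want when em0 is configured by DHCP.
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# NAT is applied before the filter rules, so on em0 the filter stage sees
# the translated packet (source = host address), not 10.0.100.0/24.
# Because vnet traffic crosses this ruleset on its way out em0, the
# jail is subject to the same outbound policy as the host itself.
pass out on $ext_if inet from ($ext_if) to any keep state
```

Without the nat rule the ISP receives packets with a 10.0.100.x source it has no route back to, which matches the symptom András describes. A further check after reloading with `pfctl -f /etc/pf.conf` is `pfctl -s nat` on the host, which should list the translation rule, and `pfctl -s state` while pinging from inside the jail, which should show the 10.0.100.55 -> em0-address mapping.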
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5EFBD910.7040909>