Message-ID: <5EFBD910.7040909@gmail.com>
Date: Tue, 30 Jun 2020 20:30:08 -0400
From: Ernie Luzar <luzar722@gmail.com>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
To: JÁKÓ András
CC: David Mehler, freebsd-jail
Subject: Re: FreeBSD 12.1, vnet jail, and internet access
References: <20200627204831.GC77414@eik.bme.hu> <20200627213730.GE77414@eik.bme.hu> <5EF8F034.4040705@gmail.com> <20200629084150.GC65151@eik.bme.hu>
In-Reply-To: <20200629084150.GC65151@eik.bme.hu>
List-Id: Discussion about FreeBSD jail(8)

JÁKÓ András wrote:
>>>> I was under the impression that the two stacks were separate?
>>> They are. But I don't think your ISP knows anything about your private
>>> subnet, so they won't send IP packets with your private destination
>>> address to you. And most probably they won't accept IP packets with your
>>> private source address from you. So you have to translate these private
>>> addresses if you want your ISP (and others) to forward them.
>>>
>>>> Should I nat on the bridge or epair?
>>> On the bridge, I guess.
>>>
>> Have 2 questions.
>>
>> If there were no ip addresses on the bridge and the epair0b in the vnet jail
>> would packets pass out the bridge member external interface?
>
> It's a 802.1 bridge, it can pass frames to the external interface
> (according to its MAC address table).
>
>> How would I setup a public domain name to target the vnet jail?
>
> A public domain name should point to a public IP address.
> If your jail's IP address is a private one, and you do NAT, then use your
> public IP address (the one that is translated to the jail's private
> address). If you have a public address in the jail and you don't use
> address translation, then use the jail's public IP address in the DNS.
>
> András
>

I think I have determined what you're talking about. All the vnet literature
talks about a vnet jail having its own separate ip stack. I interpreted this
to mean that the vnet jail's stack was connected directly to the
epair0b / bridge0 / host external interface WITHOUT the host's firewall
knowing anything about that vnet traffic. Now for the first time I hear you
saying that this is not correct. That all external interface traffic passes
through the host's firewall, including vnet traffic, before it's handed off
to the vnet stack.

I am running FBSD 12.1-p6 on real hardware. em0 is the host interface
connected to the public network with a dynamic ip address by DHCP.

To populate my working vnet jail directory tree I did this.

  # download the base.txz file to the host, into the directory it is
  # unpacked from below
  mkdir -p /usr/jails/jailname
  cd /usr/jails
  fetch -avrA http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/12.1-RELEASE/base.txz

  # unpack base.txz to directory tree (tar decompresses the xz stream itself)
  tar --unlink -xpJf base.txz -C /usr/jails/jailname

  # prep jail directory
  cp /etc/localtime jailname/etc
  cp /etc/resolv.conf jailname/etc
  echo 'sendmail_enable="none"'          >  jailname/etc/rc.conf
  echo 'sendmail_submit_enable="none"'   >> jailname/etc/rc.conf
  echo 'sendmail_outbound_enable="none"' >> jailname/etc/rc.conf
  echo 'sendmail_msp_queue_enable="none"' >> jailname/etc/rc.conf

/etc/jail.conf

  #
  # Using manual command method FBSD 12.1
  # with assigned ip address for epairb and bridge.
  # start and stop vnet jail works without crashing the host because
  # of the embedded sleep commands that work around the teardown bug that
  # is now fixed in soon to be released FBSD 13.
  # From within the vnet jail can ping the bridge private ip,
  # host public ip and the public internet.
  #   ping -c 2 1.1.1.1     0% packet loss
  #
  # Very important detail: host firewall must NAT the private
  # ip addresses used.
  #
  # Issue the following console commands to prep the bridge instead of
  #   cloned_interfaces="bridge0"
  #   ifconfig_bridge0="inet 10.0.100.1/24 addm em0 up"
  # in rc.conf
  #
  #   ifconfig bridge0 create up
  #   ifconfig bridge0 inet 10.0.100.1/24 addm em0
  #
  # using native jail command for start and stop of vnet jail
  # -v = verbose, outputs log of what start process is really doing
  #   jail -vc jailname   to start
  #   jail -vr jailname   to stop
  # service jail [start stop] jailname works also.
  #
  #   jexec jailname login -f root   to login to the vnet jail from host
  #
  testjail {
    host.hostname = "vnet_testjail";
    path = "/usr/jails/testjail";
    exec.consolelog = "/var/log/vnet_testjail.console.log";
    mount.devfs = "true";
    devfs_ruleset = "4";
    vnet = "new";
    vnet.interface = "epair1b";
    exec.prestart = "ifconfig epair1 create up";
    exec.prestart += "ifconfig bridge0 addm epair1a";
    exec.start = "/bin/sh /etc/rc";
    exec.start += "ifconfig epair1b inet 10.0.100.55 netmask 255.255.255.0";
    exec.start += "route add default 10.0.100.1";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "sleep 2";
    exec.poststop += "ifconfig bridge0 deletem epair1a";
    exec.poststop += "sleep 2";
    exec.poststop += "ifconfig epair1a destroy";
  }

Now to get back to your post statement that an 802.1 bridge can pass frames
to the external interface according to its MAC address table. I interpreted
this to mean that ip addresses are not needed in the jail.conf jail
definitions to accomplish this. I think that what you are talking about is
the jib method shown in /usr/share/examples/jails. I have tried getting this
jib method to work many times without any success. There is no bridge to
begin with because jib will create it on the first vnet jail being started.
This is the jail.conf I tried.

  testjail2 {
    host.hostname = "vnet_testjail2";
    path = "/usr/jails/testjail2";
    exec.consolelog = "/var/log/vnet_testjail2.console.log";
    mount.devfs = "true";
    devfs_ruleset = "4";
    vnet = "new";
    vnet.interface = "e0b_testjail2";
    exec.prestart = "jib addm testjail2 em0";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "jib destroy testjail2";
  }

I can start and stop this jib jail, but when I log in to this vnet jail and
issue ping -c2 1.1.1.1 I get this message:

  ping: sendto: Network is unreachable.

What changes to the above jib vnet jail config are needed to make it a
MAC-address-driven vnet jail?

Thanks for the info you have already provided and for your continued help.
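Added example, not part of the thread and not code posted by Ernie or András: a minimal pf(4) ruleset for the host that does the translation the message above says the host firewall must do for the first (testjail) setup. It assumes pf is the host firewall (the thread never says which one is in use), that em0 is the public interface with its DHCP address, that bridge0 holds 10.0.100.1/24 with em0 and epair1a as members, and that the jail uses 10.0.100.55, all taken from the jail.conf above; the interface list in the pass-in rule is an assumption about where the jail's frames are run through pf.

```pf
# /etc/pf.conf on the host (added example, not from the thread).
# Assumed layout, matching the testjail definition above:
#   em0      public interface, address from DHCP
#   bridge0  10.0.100.1/24, members em0 and epair1a
#   jail     10.0.100.55 on epair1b, default route 10.0.100.1
ext_if   = "em0"
jail_net = "10.0.100.0/24"

# Translate the jail's private source address to whatever address em0
# currently holds. The parentheses make pf re-read em0's address at match
# time, so the rule keeps working after a DHCP lease change instead of
# translating to a stale address.
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# The jail's packets reach the host stack on bridge0 and, when
# net.link.bridge.pfil_member is 1, also on the member epair1a (assumption:
# adjust the list to what "pfctl -s state" shows on your host).
pass in quick on { bridge0 epair1a } inet from $jail_net to any keep state

# Translation happens before filtering, so outbound the jail's packets
# already carry em0's own address; filter them as host traffic.
pass out quick on $ext_if inet keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pf_enable="YES"` and `gateway_enable="YES"` belong in the host's /etc/rc.conf, because without IP forwarding the host discards the jail's packets rather than routing them to em0. While pinging from the jail, `pfctl -s nat` shows the translation rule and `pfctl -s state` shows the translated states, and `sysctl net.link.bridge` shows the pfil_member and pfil_bridge settings that decide whether bridge members and the bridge itself are passed through pf at all, which is the mechanism behind the point András makes about the host firewall seeing vnet traffic. This ruleset does not address the jib variant's `ping: sendto: Network is unreachable`: that error means the jail's own routing table has no route covering 1.1.1.1, which no rule on the host can change.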