Date: Wed, 23 Dec 2009 06:37:10 -0900
From: Mel Flynn <mel.flynn+fbsd.hackers@mailing.thruhere.net>
To: freebsd-hackers@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: Jail on 2 interfaces?
Message-ID: <200912230637.10093.mel.flynn%2Bfbsd.hackers@mailing.thruhere.net>
In-Reply-To: <20091223100943.T86040@maildrop.int.zabbadoz.net>
References: <200912221734.05795.mel.flynn%2Bfbsd.hackers@mailing.thruhere.net> <20091223100943.T86040@maildrop.int.zabbadoz.net>

On Wednesday 23 December 2009 01:19:23 Bjoern A. Zeeb wrote:
> On Tue, 22 Dec 2009, Mel Flynn wrote:
>
> Hi,
>
> first of all this would find more people to help on freebsd-jail as it
> has nothing to do with hackers ;-)

Yes, that was pretty braindead of me, especially since the intention was
questions@.

> > I don't see this documented in jail(8) nor rc(8) nor defaults/rc.conf, so
> > is it possible to have 2 IP's on 2 ethernet interfaces? And if so, is it
> > settable for rc(8)?
> >
> > The usage case is to have the same jailed proxy server on two separate
> > internal networks. Ideally, the proxy will use one address for outgoing,
> > so I guess I'll need a default route or dive into the squid config.
> >
> > At present I have:
> > ifconfig_bge0="inet 192.168.177.60 netmask 255.255.255.0"
> > ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
> > ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
> > jail_squid_rootdir="/usr/squid"
> > jail_squid_ip="192.168.177.62"
> > jail_squid_ip_multi0="192.168.176.62"
> > jail_squid_interface="bge0"
> >
> > But this created the IP on bge0 even though one exists on em0. Is it as
> > simple as not specifying the interface and add the 177.62 alias on bge0?
> > Ideally I'd have a jail_$jail_ip_multi$aliasno_interface="foo0", but my
> > main worry is that the jail infrastructure understands the routing
> > involved.
>
> From what you are writing I assume that you are on FreeBSD 7.2-Release
> or later; no official FreeBSD version before had supported
> multiple-IPs with a jail.

8.0-p3, yes.

> What it did was what you were asking for.

That's the problem.

>
> 1) either use ifconfig
> 2) or use jail + interfaces
> 3) but do not mix them (especially not overlapping)
>
> So I would suggest to do it like this:
>
> # Base system IPs.
> ifconfig_bge0="inet 192.168.177.60/24"
> ifconfig_em0="inet 192.168.176.60/24"
>
> jail_squid_rootdir="/usr/squid"
> # Either use:
> jail_squid_ip="bge0|192.168.177.62/32,em0|192.168.176.62/32"
> # or:
> jail_squid_ip="bge0|192.168.177.62/32"
> jail_squid_ip_multi0="em0|192.168.176.62/32"
>
> but do not use jail_squid_interface=".." as that will be a global
> default for that jail.

Is it a global *default* or a global? For example, could I specify:
jail_squid_interface="bge0"
jail_squid_ip="192.168.177.62/32"
jail_squid_ip_multi0="192.168.177.63/32"
jail_squid_ip_multi1="em0|192.168.177.62/32"

Below is a patch against HEAD to document the $interface|$ip syntax.
--
Mel

Index: etc/defaults/rc.conf =================================================================== --- etc/defaults/rc.conf (revision 200901) +++ etc/defaults/rc.conf (working copy) @@ -648,6 +648,7 @@ #jail_example_fib="0" # Routing table for setfib(1) #jail_example_ip="192.0.2.10,2001:db8::17" # Jail's primary IPv4 and IPv6 address #jail_example_ip_multi0="2001:db8::10" # and another IPv6 address +#jail_example_ip_multi1="em0|192.0.3.10/32" # and another IPv4 address on a specific interface #jail_example_exec_start="/bin/sh /etc/rc" # command to execute in jail for starting #jail_example_exec_afterstart0="/bin/sh command" # command to execute after the one for # starting the jail. More than one can be
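
Review bot: the address in the added `jail_example_ip_multi1` line, 192.0.3.10, lies outside the 192.0.2.0/24 documentation block that the `jail_example_ip` line two lines above it uses, so the sample refers to address space that is not reserved for examples; `em0|192.0.2.11/32` would keep it inside that block. The new comment could also state that the `interface|` prefix is accepted in `jail_example_ip` as well, which is the form suggested earlier in this thread, because the hunk shows the syntax only on an `_ip_multi` line and leaves open how it combines with a per-jail interface setting.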
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200912230637.10093.mel.flynn%2Bfbsd.hackers>
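
The "do not mix them (especially not overlapping)" rule from the reply can be checked mechanically. The script below is an added example, not part of the thread or of FreeBSD's rc scripts: a hypothetical sh lint (the names `jail_pairs` and `find_overlaps` are invented here) run over a constructed copy of the "At present I have" settings; it compares addresses textually and assumes nothing about how rc.d/jail itself behaves.

```shell
#!/bin/sh
# Constructed sample: the "At present I have" settings quoted in the message.
SAMPLE='ifconfig_bge0="inet 192.168.177.60 netmask 255.255.255.0"
ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
jail_squid_ip="192.168.177.62"
jail_squid_ip_multi0="192.168.176.62"
jail_squid_interface="bge0"'

# jail_pairs DEFAULT_IF SPEC: print "iface addr" for every entry of a
# comma-separated jail_*_ip value; entries are "addr" or "iface|addr",
# and an optional /prefix is dropped so addresses compare equal.
jail_pairs() {
    _def=${1:--}
    _old_ifs=$IFS; IFS=,
    for _e in $2; do
        case $_e in
            *\|*) echo "${_e%%|*} ${_e#*|}" ;;
            *)    echo "$_def $_e" ;;
        esac
    done | sed 's|/[0-9]*$||'
    IFS=$_old_ifs
}

# find_overlaps: read rc.conf-style lines on stdin and report every address
# that is set through ifconfig_* and is also handed to a jail.
find_overlaps() {
    _text=$(cat)
    _host=$(printf '%s\n' "$_text" |
        sed -n 's|^\(ifconfig_[A-Za-z0-9_]*\)="inet \([^ /"]*\).*|\1 \2|p')
    printf '%s\n' "$_text" |
    sed -n 's/^jail_\([a-z0-9]*\)_ip\(_multi[0-9]*\)\{0,1\}="\(.*\)"$/\1 \3/p' |
    while read -r _jail _spec; do
        _def=$(printf '%s\n' "$_text" |
            sed -n "s/^jail_${_jail}_interface=\"\(.*\)\"\$/\1/p")
        jail_pairs "$_def" "$_spec" | while read -r _if _addr; do
            printf '%s\n' "$_host" | while read -r _var _haddr; do
                if [ "$_addr" = "$_haddr" ]; then
                    echo "$_addr: $_var and jail $_jail ($_if)"
                fi
            done
        done
    done
}

printf '%s\n' "$SAMPLE" | find_overlaps
```

Run against the layout suggested in the reply (base addresses only in `ifconfig_*`, jail addresses only as `iface|addr/32`), the same check reports nothing.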