Date: Fri, 02 Oct 2009 12:14:35 -0700
From: Julian Elischer <julian@elischer.org>
To: remodeler <remodeler@alentogroup.org>
Cc: freebsd-net@freebsd.org
Subject: Re: vimage-assigning interface to jail
Message-ID: <4AC6511B.2050508@elischer.org>
In-Reply-To: <20091002181509.M38849@alentogroup.org>
References: <20091001173851.M50386@alentogroup.org> <4AC4FD98.3000301@elischer.org> <20091002181509.M38849@alentogroup.org>
remodeler wrote:
> Thank you to Julian for his kind response on my original question. I have
> succeeded with the "jail [...] vnet [...]" syntax Julian suggested. I looked
> through the /etc/rc.d/jail script and discovered why I cannot start a vnet
> jail with the rc mechanism - the vnet parameter to jail requires the -c flag,
> and the /etc/rc.d/jail script uses alternate syntax precluding the -c flag
> (instead of named parameters, it uses the four fixed parameters of path,
> hostname, ip, and command).
>
> I wonder if someone might help with a problem I am unable to resolve. I have
> no network connectivity from the vnet jail. I have opened the jail completely
> up for testing, mounting the host devfs, procfs, allowing raw sockets, and
> setting socket_unixiproute_only=0. I get the error message:
>
> PING 192.168.0.16 (192.168.0.16): 56 data bytes
> ping: sendto: No route to host
>

You need to assign an interface to the jail, either a real one, or a dummy
one which connects to the main/base jail, where the packets can be routed.
The ifconfig command is used for this in both cases but differently.
What do you see when you type 'ifconfig' and 'netstat -rn' in the jail?

> and
>
> vimage testvnet route get default
> route: writing to routing socket: No such process
>
> I've read some of Julian's work on implementing FIBs (multiple kernel routing
> tables) - do I need to create and bind a route table (and socket) to the vnet?
> How do I do so?
>

No you do not. The FIBs are all in a single jail. Each jail comes with its
own completely separate set of FIBs.

> Also, I developed a local rc.d script that flexibly combines starting my
> vnet'd service jails and initiating the netgraph subsystem to bridge the
> virtual network stacks (jails) and physical ethernet interface using ng_ether,
> ng_eiface, and ng_bridge nodes. I intend to migrate the various security
> checks from /etc/rc.d/jail into my local script.
>
> That script uses a local configuration file with syntax similar to rc.conf
> for the jail values, but I don't see a clean way to load a netgraph
> configuration (and also notice there isn't a netgraph rc script, but examples
> for setting up local scripts). Is it a reasonable thought to parse a vizgraph
> dot file for netgraph configuration in my script?

Not sure what that last one means :-)

There is no netgraph rc feature, because netgraph is expected to be
controlled by other facilities as an underlying method..

Sorry I can't help more... time constraints..

>
> Thank you in advance.
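The interface assignment Julian describes, written out as an added example (not from either poster): the jail is started with the "jail -c" named-parameter form, one end of an epair is moved into the jail's stack with ifconfig, and the host end is bridged to the physical NIC. It uses if_epair and if_bridge rather than the ng_eiface/ng_bridge setup remodeler describes; the jail name testvnet, root /jails/testvnet, NIC em0, address 192.168.0.20/24 and gateway 192.168.0.1 are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed values: jail "testvnet",
# root /jails/testvnet, host NIC em0, LAN 192.168.0.0/24, gateway 192.168.0.1.
# epair + if_bridge is used here instead of the poster's netgraph nodes.
set -eu

# Peer name of one end of an epair: epair0a <-> epair0b.
epair_peer() {
    case "$1" in
        *a) printf '%sb\n' "${1%a}" ;;
        *b) printf '%sa\n' "${1%b}" ;;
        *)  return 1 ;;
    esac
}

# jail(8) named parameters; "vnet" is only accepted with -c, which is why
# the four-argument form used by /etc/rc.d/jail cannot start this jail.
vnet_jail_args() {
    printf 'name=%s path=%s host.hostname=%s vnet persist\n' "$1" "$2" "$1"
}

setup_vnet_jail() {
    name=$1 root=$2 nic=$3 addr=$4 gw=$5
    # shellcheck disable=SC2046
    jail -c $(vnet_jail_args "$name" "$root")
    jid=$(jls -j "$name" jid)

    # Virtual cable: the "a" end stays in the host stack, the "b" end is
    # moved into the jail's own network stack.
    a=$(ifconfig epair create)          # prints e.g. epair0a
    b=$(epair_peer "$a")
    ifconfig "$a" up
    ifconfig "$b" vnet "$jid"

    # Bridge the host end with the physical NIC so the jail reaches the LAN.
    br=$(ifconfig bridge create)
    ifconfig "$br" addm "$nic" addm "$a" up

    # Address and default route belong to the jail's stack (its own FIBs),
    # so they are set from inside the jail.
    jexec "$jid" ifconfig "$b" inet "$addr" up
    jexec "$jid" route add default "$gw"

    # The two things Julian asked to see from inside the jail.
    jexec "$jid" ifconfig "$b"
    jexec "$jid" netstat -rn
}

# Only touches the system when run as: sh vnetjail.sh setup
if [ "${1:-}" = setup ]; then
    setup_vnet_jail testvnet /jails/testvnet em0 192.168.0.20/24 192.168.0.1
fi
```

Once the interface is in the jail, ifconfig inside it shows the epair end and netstat -rn shows the default route, and ping no longer reports "No route to host".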