From owner-freebsd-net@FreeBSD.ORG Fri Oct 2 19:14:33 2009
From: Julian Elischer <julian@elischer.org>
Date: Fri, 02 Oct 2009 12:14:35 -0700
To: remodeler
Cc: freebsd-net@freebsd.org
Subject: Re: vimage-assigning interface to jail
Message-ID: <4AC6511B.2050508@elischer.org>
In-Reply-To: <20091002181509.M38849@alentogroup.org>
References: <20091001173851.M50386@alentogroup.org> <4AC4FD98.3000301@elischer.org> <20091002181509.M38849@alentogroup.org>

remodeler wrote:
> Thank you to Julian for his kind response on my original question. I have
> succeeded with the "jail [...] vnet [...]" syntax Julian suggested. I looked
> through the /etc/rc.d/jail script and discovered why I cannot start a vnet
> jail with the rc mechanism - the vnet parameter to jail requires the -c flag,
> and the /etc/rc.d/jail script uses alternate syntax precluding the -c flag
> (instead of named parameters, it uses the four fixed parameters of path,
> hostname, ip, and command).
>
> I wonder if someone might help with a problem I am unable to resolve. I have
> no network connectivity from the vnet jail. I have opened the jail completely
> up for testing, mounting the host devfs, procfs, allowing raw sockets, and
> setting socket_unixiproute_only=0. I get the error message:
>
> PING 192.168.0.16 (192.168.0.16): 56 data bytes
> ping: sendto: No route to host
>

you need to assign an interface to the jail, either a real one, or a
dummy one which connects to the main/base jail, where the packets can
be routed. The ifconfig command is used for this in both cases but
differently.

what do you see when you type 'ifconfig' and 'netstat -rn' in the jail?

> and
>
> vimage testvnet route get default
> route: writing to routing socket: No such process
>
> I've read some of Julian's work on implementing FIB's (multiple kernel routing
> tables) - do I need to create and bind a route table (and socket) to the vnet?
> How do I do so?
>

no you do not. The FIBs are all in a single jail. each jail comes with
its own completely separate set of FIBs.

> Also, I developed a local rc.d script that flexibly combines starting my
> vnet'd service jails and initiating the netgraph subsystem to bridge the
> virtual network stacks (jails) and physical ethernet interface using ng_ether,
> ng_eiface, and ng_bridge nodes. I intend to migrate the various security
> checks from /etc/rc.d/jail into my local script. That script uses a local
> configuration file with syntax similar to rc.conf for the jail values, but I
> don't see a clean way to load a netgraph configuration (and also notice there
> isn't a netgraph rc script, but examples for setting up local scripts). Is it
> a reasonable thought to parse a vizgraph dot file for netgraph configuration
> in my script?

not sure what that last one means :-)

there is no netgraph rc feature, because netgraph is expected to be
controlled by other facilities as an underlying method..

sorry I can't help more... time constraints..

> Thank you in advance.
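The interface assignment Julian's reply asks for, and a check on the `netstat -rn` output he asks to see, as an added example that is not from the thread and not from FreeBSD's own rc scripts. It assumes a host NIC named em0, a jail named testvnet rooted at /jails/testvnet, a jail address of 192.168.0.16/24 with gateway 192.168.0.1, and that the first ng_eiface node created is named ngeth0. It goes beyond the thread in covering two variants: an epair(4)/if_bridge pair, and the ng_ether/ng_bridge/ng_eiface bridge the poster describes. By default it only prints the command plan; it runs the privileged commands only with DO_RUN=1, and the sample routing tables at the bottom are constructed, not captured output.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: host NIC em0,
# jail "testvnet" rooted at /jails/testvnet, jail address 192.168.0.16/24
# with gateway 192.168.0.1, and that the first ng_eiface node gets ngeth0.
# Commands are printed as a reviewable plan and only executed with DO_RUN=1.

JAIL=${JAIL:-testvnet}
JROOT=${JROOT:-/jails/testvnet}
HOST_IF=${HOST_IF:-em0}
JAIL_ADDR=${JAIL_ADDR:-192.168.0.16/24}
JAIL_GW=${JAIL_GW:-192.168.0.1}

# run: echo the command; execute it only when DO_RUN=1 (needs root on the host).
run() {
    printf '%s\n' "$*"
    if [ "${DO_RUN:-0}" = 1 ]; then "$@"; fi
}

# plan_epair: epair(4) variant. epairNa stays on the host, bridged to HOST_IF
# with if_bridge; epairNb is moved into the jail's vnet with "ifconfig ... vnet",
# which is the interface assignment the reply asks for. $1 is the epair unit.
plan_epair() {
    unit=$1
    run jail -c vnet name="$JAIL" path="$JROOT" host.hostname="$JAIL" persist
    run ifconfig "epair$unit" create
    run ifconfig bridge0 create
    run ifconfig bridge0 addm "$HOST_IF" addm "epair${unit}a" up
    run ifconfig "epair${unit}a" up
    run ifconfig "epair${unit}b" vnet "$JAIL"
    run jexec "$JAIL" ifconfig "epair${unit}b" inet "$JAIL_ADDR"
    run jexec "$JAIL" route add default "$JAIL_GW"
}

# plan_netgraph: ng_ether/ng_bridge/ng_eiface variant, as in the poster's setup.
# HOST_IF's "lower" hook feeds link0 of a new bridge node, its "upper" hook
# link1 (so the host keeps its own connectivity), and an eiface node on link2
# yields ngeth0 (assumed name), which is then moved into the jail the same way.
plan_netgraph() {
    run kldload ng_ether ng_bridge ng_eiface
    run jail -c vnet name="$JAIL" path="$JROOT" host.hostname="$JAIL" persist
    run ngctl mkpeer "$HOST_IF:" bridge lower link0
    run ngctl name "$HOST_IF:lower" vbridge
    run ngctl connect "$HOST_IF:" vbridge: upper link1
    run ngctl mkpeer vbridge: eiface link2 ether
    run ifconfig ngeth0 vnet "$JAIL"
    run jexec "$JAIL" ifconfig ngeth0 inet "$JAIL_ADDR"
    run jexec "$JAIL" route add default "$JAIL_GW"
}

# has_default_route: read "jexec <jail> netstat -rn" output on stdin; succeed
# only if an IPv4 default route exists. Without one, pinging anything off the
# jail's own subnet fails exactly as "ping: sendto: No route to host".
has_default_route() {
    awk 'BEGIN { missing = 1 }
         $1 == "default" && $2 ~ /\./ { missing = 0 }
         END { exit missing }'
}

# Constructed sample tables (not real output) for testing the check offline.
SAMPLE_NO_ROUTE='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.0.0/24     link#2             U           0        0 epair0b'

SAMPLE_OK="$SAMPLE_NO_ROUTE
default            192.168.0.1        UGS         0        0 epair0b"

case "${1:-}" in
    epair)    plan_epair "${2:-0}" ;;
    netgraph) plan_netgraph ;;
    check)    if has_default_route; then echo "default route present"
              else echo "no default route: expect 'No route to host'"; fi ;;
    *)        : ;;  # no mode given: just define the functions (e.g. when sourced)
esac
```

Usage: `sh vnetjail.sh epair 0` or `sh vnetjail.sh netgraph` prints the plan; prefix with `DO_RUN=1` as root to apply it. `jexec testvnet netstat -rn | sh vnetjail.sh check` tells you whether the jail is missing the default route that produces the "No route to host" error in the thread. Both plans end by adding the default route inside the jail, since the jail's vnet has its own routing tables and inherits nothing from the host's.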