From owner-freebsd-jail@freebsd.org Wed Oct 14 13:52:10 2020
From: Arsenij Solovjev
Date: Wed, 14 Oct 2020 15:51:57 +0200
Subject: Re: vnet Jail on a non-dedicated network interface
To: Kristof Provost
Cc: freebsd-jail@freebsd.org
List-Id: "Discussion about FreeBSD jail(8)"

On Wed, 14 Oct 2020 at 15:41, Kristof Provost wrote:
> On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote:
> > On Wed, 14 Oct 2020 at 14:42, Kristof Provost wrote:
> >
> >> On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote:
> >>> Hi all!
> >>> Does anybody know if it's possible to run a vnet jail on a
> >>> non-dedicated interface? I have the Lucas book on jails. In it he
> >>> says that for vnet you need to pick a dedicated interface, remove
> >>> all networking IP configuration and only bring it up. Afterwards
> >>> you set up jib and whatnot.
> >>>
> >>> All works well if I use a dedicated secondary interface (let's call
> >>> it em1). If I use em0 however I cannot ping the jail.
> >>>
> >>> I would like to have a host that has a single network interface
> >>> which is used for both normal networking stuff as well as having
> >>> the vnet jail run on it.
> >>>
> >>> Maybe I could create some sort of virtual interface and run vnet on
> >>> it?
> >>>
> >>> Any ideas here? Thanks in advance!
> >>>
> >> Look at epair interfaces.
> >>
> >> You can put em0 and epair0a in a bridge together and add epair0b to
> >> the vnet jail.
> >> That gets the vnet jail connected to your LAN.
> >>
> >> Or you can skip the bridge, assign an IP to epair0a and route between
> >> the jail and your LAN.
> >>
> >> Regards,
> >> Kristof
> >>
> >
> > Hi Kristof,
> >
> > Thanks for your reply!
> >
> > Considering your first idea: I did this, the jail gets created
> > seemingly fine. However I cannot ping the IP of epair0b (this works
> > when using a dedicated interface).
> > Also I cannot reach my gateway from within the jail. This too works
> > when using a dedicated interface.
> > Btw I have "sysctl security.jail.allow_raw_sockets=1".
> > Here is my host ifconfig when putting em0 and epair0a in a bridge:
> >
> > em0: flags=8943 metric 0 mtu 1500
> >         options=812099
> >         ether 9a:4c:eb:b5:95:bf
> >         inet 172.18.20.145 netmask 0xffffff00 broadcast 172.18.20.255
> >         media: Ethernet autoselect (1000baseT )
> >         status: active
> >         nd6 options=29
> > jailether: flags=8843 metric 0 mtu 1500
> >         options=81209b
> >         ether 56:39:b7:c5:2e:ec
> >         media: Ethernet autoselect (1000baseT )
> >         status: active
> >         nd6 options=29
> > lo0: flags=8049 metric 0 mtu 16384
> >         options=680003
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> >         inet 127.0.0.1 netmask 0xff000000
> >         inet 10.43.84.1 netmask 0xffffff00
> >         groups: lo
> >         nd6 options=21
> > em0bridge: flags=8843 metric 0 mtu 1500
> >         ether 02:13:0b:48:53:00
> >         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> >         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> >         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> >         member: e0a_sambaad flags=143
> >                 ifmaxaddr 0 port 5 priority 128 path cost 2000
> >         member: em0 flags=143
> >                 ifmaxaddr 0 port 1 priority 128 path cost 20000
> >         groups: bridge
> >         nd6 options=1
> > e0a_sambaad: flags=8943 metric 0 mtu 1500
> >         options=8
> >         ether 02:a4:c4:b5:95:bf
> >         hwaddr 02:78:fd:34:e8:0a
> >         groups: epair
> >         media: Ethernet 10Gbase-T (10Gbase-T )
> >         status: active
> >         nd6 options=29
> >
> > Here's the ifconfig from within my jail:
> >
> > lo0: flags=8049 metric 0 mtu 16384
> >         options=680003
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
> >         inet 127.0.0.1 netmask 0xff000000
> >         groups: lo
> >         nd6 options=21
> > e0b_sambaad: flags=8843 metric 0 mtu 1500
> >         options=8
> >         ether 0e:a4:c4:b5:95:bf
> >         hwaddr 02:78:fd:34:e8:0b
>
> This is odd. Are you assigning a new MAC address to the epair interfaces
> somewhere? Both ends of the epair seem to have a new MAC address, and
> the same one at that.
>
> Regards,
> Kristof

Not explicitly, no, I let the jib script do the epair creation.
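The bridge-plus-epair layout Kristof suggests, written out as one script, plus the check his last question calls for. This is an added example and is not code from the thread, from jib, or from the Lucas book. The host NIC em0, the bridge name em0bridge, the jail name sambaad, its path /jails/sambaad, the jail address 172.18.20.146/24 and the gateway 172.18.20.1 are assumptions; the host address 172.18.20.145/24 is the one in the listing above. Two design choices differ from the thread's setup: the host address is moved from em0 onto the bridge, so no bridge member carries an IPv4 address, and the epair is created with a fixed unit (epair0) so both ends have predictable names before they are renamed jib-style. `epair_macs_differ` parses ifconfig output for the two ends and succeeds only when their `ether` addresses differ; against the listing quoted above it reports them as distinct (02:a4:c4:b5:95:bf on the host side, 0e:a4:c4:b5:95:bf in the jail), and the separate `hwaddr` line is what ifconfig prints once an address has been set on an interface, as the jib example script does for the epair ends it creates.

```shell
#!/bin/sh
# Added example, not the thread's or jib's code. Builds:
#   em0bridge <- em0 + e0a_<jail>      (host side, carries the host address)
#   e0b_<jail>                          (moved into the vnet jail)
# Names, addresses and the jail path are assumptions (see lead-in).
#
# With DRY_RUN non-empty (the default) every privileged command is printed
# instead of executed, so the script can be read and tested off-box.
# Run with DRY_RUN= as root on the FreeBSD host to apply it.
DRY_RUN=${DRY_RUN-1}

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Arguments: jail name, host NIC, bridge name, host addr/prefix,
#            jail addr/prefix, default gateway for the jail.
setup_jail_net() {
    jname=$1; nic=$2; br=$3; host_cidr=$4; jail_cidr=$5; gw=$6

    # Bridge: created as bridge0 (assumed free) and renamed, like jib does.
    run ifconfig bridge0 create
    run ifconfig bridge0 name "$br"

    # Take the address off the NIC and put it on the bridge instead, so the
    # bridge member carries no IPv4 address of its own.
    run ifconfig "$nic" inet "${host_cidr%/*}" -alias
    run ifconfig "$nic" up
    run ifconfig "$br" addm "$nic" inet "$host_cidr" up

    # Fixed-unit epair so both ends have known names, then jib-style names.
    run ifconfig epair0 create
    run ifconfig epair0a name "e0a_$jname"
    run ifconfig epair0b name "e0b_$jname"
    run ifconfig "$br" addm "e0a_$jname"
    run ifconfig "e0a_$jname" up

    # vnet.interface= moves e0b_<jail> into the jail's own network stack;
    # the address and route are then configured from inside the jail.
    run jail -c "name=$jname" "path=/jails/$jname" "host.hostname=$jname" \
        vnet "vnet.interface=e0b_$jname" persist
    run jexec "$jname" ifconfig "e0b_$jname" inet "$jail_cidr" up
    run jexec "$jname" route add default "$gw"
}

# Succeeds only when the two epair ends, given as ifconfig(8) output for one
# interface each, report different "ether" addresses. On a live host:
#   epair_macs_differ "$(ifconfig e0a_sambaad)" \
#                     "$(jexec sambaad ifconfig e0b_sambaad)"
epair_macs_differ() {
    mac_a=$(printf '%s\n' "$1" | awk '$1 == "ether" { print $2; exit }')
    mac_b=$(printf '%s\n' "$2" | awk '$1 == "ether" { print $2; exit }')
    [ -n "$mac_a" ] && [ -n "$mac_b" ] && [ "$mac_a" != "$mac_b" ]
}

# Constructed sample input, taken from the ifconfig listings in the thread.
SAMPLE_A='e0a_sambaad: flags=8943 metric 0 mtu 1500
        ether 02:a4:c4:b5:95:bf
        hwaddr 02:78:fd:34:e8:0a'
SAMPLE_B='e0b_sambaad: flags=8843 metric 0 mtu 1500
        ether 0e:a4:c4:b5:95:bf
        hwaddr 02:78:fd:34:e8:0b'

# Stand-alone demo: print the command sequence, then run the MAC check.
setup_jail_net sambaad em0 em0bridge 172.18.20.145/24 172.18.20.146/24 172.18.20.1
if epair_macs_differ "$SAMPLE_A" "$SAMPLE_B"; then
    echo "epair ends have distinct MACs"
else
    echo "epair ends share a MAC (or an ether line is missing)"
fi
```

If the jail still cannot reach the gateway after this, the next things to compare are the bridge's member list (`ifconfig em0bridge` should show both em0 and e0a_sambaad), whether the host address really left em0, and any pf or ipfw rules that match on em0 rather than on the bridge.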