Date: Wed, 01 Jul 2020 09:02:52 +0200
From: Alexander Leidinger <Alexander@leidinger.net>
To: Dan Langille <dan@langille.org>, luzar722@gmail.com
Cc: Alexander Leidinger via freebsd-jail <freebsd-jail@freebsd.org>
Subject: Re: FreeBSD 12.1, vnet jail, and internet access
Message-ID: <20200701090252.Horde.mi_2CHy8fPTbshXGR4iLyBE@webmail.leidinger.net>
In-Reply-To: <c15d53c8-ddc8-408e-bd04-400b6f2ba3f7@www.fastmail.com>
References: <CAPORhP7mU=4gMYWhkLPK-Sdyxcuhry4YTM+-vXOs27qeAc2a2Q@mail.gmail.com> <20200627204831.GC77414@eik.bme.hu> <CAPORhP4XmmT+2ZcDazZVAguBPAG2qYQaWFGWE73Sdgfk3htRVA@mail.gmail.com> <20200627213730.GE77414@eik.bme.hu> <5EF8F034.4040705@gmail.com> <20200629084150.GC65151@eik.bme.hu> <5EFBD910.7040909@gmail.com> <c15d53c8-ddc8-408e-bd04-400b6f2ba3f7@www.fastmail.com>
Quoting Dan Langille <dan@langille.org> (from Tue, 30 Jun 2020 21:02:24 -0400):

> On Tue, Jun 30, 2020, at 8:30 PM, Ernie Luzar wrote:
>
>> I think I have determined what you're talking about. All the vnet
>> literature talks about a vnet jail having its own separate IP stack. I
>> interpreted this to mean that the vnet jail's stack was connected
>> directly to the epair0b / bridge0 / host external interface WITHOUT the
>> host's firewall knowing anything about that vnet traffic.
>
> FYI, you are not alone. I have tried to get this working.
>
> A colleague too. We are not novices.
>
> When we get this figured out, it will get documented with a simple
> working example. I promise that.

Think about the host as your hypervisor on steroids. And with this in mind:

- Your host has a network stack "N0".
- Your vnet jail has a separate network stack "N1".
- The kernel of the "hypervisor" has a firewall and automatically makes it see all physical hardware (remember, it depends upon the rules whether it does something there or not).
- Without doing anything, they are not connected (= separate), and N1 is not even connected to hardware.
- On the host you create a virtual network device "bridge0". By creating it, it is created in the "namespace of the hypervisor" = inside N0. This means the firewall of the host is able to do something there, if the rules are set up accordingly.
- When you create the epair, it is also created in N0, like the bridge. On the host, all commands you run are operating in the namespace of the "hypervisor". The firewall sees both ends of the epair and can react to it.
- When you then give epairXb to N1, you remove it from N0, which means:
  * you have a P2P connection between N0 and N1
  * the host firewall cannot inspect packets on epairXb, but still can on epairXa
  * you could give an IP to epairXa and have only the host communicate with the jail, or do some other things like giving epairXa to another jail and have a P2P connection between jails (the host firewall doesn't see either epair end anymore), or e.g. the next point
- Then you connect epairXa to the bridge. If there are other jails connected, you can have them communicate with each other in this virtual network, with the host being able to intercept packets which show up on the bridge (it is still in the N0 namespace).
- If you want to communicate with the outside, you can:
  * connect a network interface (which is inside the namespace of the host) to the bridge, and the packets leaving the physical device have the IP of the jail.
  * give the bridge an IP address and have the host route between the bridge and the outside (or have it route between bridge A and bridge B but not to the outside).
- In all the above cases, the bridge(s) and the physical interface live in the namespace of N0. As such the firewall of N0 can inspect packets there, and you can do NAT (the jail doesn't know what is outside, so it makes sense to do the NAT on the host).

Bye,
Alexander.
--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org   netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
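The following script is an added example, not part of Alexander's mail and not FreeBSD project code. It builds the topology the mail describes using the second "outside" variant (bridge0 gets an IP, the host routes and NATs for the jail) and includes the check that epairXb has really left the host stack. Everything concrete in it is an assumption: the physical NIC is em0, the jail is named "www" with root /usr/jails/www, the bridge network is 192.0.2.0/24 with the host on .1 and the jail on .10, and pf is the host firewall. net.link.bridge.pfil_member is set explicitly so pf filters on epair0a rather than relying on the default. Run as root on FreeBSD with the argument `setup`; with DRYRUN=1 it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original mail). Hypothetical names throughout:
# em0, jail "www", /usr/jails/www, 192.0.2.0/24. DRYRUN=1 prints instead of runs.
set -eu

JAIL=www
JAIL_ROOT=/usr/jails/www
EXT_IF=em0
BRIDGE=bridge0
EPAIR=epair0
BRIDGE_IP=192.0.2.1/24
JAIL_IP=192.0.2.10/24
JAIL_NET=192.0.2.0/24

run() {
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Everything created here lands in N0 (the host stack): bridge0, epair0a
# and epair0b. At this point the host firewall can see all of them.
setup_host_side() {
    run ifconfig "$BRIDGE" create
    run ifconfig "$EPAIR" create
    run ifconfig "$BRIDGE" addm "${EPAIR}a" up
    run ifconfig "${EPAIR}a" up
    run ifconfig "$BRIDGE" inet "$BRIDGE_IP"
    # filter on bridge members (epair0a), set explicitly instead of trusting the default
    run sysctl net.link.bridge.pfil_member=1
    run sysctl net.inet.ip.forwarding=1
}

# vnet.interface moves epair0b into N1. From here on it is gone from the
# host's interface list; pf on the host only sees epair0a, bridge0 and em0.
start_jail() {
    run jail -c name="$JAIL" path="$JAIL_ROOT" host.hostname="$JAIL" \
        vnet vnet.interface="${EPAIR}b" persist
    run jexec "$JAIL" ifconfig lo0 up
    run jexec "$JAIL" ifconfig "${EPAIR}b" inet "$JAIL_IP" up
    run jexec "$JAIL" route add default "${BRIDGE_IP%/*}"
}

# The check a practitioner wants: epair0b absent from N0, present in N1.
check_separation() {
    run ifconfig -l                  # host: bridge0 epair0a em0 ... but no epair0b
    run jexec "$JAIL" ifconfig -l    # jail: lo0 epair0b
}

# Host pf rules: filter the jail on its N0-side end (epair0a) and NAT its
# traffic out of em0. The jail sees neither the rules nor the outside address.
# pf is last-match-wins, so the block rule is overridden by the later pass rules.
pf_rules() {
    cat <<EOF
ext_if = "$EXT_IF"
jail_if = "${EPAIR}a"
jail_net = "$JAIL_NET"

nat on \$ext_if inet from \$jail_net to any -> (\$ext_if)

block in on \$jail_if all
pass in on \$jail_if inet proto { tcp udp } from \$jail_net to any port { 53 80 443 }
pass in on \$jail_if inet proto icmp from \$jail_net to any
pass out on \$ext_if all
EOF
}

load_pf_rules() {
    tmp=$(mktemp)
    pf_rules > "$tmp"
    run pfctl -f "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
setup)
    setup_host_side
    start_jail
    check_separation
    load_pf_rules
    ;;
esac
```

Because epair0b lives in N1 after `start_jail`, any rule written `on epair0b` in the host's pf.conf can never match; the jail's traffic has to be filtered on epair0a, bridge0 or em0, which is the whole point of the mail.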