Date: Thu, 28 Feb 2019 10:43:30 -0700
From: James Gritton <jamie@freebsd.org>
To: freebsd-jail@freebsd.org
Subject: Re: how to determine primary (source) IP address in jail
Message-ID: <80473893b119a7f602ff7efb72416561@freebsd.org>
In-Reply-To: <781124ab-ca3e-f410-1a60-649e216cded6@quip.cz>
References: <781124ab-ca3e-f410-1a60-649e216cded6@quip.cz>

On 2019-02-28 03:58, Miroslav Lachman wrote:
> Is there some easy way to determine the primary (source) address which
> is used in jail with multiple IP addresses?
>
> I came to this problem with running local_unbound in jail. Unbound
> refuses queries originating in this jail because they do not come from
> real 127.0.0.1 (which is the only one allowed by default). Unbound in
> jail sees requests come from jail's IP. It is easy to determine (in
> shell script) if jail has only one IP.
> But what in case where jail has multiple IPs? Is there some sysctl or
> some call to ifconfig or any other util to get the IP which will be
> used as source address for queries on local services in jail?
>
> I know I can allow all IPs of jail in
> access-control: a.b.c.d/32 allow
> access-control: e.f.g.h/32 allow
>
> I am just curious if there is some way to get "primary" IP in jail
> without calling anything from the host environment.

There's nothing reliable that I know of. Lists of addresses like that
from "ifconfig -a" or "netstat -rn" are in the order that they exist on
the host, filtered so only in-jail addresses show up. While this may
work for jails that always create aliases for their addresses in the
defined order (as jail(8) will), they don't work in cases where the
address already exists. It will also have problems when the addresses
are on different interfaces.

- Jamie
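
The workaround mentioned in the question (allowing every address the jail can see instead of guessing which one is primary), as an added example that is not part of the original messages. The function name `jail_acl`, the interface names and the sample `ifconfig -a` output are constructed for illustration; skipping IPv6 link-local addresses is an assumption.

```shell
#!/bin/sh
# Added example: build Unbound access-control lines for every address
# visible in the jail, so the result does not depend on address order.

# Constructed sample of `ifconfig -a` output as seen inside a jail
# (documentation addresses; interface names are assumptions).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.11 netmask 0xffffffff broadcast 192.0.2.11
        inet6 2001:db8::10 prefixlen 64
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo1 prefixlen 64 scopeid 0x3
        inet 198.51.100.5 netmask 0xffffffff'

# jail_acl: read ifconfig output on stdin and print one single-host
# access-control line per address (/32 for IPv4, /128 for IPv6).
jail_acl() {
    awk '
        function add(net) {
            if (!(net in seen)) {        # same address listed twice
                seen[net] = 1
                printf "access-control: %s allow\n", net
            }
        }
        $1 == "inet"  { add($2 "/32") }
        $1 == "inet6" {
            addr = $2
            sub(/%.*/, "", addr)         # drop the %scope suffix
            # Assumption: link-local addresses are not used to reach
            # the local resolver, so they are skipped.
            if (tolower(addr) ~ /^fe80:/) next
            add(addr "/128")
        }
    '
}

# Inside the jail this would be: ifconfig -a | jail_acl
printf '%s\n' "$SAMPLE_IFCONFIG" | jail_acl
```

Because every in-jail address gets its own single-host entry, the output stays correct whichever address the kernel picks as source, including when addresses sit on different interfaces.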