From owner-freebsd-net@freebsd.org Sun Jun 26 15:43:55 2016
From: Alan Somers
Date: Sun, 26 Jun 2016 09:43:53 -0600
To: org.freebsd.security@io7m.com
Cc: FreeBSD Net
Subject: Re: ifconfig: BRDGADD lo1: invalid argument
In-Reply-To: <20160626093754.5e534ff4@copperhead.int.arc7.info>
References: <20160625164240.7cea7587@copperhead.int.arc7.info>
 <20160625234636.2f086908@x23>
 <20160625220551.646eccb6@copperhead.int.arc7.info>
 <20160626093754.5e534ff4@copperhead.int.arc7.info>
List-Id: Networking and TCP/IP with FreeBSD

On Sun, Jun 26, 2016 at 3:37 AM, wrote:
> Hello.
>
> On 2016-06-25T18:13:18 -0600
> Alan Somers wrote:
>
>> On Sat, Jun 25, 2016 at 4:05 PM, wrote:
>> > I'm not using vnet jails. I'm actually just trying to get filtering of
>> > outbound traffic (see the other mail I sent to this list a few seconds
>> > before you responded).
>>
>> Based on my experience, I highly recommend vnet jails if you want
>> outbound filtering. It's much simpler than trying to filter outbound
>> traffic from shared-IP jails.
>
> I'm trying to look at vnet jails, but they still seem to be mostly
> undocumented and not entirely supported. Lots of fairly recent posts
> online regarding panics in day-to-day use. Using them in production
> seems risky. Is there something I should be looking at in particular?

I'm not sure how many known bugs they have. Adrian Chadd (adrian@) is
the best person to ask.

>
> When you say shared-IP jails, what exactly are you referring to? I'm
> not sure what's shared in this case; I have one public IP (it's a VPS)
> but individual jails are on their own private loopback addresses.

A shared-IP jail is the traditional, non-vnet type. You assign an alias
address to one of the host's network interfaces, and then assign that
address to the jail. It's called "shared-IP" because both host and jail
can see a network interface with that IP address.

> > M
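The two halves of a shared-IP jail described above (an alias address on a host interface, then the same address handed to the jail), plus the outbound pf rules that make this harder than the vnet case, as an added example that is not part of the list thread or of FreeBSD's own documentation. It emits the configuration as text so it can be reviewed before being applied; the interface lo1, the address 10.0.0.10, the jail name web and the external interface em0 are constructed placeholders. The pf part tags the jail's packets in the nat rule, because filter rules on the external interface only see the post-translation source address, so a plain `block out from 10.0.0.10` there would never match.

```shell
#!/bin/sh
# Added example (not from the thread): configuration for one shared-IP jail.
# All names and addresses below are constructed placeholders.

# Host side, /etc/rc.conf: clone lo1 and give it the jail's alias address.
# Usage: shared_ip_host_config lo1 10.0.0.10
shared_ip_host_config() {
    iface=$1; addr=$2
    printf 'cloned_interfaces="%s"\n' "$iface"
    printf 'ifconfig_%s_alias0="inet %s/32"\n' "$iface" "$addr"
}

# Jail side, /etc/jail.conf: bind the same address to the jail via ip4.addr.
# Usage: shared_ip_jail_conf web 10.0.0.10
shared_ip_jail_conf() {
    name=$1; addr=$2
    cat <<EOF
$name {
    path = "/usr/jails/$name";
    host.hostname = "$name.example.invalid";
    ip4.addr = "$addr";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}
EOF
}

# Outbound filtering, /etc/pf.conf: the nat rule runs before filtering and
# rewrites the source to the host's public address, so the jail is identified
# by a tag set at translation time rather than by its (already rewritten) IP.
# Default-deny for the jail, then allow only the flows it needs.
# Usage: shared_ip_pf_rules em0 10.0.0.10 web
shared_ip_pf_rules() {
    ext_if=$1; jaddr=$2; tag=$3
    cat <<EOF
# translation: tag the jail's traffic, then NAT it out of $ext_if
nat on $ext_if from $jaddr to any tag $tag -> ($ext_if)
# filtering: last match wins without "quick", so the block is the default
block out log on $ext_if tagged $tag
pass out quick on $ext_if proto tcp tagged $tag to any port { 80 443 }
pass out quick on $ext_if proto udp tagged $tag to any port 53
EOF
}

# Sanity check on a generated ruleset: the block rule for the tag must be
# present, otherwise the jail has unrestricted outbound access.
# Returns 0 when the default-deny rule exists.
pf_rules_have_default_deny() {
    tag=$1
    grep -q "^block out .*tagged $tag\$"
}

# Stand-alone run: print all three fragments for review.
if [ "${1:-}" = "show" ]; then
    shared_ip_host_config lo1 10.0.0.10
    echo
    shared_ip_jail_conf web 10.0.0.10
    echo
    shared_ip_pf_rules em0 10.0.0.10 web
fi
```

Run it as `sh shared-ip.sh show` to print the three fragments; the rc.conf and pf.conf lines belong on the host, the jail.conf stanza is the only part the jail itself sees. A vnet jail avoids the tagging step entirely, since its traffic arrives on a distinct interface (an epair) where ordinary `pass`/`block` rules apply before any translation.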