From: Ruben van Staveren
To: Ruslan Ermilov
Cc: "Bjoern A. Zeeb", freebsd-jail@freebsd.org
Subject: Re: can jail use 2 NICS?
Date: Sat, 22 Nov 2008 02:24:19 +0100

Hi,

On 21 Nov 2008, at 21:23, Ruslan Ermilov wrote:

> Hi,
>
> Have been traveling, hence long "no reply"...
>
> On Sun, Nov 16, 2008 at 02:10:35PM +0000, Bjoern A. Zeeb wrote:
>> So the basic idea could be to only have
>> jail__ip=""
>> jail__ip6=""
>>
>> and each of them would have a format like:
>>
>> [iface|]address[/prefix]
>
> I'd suggest [iface:] instead.

This will get a bit ambiguous when IPv6 addresses are used...

>> where iface and prefix are optional and prefix only makes sense if
>> iface is given?
>>
>> If iface is given it means configure the address with prefix to the
>> given interface; if prefix is not given the default would be /32 for
>> ipv4 and /128 for ipv6.

Yes, and I prefer the prefix notation above the subnet mask one.

Related, I still need to look at ifconfig canonicalizing stuff like
2001:888:1029::192.168.1.129 before operating on the interface structure.

This helps in

    ifconfig delete 2001:888:1029::192.168.1.129

currently this does not work because on ifconfig up the value is
converted to 2001:888:1029::c0a8:181

>> So now this would give really long and complicated lines in rc.conf.
>> Do you think we could have something like the _alias for interface
>> addresses so that it would be like:
>>
>> jail__ip="" # default
>> jail__ip_multi0="" # second IP of the jail
>> jail__ip_multi1="" # third IP of the jail
>> jail__ip_multi2="" # 4th IP of the jail
>>
>> and similar for IPv6?
>>
>> (multi might not be the best suffix)
>>
>> Something along those lines?

From a user point of view, it will make a messy configuration. It might
be more preferable then to have something in the order of

    jail "" { iface prefix addr [] [/] addr [] [/] ... }

For Bjoern I think something like this in an /etc/jail.conf will mark a
clear separation between rc.conf and jail management?

>> Ruslan, what do you think about something like that? We could have
>> that for HEAD and 7 just now and add the _multi support with the
>> multi-IP jail patches? Could you and Ruben work together to build
>> this?
>>
> I think this is a good idea. My workaround with routes
> I mentioned doesn't actually work, so currently we use
> a version from HEAD on our production servers, and the
> modified version of ezjail port that supports netmasks.

The route thing, is that the setfib configuration from HEAD?

>
> Cheers,
> --
> Ruslan Ermilov
> ru@FreeBSD.org
> FreeBSD committer

Regards,
Ruben
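
Added example, not part of the original message and not FreeBSD code: one way to parse the `[iface|]address[/prefix]` form proposed in the thread, applying the /32 and /128 defaults and round-tripping the address through inet_pton()/inet_ntop() so that both spellings of the IPv6 address quoted above end up identical. The names `struct jail_addr` and `parse_jail_addr` are hypothetical, and rejecting a prefix given without an interface is an assumption taken from the proposal's wording.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical holder for one "[iface|]address[/prefix]" entry. */
struct jail_addr {
    char iface[16];               /* empty if no interface was given */
    char addr[INET6_ADDRSTRLEN];  /* canonical text from inet_ntop() */
    int family, prefix;           /* AF_INET/AF_INET6; default 32/128 */
};

/* Returns 0 on success, -1 on malformed input. */
int parse_jail_addr(const char *spec, struct jail_addr *out)
{
    char buf[128], *addr = buf, *bar, *slash, *end;
    unsigned char bin[16];        /* large enough for an IPv6 address */

    memset(out, 0, sizeof(*out));
    if (snprintf(buf, sizeof(buf), "%s", spec) >= (int)sizeof(buf))
        return -1;
    /* '|' never occurs inside an address, unlike ':' in IPv6. */
    if ((bar = strchr(buf, '|')) != NULL) {
        *bar = '\0';
        if (bar == buf || strlen(buf) >= sizeof(out->iface))
            return -1;
        strcpy(out->iface, buf);
        addr = bar + 1;
    }
    if ((slash = strchr(addr, '/')) != NULL)
        *slash++ = '\0';
    out->family = strchr(addr, ':') ? AF_INET6 : AF_INET;
    out->prefix = (out->family == AF_INET6) ? 128 : 32;
    /* Text -> binary -> text gives one canonical spelling per address. */
    if (inet_pton(out->family, addr, bin) != 1 ||
        inet_ntop(out->family, bin, out->addr, sizeof(out->addr)) == NULL)
        return -1;
    if (slash != NULL) {
        /* Assumption from the thread: a prefix needs an interface. */
        long p = strtol(slash, &end, 10);
        if (!out->iface[0] || end == slash || *end || p < 0 || p > out->prefix)
            return -1;
        out->prefix = (int)p;
    }
    return 0;
}
```

Comparing the `addr` fields of two parsed entries, rather than the strings as typed, is what lets an address added as 2001:888:1029::192.168.1.129 be matched later in its 2001:888:1029::c0a8:181 form.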