Message-Id: <0439c792-dbb7-49cb-aed2-37aa9e5e1689@www.fastmail.com>
In-Reply-To: <781124ab-ca3e-f410-1a60-649e216cded6@quip.cz>
Date: Fri, 01 Mar 2019 06:43:08 -0500
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-jail@freebsd.org
Subject: Re: how to determine primary (source) IP address in jail
On Thu, 28 Feb 2019, at 11:59, Miroslav Lachman wrote:
> Is there some easy way to determine the primary (source) address which
> is used in a jail with multiple IP addresses?
>
> I came to this problem with running local_unbound in a jail. Unbound
> refuses queries originating in this jail because they do not come from
> the real 127.0.0.1 (which is the only one allowed by default). Unbound in
> the jail sees requests coming from the jail's IP. It is easy to determine
> (in a shell script) if the jail has only one IP.
> But what in the case where the jail has multiple IPs? Is there some sysctl or
> some call to ifconfig or any other util to get the IP which will be used
> as the source address for queries on local services in the jail?

Specifically for unbound, try interface-automatic and see if that helps.

    interface-automatic: Detect source interface on UDP queries and copy
    them to replies. This feature is experimental, and needs support in
    your OS for particular socket options. Default value is no.
    # /etc/unbound/conf.d/secure.conf
    server:
        interface-automatic: yes
        access-control: 127.0.0.0/8 allow
        access-control: 10.0.0.0/8 allow
        access-control: 0.0.0.0/0 refuse
        access-control: ::1/64 allow
        access-control: ::/8 refuse
        ...

I don't use it quite the same way as you do, though, and it doesn't solve the
generic problem. I run a single unbound instance on the host system, and only
allow jails to resolve via that.

https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

A+
Dave
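An added example, not part of either message in this thread: a small Python script that answers Miroslav's question empirically from inside the jail (a UDP connect() to 127.0.0.1 sends nothing, but makes the kernel choose the source address, which getsockname() then reports) and then evaluates that address against the access-control list from Dave's secure.conf using the semantics unbound.conf(5) documents (the most specific matching netblock wins; an address that matches nothing is refused). The netblocks are copied from the posted config; the sample addresses 10.0.5.2 and 192.0.2.10 are constructed, and the function names are my own.

```python
import ipaddress
import socket

# Netblocks and actions copied from the posted secure.conf; an
# unbound access-control list is evaluated by most specific match.
UNBOUND_ACL = [
    ("127.0.0.0/8", "allow"),
    ("10.0.0.0/8", "allow"),
    ("0.0.0.0/0", "refuse"),
    ("::1/64", "allow"),
    ("::/8", "refuse"),
]


def source_address_for(dest_ip, dest_port=53):
    """Return the local address the kernel picks to reach dest_ip.

    A UDP connect() transmits nothing, but it binds the socket to the
    source address the routing code selects, which getsockname() then
    reports. Inside a multi-IP jail this is the address unbound sees.
    """
    dest = ipaddress.ip_address(dest_ip)
    family = socket.AF_INET6 if dest.version == 6 else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.connect((dest_ip, dest_port))
        return sock.getsockname()[0]


def acl_decision(src_ip, acl=UNBOUND_ACL):
    """Apply unbound's access-control semantics: the most specific
    matching netblock wins; an address matching nothing is refused."""
    src = ipaddress.ip_address(src_ip)
    best_net, best_action = None, "refuse"
    for block, action in acl:
        # strict=False accepts host bits in a netblock such as ::1/64.
        net = ipaddress.ip_network(block, strict=False)
        if net.version != src.version or src not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_action = net, action
    return best_action


def check_local_query(dest_ip="127.0.0.1", acl=UNBOUND_ACL):
    """Report the source address a local query would carry and how the
    ACL treats it; run this inside the jail being debugged."""
    src = source_address_for(dest_ip)
    return src, acl_decision(src, acl)


if __name__ == "__main__":
    src, verdict = check_local_query()
    print(f"queries to 127.0.0.1 leave with source {src}: {verdict}")
    # Constructed samples: a jail whose primary address is 10.0.5.2 is
    # allowed by the posted list; an address outside both allow blocks
    # falls through to 0.0.0.0/0 and is refused.
    for sample in ("10.0.5.2", "192.0.2.10"):
        print(sample, acl_decision(sample))
```

Run on the host it reports 127.0.0.1 and "allow"; run inside a jail whose first address is, say, 10.0.5.2, the first line shows that address, which explains why unbound's default list (127.0.0.0/8 only) refuses the jail's own queries while the posted list admits them.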