Date:      Fri, 01 Mar 2019 06:43:08 -0500
From:      "Dave Cottlehuber" <dch@skunkwerks.at>
To:        freebsd-jail@freebsd.org
Subject:   Re: how to determine primary (source) IP address in jail
Message-ID:  <0439c792-dbb7-49cb-aed2-37aa9e5e1689@www.fastmail.com>
In-Reply-To: <781124ab-ca3e-f410-1a60-649e216cded6@quip.cz>
References:  <781124ab-ca3e-f410-1a60-649e216cded6@quip.cz>

On Thu, 28 Feb 2019, at 11:59, Miroslav Lachman wrote:
> Is there some easy way to determine the primary (source) address which 
> is used in jail with multiple IP addresses?
> 
> I came to this problem with running local_unbound in jail. Unbound 
> refuses queries originating in this jail because they do not come from 
> real 127.0.0.1 (which is the only one allowed by default). Unbound in 
> jail sees requests come from the jail's IP. It is easy to determine (in shell 
> script) if jail has only one IP.
> But what in case where jail has multiple IPs? Is there some sysctl or 
> some call to ifconfig or any other util to get the IP which will be used 
> as source address for queries on local services in jail?

Specifically for unbound, try interface-automatic and see if that helps.

       interface-automatic: <yes or no>
              Detect source interface on UDP queries and copy them to replies.
              This  feature  is experimental, and needs support in your OS for
              particular socket options.  Default value is no.

# /etc/unbound/conf.d/secure.conf
server:
    interface-automatic:  yes
    access-control:       127.0.0.0/8   allow
    access-control:       10.0.0.0/8    allow
    access-control:       0.0.0.0/0     refuse
    access-control:       ::1/64        allow
    access-control:       ::/8          refuse
...


I don't use it quite the same way as you though, and it doesn't solve the
generic problem. I run a single unbound instance in the host system,
and only allow jails to resolve via that.

https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

A+
Dave
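As an added illustration (not from this thread, and not unbound's own code), the script below models the two things the exchange turns on: which address a non-VNET jail presents as source for local queries, and how unbound's access-control picks the most specific matching netblock (falling back to its built-in refuse when nothing matches). The rules are the ones from the secure.conf above; the jail address lists are constructed samples, and the first-address rule follows FreeBSD's mapping of 127.0.0.1/::1 and wildcard binds to the first entry of ip4.addr/ip6.addr.

```python
"""Model unbound access-control decisions for a jail's source address."""
import ipaddress

# access-control entries from the secure.conf quoted in the reply above
SECURE_CONF_RULES = [
    ("127.0.0.0/8", "allow"),
    ("10.0.0.0/8", "allow"),
    ("0.0.0.0/0", "refuse"),
    ("::1/64", "allow"),
    ("::/8", "refuse"),
]


def jail_source_addr(jail_addrs):
    """Address a non-VNET jail uses as source for queries to local services.

    FreeBSD maps 127.0.0.1 / ::1 and wildcard binds to the first address in
    the jail's ip4.addr / ip6.addr list, so that entry is what unbound sees.
    """
    if not jail_addrs:
        raise ValueError("jail has no addresses")
    return ipaddress.ip_address(jail_addrs[0])


def access_decision(rules, src, default="refuse"):
    """Longest-prefix match over access-control netblocks, as unbound does.

    The most specific netblock containing src wins regardless of the order
    the rules are written in; with no match unbound refuses the query.
    """
    src = ipaddress.ip_address(src)
    best = None
    for netblock, action in rules:
        net = ipaddress.ip_network(netblock, strict=False)
        if net.version != src.version or src not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else default


def jail_can_query(rules, jail_addrs):
    """Decision unbound makes for a query originating inside the jail."""
    return access_decision(rules, jail_source_addr(jail_addrs))


if __name__ == "__main__":
    # constructed jails: one on RFC 1918 space, one on a TEST-NET address
    for addrs in (["10.0.0.5", "10.0.0.6"], ["192.0.2.10", "10.0.0.7"]):
        print(addrs, "->", jail_source_addr(addrs),
              jail_can_query(SECURE_CONF_RULES, addrs))
```

Note that a global IPv6 source such as 2001:db8::1 matches neither ::1/64 nor ::/8, so it is refused only by unbound's default rather than by an explicit entry.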