Date: Mon, 11 Mar 2019 11:45:19 +0100 From: Miroslav Lachman <000.fbsd@quip.cz> To: freebsd-jail@freebsd.org Subject: Re: how to determine primary (source) IP address in jail Message-ID: <1179aae6-614e-b02e-9cf5-dc71003604f7@quip.cz> In-Reply-To: <0439c792-dbb7-49cb-aed2-37aa9e5e1689@www.fastmail.com> References: <781124ab-ca3e-f410-1a60-649e216cded6@quip.cz> <0439c792-dbb7-49cb-aed2-37aa9e5e1689@www.fastmail.com>
Dave Cottlehuber wrote on 2019/03/01 12:43:
> On Thu, 28 Feb 2019, at 11:59, Miroslav Lachman wrote:
>> Is there some easy way to determine the primary (source) address which
>> is used in jail with multiple IP addresses?
>>
>> I came to this problem with running local_unbound in jail. Unbound
>> refuses queries originating in this jail because they do not come from
>> real 127.0.0.1 (which is the only one allowed by default). Unbound in
>> jail sees requests come from the jail's IP. It is easy to determine (in shell
>> script) if jail has only one IP.
>> But what in case where jail has multiple IPs? Is there some sysctl or
>> some call to ifconfig or any other util to get the IP which will be used
>> as source address for queries on local services in jail?
>
> Specifically for unbound, try interface-automatic and see if that helps.
>
> interface-automatic: <yes or no>
> Detect source interface on UDP queries and copy them to replies.
> This feature is experimental, and needs support in your OS for
> particular socket options. Default value is no.
>
> # /etc/unbound/conf.d/secure.conf
> server:
> interface-automatic: yes
> access-control: 127.0.0.0/8 allow
> access-control: 10.0.0.0/8 allow
> access-control: 0.0.0.0/0 refuse
> access-control: ::1/64 allow
> access-control: ::/8 refuse
> ...
>
> I don't use it quite the same way as you though, and it doesn't solve the
> generic problem. I run a single unbound instance in the host system,
> and only allow jails to resolve via that.
>
> https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

Thanks to all for the replies. It seems that is easier to list all jail's IPs
in the access-control with /32 mask than try to find the source address.
I can live with it ;)

Miroslav Lachman
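As an added illustration (not code from either poster), the two halves of the thread in one script: find out empirically which source address the kernel picks for a query to 127.0.0.1 from inside the jail, and generate the per-address /32 (or /128) access-control block Miroslav settled on. The jail addresses are constructed sample values; the function names are this example's own.

```python
import ipaddress
import socket

# Constructed sample: the addresses a multi-IP jail might be configured with.
JAIL_IPS = ["10.0.1.10", "10.0.1.11", "192.0.2.5"]


def discover_source_address(dest="127.0.0.1", port=53):
    """Report the source address the kernel picks for a UDP query to dest.

    connect() on a UDP socket sends nothing; it only selects the route and
    the local address.  Inside a FreeBSD jail with ip4.addr set, the kernel
    maps 127.0.0.1 to the jail's first address, so this returns that address;
    on an unjailed host it simply returns 127.0.0.1.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest, port))
        return s.getsockname()[0]


def unbound_access_control(ips, default="refuse"):
    """Build an unbound access-control block: one host-width 'allow' per
    jail address, then a catch-all for everything else.

    Each address is validated with ipaddress so a typo in the jail's address
    list fails loudly instead of silently widening the allow list.
    """
    lines = ["server:",
             "    access-control: 127.0.0.0/8 allow",
             "    access-control: ::1/128 allow"]
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        width = 32 if addr.version == 4 else 128
        lines.append(f"    access-control: {addr}/{width} allow")
    lines.append(f"    access-control: 0.0.0.0/0 {default}")
    lines.append(f"    access-control: ::/0 {default}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("source address for local queries:", discover_source_address())
    print(unbound_access_control(JAIL_IPS))
```

Run it inside the jail to see the mapped source address; the generated block can be dropped into a file under /etc/unbound/conf.d/.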
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1179aae6-614e-b02e-9cf5-dc71003604f7>