Date: Sat, 24 Jul 2021 13:38:16 +0200
From: Jacques Foucry <jacques+freebsd@foucry.net>
To: infoomatic <infoomatic@gmx.at>
Cc: freebsd-jail@freebsd.org
Subject: Re: iocage, vnet jail does not go outside
Message-ID: <YPv7qCwQ18cF%2B5Ba@mithril.foucry.net>
In-Reply-To: <40b7782d-9d5c-099a-ed58-4476b3523d7a@gmx.at>
References: <YPrwCW44LdKfHxIk@mithril.foucry.net> <40b7782d-9d5c-099a-ed58-4476b3523d7a@gmx.at>

On Friday 23 Jul 2021 at 23:06:41 (+0200), infoomatic wrote:

Hello Robert,

Thanks for your answer.

> iocage automatically creates a bridge with your physical interface and
> the vnet interface. Imho this is wrong behaviour so I quit using iocage,
> however, there is a workaround, for more info see [1]

I read carefully the issue you pointed to, and it appears that with the
vnet_default_interface parameter set to auto, em0 is added to the bridge;
set to none, em0 is not added to the bridge.

So I stopped my jail, destroyed the bridge0 interface, set
vnet_default_interface to none and restarted the jail.

As expected, em0 is not in the bridge any more:

bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: jails-bridge
        ether 58:9c:fc:10:ed:66
        inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet0.657 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>

Since then, from the jail I cannot ping anything, from outside I cannot
connect to the jail and from the jail I cannot connect to an outside host.
In fact, at a quick look, the situation is worse.

I did not look at the routing tables yet (too many other things to do).

As I understood, you did not use iocage any more. Did you use the "raw"
method (i.e. /etc/jail.conf)? If yes, I am really interested in a "picture"
of your configuration.

To be honest, I tried the "raw" method without success before trying
iocage.

Thanks for your time and advice.

-- 
Jacques Foucry
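
A check for the bridge membership discussed in the message above, as an added example that is not part of the original e-mail: it parses `ifconfig` bridge output and reports whether a given physical interface is a member. The function names are assumptions of this example, and the sample text is an abbreviated copy of the bridge0 output quoted in the message.

```shell
#!/bin/sh
# Sample input: abbreviated copy of the bridge0 output quoted in the message.
SAMPLE_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: jails-bridge
        inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
        member: vnet0.657 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        groups: bridge'

# bridge_members (hypothetical helper): read ifconfig output on stdin and
# print one bridge member interface name per line.
bridge_members() {
    awk '$1 == "member:" { print $2 }'
}

# nic_in_bridge NIC (hypothetical helper): read ifconfig output on stdin;
# return 0 only if NIC is listed as a member (exact, whole-name match).
nic_in_bridge() {
    bridge_members | grep -Fxq -- "$1"
}

# audit_bridge NIC (hypothetical helper): print a one-line verdict for the
# ifconfig output supplied on stdin.
audit_bridge() {
    nic=$1
    out=$(cat)
    members=$(printf '%s\n' "$out" | bridge_members | tr '\n' ' ')
    if printf '%s\n' "$out" | nic_in_bridge "$nic"; then
        echo "BRIDGED: $nic is a member (members: ${members% })"
    else
        echo "ISOLATED: $nic is not a member (members: ${members% })"
    fi
}

# On the host itself: ifconfig bridge0 | audit_bridge em0
printf '%s\n' "$SAMPLE_BRIDGE" | audit_bridge em0
```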