From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Wed, 18 Mar 2020 16:37:45 +0100
To: Victor Sudakov, freebsd-questions@freebsd.org
Cc: freebsd-net@freebsd.org
Subject: Re: IPv6 in jails
Message-ID: <2dd539ed-0ee3-079b-27b2-28126056c69a@quip.cz>
In-Reply-To: <20200318151556.GA64871@admin.sibptus.ru>

Victor Sudakov wrote on 2020/03/18 16:15:
> Dear Colleagues,
>
> Is IPv6 in jails supposed to work? Does not work for me, what am I doing
> wrong?
>
> Here is a test jail:
>
> test4 {
>         path = /d02/jails/test4 ;
>         mount.devfs;
>         ip4 = new;
>         ip6 = new;
>         ip4.addr = 192.168.4.204/24;
>         ip6.addr = 2001:470:ecba:3::4/64;
>         host.hostname = test4.vas.sibptus.ru ;
>         interface = re1 ;
>         allow.raw_sockets = true ;
>         exec.start = "/bin/sh /etc/rc";
>         exec.stop = "/bin/sh /etc/rc.shutdown";
> }
>
> However when I look from inside the jail, I see the daemons listening
> only on IPv4:
>
> root@test4:/ # sockstat -l
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> root     sendmail   17178 3  tcp4   192.168.4.204:25      *:*
> root     sshd       17175 3  tcp4   192.168.4.204:22      *:*
> root     syslogd    17110 5  udp4   192.168.4.204:514     *:*
>
> If I "ssh 2001:470:ecba:3::4" from outside, I get into the host instead
> of the jail (because 2001:470:ecba:3::4 *is* assigned to re1, but not
> available inside the jail).

If sshd in the host is configured to listen on all available interfaces
and addresses (the default) then it will catch your jail's IP too. You
must configure sshd in the host to listen only on the host's IP and then
you will connect to the jail's sshd.

What is your sshd_config in the host and in the jail? The following
configuration directives must be set right:

Port
AddressFamily
ListenAddress

Miroslav Lachman
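
Added example, not part of the original message: a host listener bound to the wildcard address is what lets the host's sshd answer on the jail's address, so the shell function below lists such listeners from `sockstat -l` output taken on the host. The function names, the sample output and the host address 2001:db8::10 are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): list host listeners bound to
# the wildcard address, which also answer on addresses assigned to a jail.

# Reads `sockstat -l` output (column layout as quoted in the thread) on stdin.
# Optional arguments: ports to report on; with no arguments, every port.
# Prints one line per match: PROTO COMMAND PID PORT
wildcard_listeners() {
    awk -v ports="$*" '
    BEGIN {
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) want[p[i]] = 1
    }
    # Only IPv4/IPv6 sockets; this also skips the header line.
    $5 !~ /^(tcp|udp)(4|6|46)$/ { next }
    {
        # LOCAL ADDRESS is addr:port; an IPv6 address contains colons
        # itself, so split on the last colon only.
        port = $6; sub(/^.*:/, "", port)
        addr = $6; sub(/:[^:]*$/, "", addr)
        if (addr == "*" && (n == 0 || port in want))
            print $5, $2, $3, port
    }'
}

# Constructed sample of host-side output; PIDs and the 2001:db8::10 and
# loopback listeners are made up for the example.
sample_host_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp6   *:22                  *:*
root     sshd       812   4  tcp4   *:22                  *:*
root     sendmail   901   3  tcp4   127.0.0.1:25          *:*
root     syslogd    640   6  udp6   *:514                 *:*
root     httpd      955   4  tcp6   2001:db8::10:22       *:*
EOF
}

# Report wildcard listeners on the ports the jail serves (22 and 25 here).
sample_host_sockstat | wildcard_listeners 22 25
```

An empty result for the jail's service ports means no host daemon is bound to the wildcard address on those ports.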