Jail on 2 interfaces?
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Wed Dec 23 10:25:07 UTC 2009
On Wed, 23 Dec 2009, Matthew Seaman wrote:
> Mel Flynn wrote:
>> I don't see this documented in jail(8) nor rc(8) nor defaults/rc.conf, so
>> is it possible to have 2 IPs on 2 ethernet interfaces? And if so, is it
>> settable for rc(8)?
>> The usage case is to have the same jailed proxy server on two separate
>> internal networks. Ideally, the proxy will use one address for outgoing, so
>> I guess I'll need a default route or dive into the squid config.
>> At present I have:
>> ifconfig_bge0="inet 192.168.177.60 netmask 255.255.255.0"
>> ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
>> ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
>> But this created the IP on bge0 even though one exists on em0. Is it as
>> simple as not specifying the interface and add the 177.62 alias on bge0?
>> Ideally I'd have a jail_$jail_ip_multi$aliasno_interface="foo0", but my
>> main worry is that the jail infrastructure understands the routing
> To do this directly is now possible in 8.0-RELEASE or better. You will
> need a custom kernel with 'options VIMAGE' and I believe the standard jail
> startup scripts need a bit of work in order for them to start the jail with
> the correct command line arguments to enable the vnet functionality.
No, that's wrong. FreeBSD 7.2-R and later can do multi-IP jails and
have the IPs on multiple interfaces; there is no need for a dedicated
The routing is not much different than if you would do it in the base
system with two IPs. If it works there, just putting it in a multi-IP
jail with the addresses on the right interface will just work as well.
If you want different routing for a jail use setfib with a multi-FIB
based kernel (you may need to recompile the kernel for that) but you
still won't need multiple network stacks.
> Alternatively, you can achieve much the same effect that you want by using
> a simple one-ip jail and writing firewall rules to redirect traffic into it,
> and NAT traffic coming out of it.
Using firewall NAT with jails is something I often see and usually
never understand unless people only have a single IP and want to share
that between lots of jails (though if no duplicate services exist,
that will just work by default these days as well).
Bjoern A. Zeeb
It will not break if you know what you are doing.
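A constructed rc.conf fragment showing the layout Bjoern describes: one multi-IP jail with each address pinned to its own interface, no VIMAGE and no NAT. This is added here and is not from the thread or from the FreeBSD rc scripts; it assumes the "iface|addr/prefix" address form that rc.d/jail accepts on 7.2-R/8.x (check rc.conf(5) on your release), uses Mel's addresses from above, and the jail name "proxy" and its paths are placeholders.

```sh
# /etc/rc.conf fragment (constructed example, not from the thread)

# Host side: only the primary address of each interface. With the
# "iface|addr/prefix" form below, rc.d/jail adds the /32 alias on jail
# start and removes it on stop, so no ifconfig_*_alias lines are needed
# for the jail addresses (assumption about rc.d/jail behaviour).
ifconfig_bge0="inet 192.168.177.60 netmask 255.255.255.0"
ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"

# Jail side: one jail, two addresses, each tied to the right interface.
# "proxy", the rootdir and the hostname are placeholders.
jail_enable="YES"
jail_list="proxy"
jail_proxy_rootdir="/usr/jails/proxy"
jail_proxy_hostname="proxy.example.internal"
jail_proxy_devfs_enable="YES"
# Primary address lives on em0 ...
jail_proxy_ip="em0|192.168.176.62/32"
# ... and the second one on bge0; routing is the host's, as Bjoern says.
jail_proxy_ip_multi0="bge0|192.168.177.62/32"

# To check after "/etc/rc.d/jail start proxy":
#   jls -v              (lists both addresses under the jail)
#   ifconfig bge0 em0   (each alias should sit on its own interface)
# Picking the outgoing address is then a squid matter
# (tcp_outgoing_address), not a jail one.
```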