Jail on 2 interfaces?

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Wed Dec 23 10:25:07 UTC 2009


On Wed, 23 Dec 2009, Matthew Seaman wrote:

> Mel Flynn wrote:
>> Hi,
>> 
>> I don't see this documented in jail(8) nor rc(8) nor defaults/rc.conf, so 
>> is it possible to have 2 IP's on 2 ethernet interfaces? And if so, is it 
>> settable for rc(8)?
>> 
>> The usage case is to have the same jailed proxy server on two separate 
>> internal networks. Ideally, the proxy will use one address for outgoing, so 
>> I guess I'll need a default route or dive into the squid config.
>> 
>> At present I have:
>> ifconfig_bge0="inet 192.168.177.60  netmask 255.255.255.0"
>> ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
>> ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
>> jail_squid_rootdir="/usr/squid"
>> jail_squid_ip="192.168.177.62"
>> jail_squid_ip_multi0="192.168.176.62"
>> jail_squid_interface="bge0"
>> 
>> But this created the IP on bge0 even though one exists on em0. Is it as 
>> simple as not specifying the interface and add the 177.62 alias on bge0?
>> Ideally I'd have a jail_$jail_ip_multi$aliasno_interface="foo0", but my 
>> main worry is that the jail infrastructure understands the routing 
>> involved.
>
> To do this directly is now possible in 8.0-RELEASE or better.  You will
> need a custom kernel with 'options VIMAGE' and I believe the standard jail
> startup scripts need a bit of work in order for them to start the jail with
> the correct command line arguments to enable the vnet functionality.

No, that's wrong.  FreeBSD 7.2-R and later can do multi-IP jails and
have the IPs on multiple interfaces; there is no need for a dedicated
network stack.

The routing is not much different than if you would do it in the base
system with two IPs.  If it works there, just putting it in a multi-IP
jail with the addresses on the right interface will just work as well.

If you want different routing for a jail use setfib with a multi-FIB
based kernel (you may need to recompile the kernel for that) but you
still won't need multiple network stacks.


> Alternatively, you can achieve much the same effect that you want by using
> a simple one-ip jail and writing firewall rules to redirect traffic into it,
> and NAT traffic coming out of it.

Using firewall NAT with jails is something I often see and usually
never understand unless people only have a single IP and want to share
that between lots of jails (though if no duplicate services exist,
that will just work by default these days as well).

-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.
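An added illustration, not code from the thread or from FreeBSD's rc.d/jail script: a POSIX sh sketch of how the 7.2+/8.x jail rc framework resolves the interface for each address of a multi-IP jail using the rc.conf(5) "iface|addr/prefix" address form, and why the original rc.conf put both addresses on bge0. The helper names and the /32 default for unqualified IPv4 aliases are assumptions.

```shell
#!/bin/sh
# Added illustration, not code from the thread or from FreeBSD's rc.d/jail.
# Mimics how the 7.2+/8.x jail rc script decides which interface each address
# of a multi-IP jail lands on, using the rc.conf(5) "iface|addr/prefix" form.
# Assumptions: a spec without "iface|" falls back to jail_<name>_interface,
# and an IPv4 address without a prefix length is aliased as /32.

# iface_of DEFAULT_IFACE SPEC -> interface the address is configured on.
iface_of() {
    case "$2" in
        *\|*) printf '%s\n' "${2%%\|*}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# addr_of SPEC -> bare address, stripped of interface and prefix length.
addr_of() {
    a="${1#*\|}"
    printf '%s\n' "${a%%/*}"
}

# prefix_of SPEC -> prefix length, defaulting to 32.
prefix_of() {
    case "$1" in
        */*) printf '%s\n' "${1##*/}" ;;
        *)   printf '%s\n' 32 ;;
    esac
}

# alias_cmds DEFAULT_IFACE SPEC... -> the ifconfig alias line per address
# that jail start runs before invoking jail(8).
alias_cmds() {
    def="$1"; shift
    for spec in "$@"; do
        printf 'ifconfig %s inet %s/%s alias\n' \
            "$(iface_of "$def" "$spec")" "$(addr_of "$spec")" "$(prefix_of "$spec")"
    done
}

# jail_ip_list SPEC... -> comma-separated address list handed to jail(8).
jail_ip_list() {
    out=""
    for spec in "$@"; do out="${out:+$out,}$(addr_of "$spec")"; done
    printf '%s\n' "$out"
}
# Constructed input mirroring the original rc.conf: with no "iface|" prefix
# both addresses land on bge0; naming em0 on the second one pins it there.
alias_cmds bge0 192.168.177.62 192.168.176.62
alias_cmds bge0 192.168.177.62 'em0|192.168.176.62'
```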

