Jail on 2 interfaces?

Mel Flynn mel.flynn+fbsd.hackers at mailing.thruhere.net
Wed Dec 23 15:37:17 UTC 2009


On Wednesday 23 December 2009 01:19:23 Bjoern A. Zeeb wrote:
> On Tue, 22 Dec 2009, Mel Flynn wrote:
> 
> Hi,
> 
> first of all this would find more people to help on freebsd-jail as it
> has nothing to do with hackers ;-)

Yes, that was pretty braindead of me, especially since the intention was
questions at .

> > I don't see this documented in jail(8) nor rc(8) nor defaults/rc.conf, so
> > is it possible to have 2 IP's on 2 ethernet interfaces? And if so, is it
> > settable for rc(8)?
> >
> > The usage case is to have the same jailed proxy server on two separate
> > internal networks. Ideally, the proxy will use one address for outgoing,
> > so I guess I'll need a default route or dive into the squid config.
> >
> > At present I have:
> > ifconfig_bge0="inet 192.168.177.60  netmask 255.255.255.0"
> > ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
> > ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
> > jail_squid_rootdir="/usr/squid"
> > jail_squid_ip="192.168.177.62"
> > jail_squid_ip_multi0="192.168.176.62"
> > jail_squid_interface="bge0"
> >
> > But this created the IP on bge0 even though one exists on em0. Is it as
> > simple as not specifying the interface and add the 177.62 alias on bge0?
> > Ideally I'd have a jail_$jail_ip_multi$aliasno_interface="foo0", but my
> > main worry is that the jail infrastructure understands the routing
> > involved.
> >
> 
> From what you are writing I assume that you are on FreeBSD 7.2-Release
> or later; no official FreeBSD version before had supported
> multiple-IPs with a jail.

8.0-p3, yes.

> What it did was what you were asking for.  That's the problem.
> 
> 1) either use ifconfig
> 2) or use jail + interfaces
> 3) but do not mix them (especially not overlapping)
> 
> So I would suggest to do it like this:
> 
> # Base system IPs.
> ifconfig_bge0="inet 192.168.177.60/24"
> ifconfig_em0="inet 192.168.176.60/24"
> 
> jail_squid_rootdir="/usr/squid"
> # Either use:
> jail_squid_ip="bge0|192.168.177.62/32,em0|192.168.176.62/32"
> # or:
> jail_squid_ip="bge0|192.168.177.62/32"
> jail_squid_ip_multi0="em0|192.168.176.62/32"
> 
> but do not use jail_squid_interface=".." as that will be a global
> default for that jail.

Is it a global *default* or a global? For example, could I specify:
jail_squid_interface="bge0"
jail_squid_ip="192.168.177.62/32"
jail_squid_ip_multi0="192.168.177.63/32"
jail_squid_ip_multi1="em0|192.168.177.62/32"

Below is a patch against HEAD to document the $interface|$ip syntax.
-- 
Mel

Index: etc/defaults/rc.conf
===================================================================
--- etc/defaults/rc.conf        (revision 200901)
+++ etc/defaults/rc.conf        (working copy)
@@ -648,6 +648,7 @@
 #jail_example_fib="0"                          # Routing table for setfib(1)
 #jail_example_ip="192.0.2.10,2001:db8::17"     # Jail's primary IPv4 and IPv6 address
 #jail_example_ip_multi0="2001:db8::10"         #  and another IPv6 address
+#jail_example_ip_multi1="em0|192.0.3.10/32"    #  and another IPv4 address on a specific interface
 #jail_example_exec_start="/bin/sh /etc/rc"             # command to execute in jail for starting
 #jail_example_exec_afterstart0="/bin/sh command"       # command to execute after the one for
                                                        # starting the jail. More than one can be
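
Review bot: the address on the added jail_example_ip_multi1 line, 192.0.3.10, lies outside the 192.0.2.0/24 documentation range that the jail_example_ip line two lines above uses; 192.0.2.11/32 (or another RFC 5737 documentation address) would keep the sample from naming a routable network. The comment could also state that the same "interface|address" form is accepted in jail_example_ip, since the hunk shows it only on a _multi variable, and the neighbouring examples carry no prefix length, so a word on why /32 appears here would help readers.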


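The rule from the quoted reply (assign a jail's addresses either with ifconfig or with the jail variables, not both) can be checked mechanically. The Python below is an added example, not part of the original message or of FreeBSD's rc scripts; the function name, the regular expressions and the treatment of jail_<name>_interface as the interface for entries without an "iface|" prefix are assumptions drawn from the thread, and only IPv4 `inet` addresses are examined.

```python
import re
# Constructed input: the rc.conf fragment from the question quoted above.
ASKED = '''
ifconfig_bge0="inet 192.168.177.60  netmask 255.255.255.0"
ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
jail_squid_rootdir="/usr/squid"
jail_squid_ip="192.168.177.62"
jail_squid_ip_multi0="192.168.176.62"
jail_squid_interface="bge0"
'''
# Constructed input: the first layout suggested in the quoted reply.
SUGGESTED = '''
ifconfig_bge0="inet 192.168.177.60/24"
ifconfig_em0="inet 192.168.176.60/24"
jail_squid_rootdir="/usr/squid"
jail_squid_ip="bge0|192.168.177.62/32,em0|192.168.176.62/32"
'''

ASSIGN = re.compile(r'^\s*(\w+)="([^"]*)"')          # skips '#' comment lines
IFCONFIG = re.compile(r'^ifconfig_([a-z]+\d+)(?:_alias\d+)?$')
JAIL_IP = re.compile(r'^jail_(\w+?)_ip(?:_multi\d+)?$')
JAIL_IF = re.compile(r'^jail_(\w+?)_interface$')

def find_overlaps(text):
    """List (jail, jail_var, addr, host_var, host_if, jail_if) for every IPv4
    address set both by an ifconfig_* variable and by a jail_*_ip* variable."""
    host, jail, default_if = {}, [], {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value = m.groups()
        if (hit := IFCONFIG.match(name)):
            inet = re.search(r'\binet\s+([0-9.]+)', value)
            if inet:
                host[inet.group(1)] = (name, hit.group(1))
        elif (hit := JAIL_IP.match(name)):
            for item in value.split(','):        # "iface|addr/prefix" or "addr"
                iface, _, addr = item.strip().rpartition('|')
                jail.append((hit.group(1), name, iface, addr.split('/')[0]))
        elif (hit := JAIL_IF.match(name)):       # per-jail default interface
            default_if[hit.group(1)] = value
    return [(j, var, addr, *host[addr], iface or default_if.get(j))
            for j, var, iface, addr in jail if addr in host]

if __name__ == "__main__":
    for finding in find_overlaps(ASKED):
        print("address configured twice:", finding)
```

On the fragment from the question it reports 192.168.176.62, set by ifconfig_em0_alias0 on em0 and again by jail_squid_ip_multi0 with bge0 as the jail's interface; the suggested layout produces no findings.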