From: infoomatic <infoomatic@gmx.at>
To: freebsd-jail@freebsd.org
Subject: Re: iocage, vnet jail does not go outside
Date: Sat, 24 Jul 2021 23:48:26 +0200
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

Hi, sorry to hear that.
I use the tools from the FreeBSD base system, they work great, and I encourage all newbies to use the tools from the base system - and recommend reading the parts of the handbook and the man pages of jail and jail.conf.

Here are the relevant parts of my config:

rc.conf:

    cloned_interfaces="bridge0"
    ifconfig_bridge0="inet 192.168.1.1 netmask 255.255.255.0 up"

pf.conf:

    nat pass on em0 proto tcp from {192.168.1.201} to any -> pu.bl.ic.ip

and the jail.conf:

    example {
        host.hostname = example;
        vnet;
        vnet.interface = "epair201b";
        path = "/jails/$name";
        exec.prestart += "ifconfig epair201 create";
        exec.prestart += "ifconfig epair201a up";
        exec.prestart += "ifconfig bridge0 addm epair201a";
        exec.prestop += "ifconfig epair201b -vnet $name";
        exec.poststop += "ifconfig epair201a destroy";
    }

and the /jails/example/etc/rc.conf:

    ifconfig_epair201b="inet 192.168.1.201 netmask 255.255.255.0"
    defaultrouter="192.168.1.1"

hope this helps,
Robert

On 24.07.21 13:38, Jacques Foucry wrote:
> On Friday 23 Jul 2021 at 23:06:41 (+0200), infoomatic wrote:
>
> Hello Robert,
>
> Thanks for your answer.
>
>> iocage automatically creates a bridge with your physical interface and
>> the vnet interface. Imho this is wrong behaviour so I quit using iocage,
>> however, there is a workaround, for more info see [1]
>
> I read carefully the issue you pointed to, and it appears that with the
> vnet_default_interface parameter set to auto, em0 is added to the bridge; set
> to none, em0 is not added to the bridge.
>
> So I stopped my jail, destroyed the bridge0 interface, set vnet_default_interface to
> none and restarted the jail.
>
> As expected em0 is not in the bridge any more:
>
> bridge0: flags=8843 metric 0 mtu 1500
>         description: jails-bridge
>         ether 58:9c:fc:10:ed:66
>         inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: vnet0.657 flags=143
>                 ifmaxaddr 0 port 6 priority 128 path cost 2000
>         groups: bridge
>         nd6 options=9
>
> Since from the jail I cannot ping anything, from outside I cannot connect to
> the jail and from the jail I cannot connect to an outside host.
>
> In fact, seen quickly, the situation is worse.
>
> I did not look at the routing tables yet (too many other things to do).
>
> As I understood you did not use iocage any more. Did you use the "raw"
> method (ie /etc/jail.conf)? If yes, I am really interested in a "picture" of
> your configuration.
>
> To be honest, I used to try the "raw" method without success before trying
> iocage.
>
> Thanks for your time and advice.
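As an added example (not code from the thread or from FreeBSD), a small Python checker that parses a jail.conf in the shape Robert posted and reports which of the host-side epair/bridge hooks (create, up, addm, -vnet, destroy) a vnet jail is missing. The parser is deliberately minimal (flat `name { ... }` blocks only), and the `broken` jail in the sample is constructed to show the failure case.

```python
import re

# Constructed sample shaped like the jail.conf in the thread; 'broken' is a
# hypothetical jail that skips most of the host-side epair handling.
SAMPLE_JAIL_CONF = """
example {
    vnet;
    vnet.interface = "epair201b";
    exec.prestart += "ifconfig epair201 create";
    exec.prestart += "ifconfig epair201a up";
    exec.prestart += "ifconfig bridge0 addm epair201a";
    exec.prestop += "ifconfig epair201b -vnet $name";
    exec.poststop += "ifconfig epair201a destroy";
}
broken {
    vnet;
    vnet.interface = "epair202b";
    exec.prestart += "ifconfig epair202 create";
}
"""

def parse_jail_conf(text):
    """Minimal parser for 'name { key = v; key += v; flag; }' -> {jail: {key: [values]}}."""
    jails = {}
    for block in re.finditer(r'(\w+)\s*\{(.*?)\}', text, re.S):
        params = {}
        # split the block body on ';', drop empty statements, keep '+=' as an append
        for stmt in filter(None, map(str.strip, block.group(2).split(';'))):
            key, value = re.match(r'([\w.]+)\s*(?:\+?=)?\s*(.*)', stmt, re.S).groups()
            params.setdefault(key, []).append(value.strip().strip('"'))
        jails[block.group(1)] = params
    return jails

def check_vnet_jail(params):
    """Return the host-side epair/bridge steps a vnet jail's hooks are missing."""
    if 'vnet' not in params:
        return []  # not a vnet jail, nothing to check here
    iface = params.get('vnet.interface', [''])[0]
    match = re.fullmatch(r'(epair\d+)b', iface)
    if not match:
        return [f'vnet.interface {iface!r} is not the b side of an epair']
    pair = match.group(1)
    steps = [(f'ifconfig {pair} create', 'exec.prestart', 'epair never created'),
             (f'{pair}a up', 'exec.prestart', 'host side never brought up'),
             (f'addm {pair}a', 'exec.prestart', 'host side not added to a bridge'),
             (f'{pair}b -vnet', 'exec.prestop', 'jail side not handed back to host'),
             (f'{pair}a destroy', 'exec.poststop', 'epair never destroyed')]
    return [problem for needle, hook, problem in steps
            if not any(needle in cmd for cmd in params.get(hook, []))]
```

On a real host you would feed it the contents of /etc/jail.conf instead of the sample and act on any non-empty list.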