Re: iocage, vnet jail does not go outside

From: Jacques Foucry <jacques+freebsd_at_foucry.net>
Date: Mon, 26 Jul 2021 21:15:20 +0200
On Saturday 24 Jul 2021 at 23:48:26 (+0200), infoomatic wrote:
Hello,
> Hi,
> 
> sorry to hear that.

That's life :-) and I learn a lot from my mistake and your help.
> 
> I use the tools from the FreeBSD base system, they work great, and I
> encourage all newbies to use the tools from the base systems - and
> recommend reading the parts of the handbook and the man pages of jail
> and jail.conf


I used to. I also read Michael W. Lucas's Mastery: Jails book.

> 
> Here are the relevant parts of my config:
> 
> rc.conf:
> 
> cloned_interfaces="bridge0"
> 
> ifconfig_bridge0="inet 192.168.1.1 netmask 255.255.255.0 up"
> 
> pf.conf:
> 
> nat pass on em0 proto tcp from {192.168.1.201} to any -> pu.bl.ic.ip
> 
> and the jail.conf:
> 
> example {
>     host.hostname = example;
>     vnet;
>     vnet.interface = "epair201b";
>     path ="/jails/$name";
>     exec.prestart += "ifconfig epair201 create";
>     exec.prestart += "ifconfig epair201a up";
>     exec.prestart += "ifconfig bridge0 addm epair201a";
>     exec.prestop += "ifconfig epair201b -vnet $name";
>     exec.poststop += "ifconfig epair201a destroy";
> 
> }
> 
> and the /jails/example/etc/rc.conf:
> 
> ifconfig_epair201b="inet 192.168.1.201 netmask 255.255.255.0"
> defaultrouter="192.168.1.1"
> hope this helps,


Of course it helps. And as I understood about having or not em0 in the
bridge: without it you are sure that your jail CANNOT communicate with the
external world (useful for a database jail for example), and with it your jail
CAN communicate with the external world (useful for a website or mail jail).

In my case, I would like to have a VNET jail that can dialog with the World.

So, from your sample I added em0 to the bridge and gave it an IPv4 address, but it
did not work.


In any case, thanks for your help and the time you spent on my stupid problem.
Btw I read all the other answers and try to make a mix-up in my brain with all
this information. Thanks to all.

> >
> >> iocage automatically creates a bridge with your physical interface and
> >> the vnet interface. Imho this is wrong behaviour so I quit using iocage,
> >> however, there is a workaround, for more info see [1]
> >
> > I read carefully the issue you pointed to and it appears that with the
> > vnet_default_interface parameter set to auto, em0 is added to the bridge; set
> > to none, em0 is not added to the bridge.
> >
> > So I stopped my jail, destroyed the bridge0 interface, set vnet_default_interface to
> > none and restarted the jail.
> >
> > As expected em0 is not in the bridge any more:
> >
> > bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> > 	description: jails-bridge
> > 	ether 58:9c:fc:10:ed:66
> > 	inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
> > 	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> > 	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> > 	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> > 	member: vnet0.657 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
> > 	        ifmaxaddr 0 port 6 priority 128 path cost 2000
> > 	groups: bridge
> > 	nd6 options=9<PERFORMNUD,IFDISABLED>
> >
> > Since then, from the jail I cannot ping anything, from outside I cannot connect to
> > the jail, and from the jail I cannot connect to outside hosts.
> >
> > In fact, seen quickly, the situation is worse.
> >
> > I did not look at the routing tables yet (too many other things to do).
> >
> > As I understood, you do not use iocage any more. Did you use the "raw"
> > method (i.e. /etc/jail.conf)? If yes, I am really interested in a "picture" of
> > your configuration.
> >
> > To be honest, I used to try the "raw" method without success before trying
> > iocage.
> >
> > Thanks for your time and advices.
> 

-- 
Jacques Foucry
Received on Mon Jul 26 2021 - 19:15:20 UTC
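As an added example (not part of this thread or of iocage), here is a small POSIX sh helper that parses `ifconfig` output of the kind quoted above, together with a jail's rc.conf, to check two of the things discussed: whether the physical uplink (assumed here to be em0) is a member of the jail bridge, which decides whether the jail is isolated from or reachable from the outside, and whether the jail's defaultrouter is the bridge's own address. The sample texts are constructed from the values in the thread; the interface and bridge names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a jail bridge from saved
# `ifconfig bridge0` output and a jail rc.conf, without touching the system.
# Interface names (bridge0, em0, vnet0.657, epair201b) are assumptions.

# Constructed sample: the bridge as listed in the thread, with only the
# jail side of the epair attached and no physical uplink.
SAMPLE_BRIDGE_NO_UPLINK='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: jails-bridge
        ether 58:9c:fc:10:ed:66
        inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
        member: vnet0.657 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        groups: bridge'

# Constructed sample: the same bridge after em0 has been added as a member
# (the vnet_default_interface=auto situation described in the thread).
SAMPLE_BRIDGE_WITH_UPLINK="$SAMPLE_BRIDGE_NO_UPLINK
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000"

# Constructed sample of a jail's /etc/rc.conf, in the shape shown in the thread.
SAMPLE_JAIL_RC='ifconfig_epair201b="inet 10.0.10.201 netmask 255.255.255.0"
defaultrouter="10.0.10.1"'

# Print the member interface names of a bridge, one per line,
# from `ifconfig <bridge>` output read on stdin.
bridge_members() {
    awk '$1 == "member:" { print $2 }'
}

# Return 0 if the named interface is a bridge member, 1 otherwise.
# Usage: printf '%s\n' "$output" | bridge_has_member em0
bridge_has_member() {
    bridge_members | grep -qx -- "$1"
}

# Classify the bridge: "isolated" when the given uplink is not a member
# (only epair/vnet sides attached, so the jail cannot reach the outside),
# "uplinked" when the uplink is a member.
bridge_mode() {
    if bridge_has_member "$1"; then
        echo uplinked
    else
        echo isolated
    fi
}

# Print the first IPv4 address configured on the bridge (the jail's gateway).
bridge_inet() {
    awk '$1 == "inet" { print $2; exit }'
}

# Extract the defaultrouter value from rc.conf text read on stdin.
rc_defaultrouter() {
    sed -n 's/^defaultrouter="\([^"]*\)"/\1/p'
}

# Return 0 if the jail's defaultrouter equals the bridge's own inet address.
# $1 = bridge ifconfig output, $2 = jail rc.conf text
gateway_matches() {
    [ "$(printf '%s\n' "$1" | bridge_inet)" = "$(printf '%s\n' "$2" | rc_defaultrouter)" ]
}

# Stand-alone demonstration on the constructed samples.
printf 'members: %s\n' "$(printf '%s\n' "$SAMPLE_BRIDGE_NO_UPLINK" | bridge_members | tr '\n' ' ')"
printf 'mode without em0: %s\n' "$(printf '%s\n' "$SAMPLE_BRIDGE_NO_UPLINK" | bridge_mode em0)"
printf 'mode with em0: %s\n' "$(printf '%s\n' "$SAMPLE_BRIDGE_WITH_UPLINK" | bridge_mode em0)"
if gateway_matches "$SAMPLE_BRIDGE_NO_UPLINK" "$SAMPLE_JAIL_RC"; then
    echo 'jail defaultrouter matches the bridge address'
fi
```

On a real host the same functions can be fed with `ifconfig bridge0 | bridge_mode em0` and `cat /jails/example/etc/rc.conf | rc_defaultrouter`; the point is to make the "em0 in the bridge or not" state explicit before looking at routing tables or pf rules.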
