multiple interfaces for jail.conf(1) and jail_set(2)

Miroslav Lachman 000.fbsd at quip.cz
Thu Dec 15 20:09:31 UTC 2016


Michael Grimm wrote on 2016/12/15 19:36:
> [cc'd to freebsd-jail at FreeBSD.org where that thread originated]
>
> Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
>> On Wed, December 14, 2016 2:30 pm, Michael Grimm wrote:
>
>>> #
>>> # network settings to apply/destroy during start/stop of every jail
>>> #
>>> exec.prestart		 = "sleep 2";
>>> exec.prestart		+= "/sbin/ifconfig epair${jailID} create up";
>>> exec.prestart		+= "/sbin/ifconfig bridge0 addm epair${jailID}a";
>>> exec.start		 = "/sbin/sysctl net.inet6.ip6.dad_count=0";
>>> exec.start		+= "/sbin/ifconfig lo0 127.0.0.1 up";
>>> exec.start		+= "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
>>> exec.start		+= "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
>>> exec.start		+= "/sbin/route add default -gateway 10.1.1.254";
>>> exec.start		+= "/sbin/route add -inet6 default -gateway ${ip6prefixLOCAL}::254";
>>> exec.stop		 = "/sbin/route del default";
>>> exec.stop		+= "/sbin/route del -inet6 default";
>>> exec.stop		+= "/bin/sh /etc/rc.shutdown";
>>> exec.poststop 		 = "/sbin/ifconfig epair${jailID}a destroy";
>>>
>>> #
>>> # individual jail settings
>>> #
>>> dns {
>>> 	$jailID		 = 1;
>>> 	$ip4_addr	 = 10.1.1.1;
>>> 	$ip4_addr_2	 = 10.1.1.2;
>
> […]
>
>> Michael, is it possible to have two addresses belonging to two different
>> networks (through two different network interfaces)?
>>
>> Say, on host system:
>>
>> ifconfig_igb0="inet 172.20.9.22 ...
>> ifconfig_igb1="inet 10.1.1.17 ...
>>
>>
>> and in some jail
>>
>> 	$ip4_addr	 = 172.20.9.22;
>> 	$ip4_addr_2	 = 10.1.1.17;
>>
>> - will that work? This is what didn't work for me in the past when
>> configured jails old style in /etc/rc.conf
>
> I can't answer that because I have never tried it before.



More IP addresses on more interfaces has worked for me for many years, 
even in old rc.conf style jails.

Converted to the new jail.conf, it is something like this:

costa {
host.hostname = "costa.example.com";
ip4.addr = 94.104.135.21;
ip4.addr += 192.168.222.57;
}

As you can see, the IPs are from different networks.
We are not using auto add / remove of IPs on interfaces. We don't want to 
have something else to manage IP addresses. All IPs are defined in 
rc.conf on their proper interfaces.
In this case, the jail's first IP is on bge1 and the second is on nfe0 
(LAN interface).

I already made a jail using a VPN-assigned IP on the tun0 OpenVPN interface.

In other words - a jail doesn't care about interfaces. If there is an IP 
in the system (on whatever interface) then you can assign it to a jail, and 
you can assign as many IPs as you want (up to some really high limit).

Miroslav Lachman
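
The setup described above relies on every plain ip4.addr value already being configured on some host interface. The following check is an added example, not part of the original message: it lists jail.conf addresses that no interface carries. The function names, the "demo" jail and the ifconfig sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: list plain ip4.addr values in jail.conf that no host
# interface carries. All sample data below is constructed.

# Print IPv4 addresses from jail.conf text on stdin, one per line.
# "iface|addr/mask" entries are skipped: jail(8) adds those itself.
jail_ip4_addrs() {
    sed 's/#.*//' | awk '/ip4[.]addr[ \t]*[+]?=/ {
        sub(/^[^=]*=[ \t]*/, ""); sub(/;.*$/, ""); gsub(/"/, "")
        n = split($0, part, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            a = part[i]
            if (index(a, "|")) continue
            if ((p = index(a, "/")) > 0) a = substr(a, 1, p - 1)
            sub(/[ \t]+$/, "", a)
            if (a ~ /^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+$/) print a
        }
    }'
}

# Print the IPv4 addresses found in ifconfig output on stdin.
host_ip4_addrs() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2 }'
}

# $1 = jail.conf text, $2 = ifconfig output; prints addresses missing on host.
missing_jail_addrs() {
    host=$(printf '%s\n' "$2" | host_ip4_addrs)
    printf '%s\n' "$1" | jail_ip4_addrs | while read -r addr; do
        printf '%s\n' "$host" | grep -qxF -- "$addr" || printf '%s\n' "$addr"
    done
}

SAMPLE_CONF='costa {
	host.hostname = "costa.example.com";
	ip4.addr = 94.104.135.21;
	ip4.addr += 192.168.222.57;
}
demo {	# constructed jail, not from the post
	ip4.addr = 10.9.9.9;
	ip4.addr += "nfe0|192.168.222.60/24";
}'
SAMPLE_IFCONFIG='bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 94.104.135.21 netmask 0xffffff00 broadcast 94.104.135.255
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.222.57 netmask 0xffffff00 broadcast 192.168.222.255'

missing_jail_addrs "$SAMPLE_CONF" "$SAMPLE_IFCONFIG"
```

On a FreeBSD host, `missing_jail_addrs "$(cat /etc/jail.conf)" "$(ifconfig)"` runs the same check against the live configuration. Values given through jail.conf variables such as `${ip4_addr}` are not expanded and are ignored.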
