how to determine primary (source) IP address in jail

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Thu Feb 28 22:11:34 UTC 2019


On 28 Feb 2019, at 10:58, Miroslav Lachman wrote:

> Is there some easy way to determine the primary (source) address which 
> is used in a jail with multiple IP addresses?
>
> I came to this problem with running local_unbound in a jail. Unbound 
> refuses queries originating in this jail because they do not come from 
> the real 127.0.0.1 (which is the only one allowed by default). Unbound in 
> the jail sees requests come from the jail's IP. It is easy to determine (in 
> a shell script) if the jail has only one IP.
> But what in the case where the jail has multiple IPs? Is there some sysctl or 
> some call to ifconfig or any other util to get the IP which will be 
> used as the source address for queries to local services in the jail?

Bind the listen socket of the local unbound to any IP of your jail and 
other services (unless the source port got bound) will select the same 
IP address as the destination if both are in the same jail.


> I know I can allow all IPs of jail in
> access-control: a.b.c.d/32 allow
> access-control: e.f.g.h/32 allow
>
> I am just curious if there is some way to get the "primary" IP in a jail 
> without calling anything from the host environment.

Open a UDP socket; bind to 127.1; call getsockname.
https://reviews.freebsd.org/D19218 is currently having a similar issue, 
solving it exactly that way.


There were people who in the past added a 127.{2,3,4,5,...} for each 
jail and then used that one instead of 127.1, but I've never been a 
huge fan of that, especially given one may run the resolver for other 
services outside that jail (maybe in others) as well and they need to be 
able to reach that in a reliable way.


/bz
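The probe described in the reply above, as an added example that is not part of the original thread or of D19218: bind a UDP socket to 127.0.0.1 and read back the address with getsockname. Inside a FreeBSD jail that has no loopback of its own, the kernel rewrites 127.0.0.1 to the jail's primary IPv4 address, so the result is the address the question asks for; outside a jail (or on Linux) it simply comes back as 127.0.0.1. A second helper goes one step beyond the post and shows what the "other services" do implicitly when they talk to a resolver bound to one of the jail's addresses: connect() an unbound UDP socket to the destination (no packet is sent) and ask which source address the kernel picked. Function names, the IPv4-only scope and the sample destination 127.0.0.1:53 are my own assumptions.

```c
/* Added example (not from the mailing-list thread): two ways to learn the
 * source address a jail will use, without touching the host environment.
 * Assumptions: IPv4 only; function names are mine, not a FreeBSD API. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to 127.0.0.1 ("127.1") on any port and report the
 * address the kernel actually assigned.  In a FreeBSD jail without its
 * own loopback the bind is rewritten to the jail's primary IPv4 address;
 * elsewhere this yields 127.0.0.1.  Returns 0 on success, -1 on error. */
int jail_primary_ipv4(char *out, size_t outlen)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = 0;                               /* any free port */
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* 127.0.0.1 */

    socklen_t len = sizeof sin;
    int rc = -1;
    if (bind(fd, (struct sockaddr *)&sin, len) == 0 &&
        getsockname(fd, (struct sockaddr *)&sin, &len) == 0 &&
        inet_ntop(AF_INET, &sin.sin_addr, out, outlen) != NULL)
        rc = 0;
    close(fd);
    return rc;
}

/* Ask the kernel which source address it would use toward dst:port by
 * connect()ing a UDP socket (this sends nothing on the wire) and reading
 * getsockname.  A service that did not bind its source port gets exactly
 * this address when it queries a resolver listening on dst:port.
 * Returns 0 on success, -1 on error (including an unparsable dst). */
int source_ipv4_for(const char *dst, unsigned short port, char *out, size_t outlen)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in peer;
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(port);
    if (inet_pton(AF_INET, dst, &peer.sin_addr) != 1) {
        close(fd);
        return -1;
    }

    struct sockaddr_in local;
    socklen_t len = sizeof local;
    int rc = -1;
    if (connect(fd, (struct sockaddr *)&peer, sizeof peer) == 0 &&
        getsockname(fd, (struct sockaddr *)&local, &len) == 0 &&
        inet_ntop(AF_INET, &local.sin_addr, out, outlen) != NULL)
        rc = 0;
    close(fd);
    return rc;
}

int main(void)
{
    char primary[INET_ADDRSTRLEN], src[INET_ADDRSTRLEN];

    if (jail_primary_ipv4(primary, sizeof primary) == 0)
        printf("bind(127.1) landed on %s\n", primary);
    else
        perror("jail_primary_ipv4");

    /* Constructed destination: a resolver listening on 127.0.0.1:53. */
    if (source_ipv4_for("127.0.0.1", 53, src, sizeof src) == 0)
        printf("source address toward 127.0.0.1:53 is %s\n", src);
    else
        perror("source_ipv4_for");
    return 0;
}
```

Run it inside a jail with several addresses and both lines print the jail's first IPv4 address; that is the one to put in unbound's access-control if you do not want to list every address. The second helper also shows the caveat from the reply: a service that binds its own source port to a specific address bypasses this selection, so its queries will arrive from whatever it bound to.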

