jail and networking

[Shane Ambler]

On 22/02/2013 05:52, Devin Teske wrote:

> What I find strange is that:
>
> 1. I knew about ListenAddress w/respect to jails, but...
>
> 2. We are not changing it (sshd_config has no ListenAddress -- leading to
> default values used), yet...
>
> 3. Base machine and jails both work fine
>
> Not sure when it's required versus not, because we're running fine without that
> change here with over a dozen jails.
>
> The only thing I've ever noticed is that we tend to use
> jail_NAME_ip="iface|addr" while most everybody else seems to be using
> jail_NAME_ip="addr".
>

We may need to expand out from that. I use jail_NAME_ip="addr" but also

ipv4_addrs_re0="10.0.0.254/24 10.0.0.1-5/24"
route_jaillan0="-net 10.0.0.0/24 10.0.0.254"
static_routes="jaillan0"

Don't recall where I got that from but think it was an easy way to alias 
a number of ip's whereas ifconfig_<iface>_alias0 sets one ip at a time 
and is also deprecated.

If you use jail_NAME_ip="iface|addr" does this mean you don't have ip 
addresses aliased to the iface on startup and they get aliased as the 
jail starts? That would be why sshd isn't bound to the address before.

man rc.conf for jail_<jname>_ip says "... Additionally each address can 
be prefixed by the name of an interface followed by a pipe to overwrite" 
does that mean it clears the ip from the base system and re-creates it 
for the jail?

I also see jail_<jname>_interface "...When set, sets the interface to 
use when setting IP address alias. Note that the alias is created at 
jail startup and removed at jail shutdown."

Which is what sounds like the solution to not have ip's available when 
sshd starts so it isn't bound to them.

Also what sys version were these options added?