Jails, loopback-addresses and IPv6

Arthur Chance freebsd at qeng-ho.org
Fri Feb 26 12:57:05 UTC 2016

On 26/02/2016 11:53, Sascha Biberhofer wrote:
> When setting up jails, the handbook mentions [1] that the
> loopback-address is an "alias" for the first IP-address assigned to that
> jail. In particular, listening on the loopback-address seems to be
> equivalent to listening on that IP, which might well be a globally
> reachable address. This - as far as I have understood this - leads one
> to create another loopback-device (e.g. lo1) and assign
> loopback-addresses like lo1|127.0.1.* to the jail and use stuff like pf
> to prevent other jails from accessing loopback-addresses not belonging
> to them (please correct me if I'm wrong on this).

That's pretty much it. If you look at the networking code, in a jail an 
address of, either as source or destination, is rewritten as 
the primary address of the jail.

Ignoring jails, the IPv4 networking code knows of both loopback 
addresses (127.*) and loopback devices (lo*) and ensures that packets 
containing loopback addresses (in either source or destination fields) 
are dropped on non-loopback devices. This means jails on 127.* can only 
talk to the outside world if you have NAT in place.

If all jails are assigned lo1|127.0.1.*/24 addresses then they can all 
talk to each other freely (and the host if it has such an address). If 
you wish to control communication between jails you need a firewall. If 
however you simply don't want jails to be able to talk to each other, I 
think giving them 127.0.1.*/32 addresses should work, alternatively give 
them 127.x.y.1/24 addresses.

> However, with IPv6, one has exactly one loopback-address (::1/128),
> hence such a setup can't easily be replicated. Is there any commonplace
> way to solve this? I could probably assign ULAs to each jail as the
> first IPv6-address, but this seems like a cumbersome workaround. People
> have also suggested switching to VIMAGE, which - as far as I can tell -
> isn't ready for production.
> Any thoughts/ideas/suggestions on this would be greatly appreciated.

Warning: I haven't yet converted my systems to use IPv6 (my ISP has only 
just started supporting it and I have to find time to sort it out) so 
the following is purely theoretical on my part.

Yes, there's only one loopback address, and for most purposes it's just 
another unicast address. ULAs are also normal unicast addresses, they 
merely have the qualification that they should not be seen outside your 
administrative domain. A badly configured router might let them through, 
which is why 40 bits of the 48 bit prefix are supposed to be randomly 
generated, to avoid collisions. There are also link local addresses 
(fe80::/10, the equivalent of 169.254.*/16) which can only be seen on 
the one interface. These might be useful for jails, depending on what 
you want to do.

As for VIMAGE, many people are happily using it but officially it's not 
ready for production work. The latest news was in the January FreeBSD 
Foundation newsletter 
https://www.freebsdfoundation.org/press/2016janupdate.pdf (PDF). TL;DR 
version: probably in Release 11.0.

Moore's Law of Mad Science: Every eighteen months, the minimum IQ
necessary to destroy the world drops by one point.
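The lo1/pf setup discussed in the message above, as an added example that is not part of the original post or of FreeBSD's own configuration files. It generates, for a constructed set of jails, /32 loopback addresses on lo1 (so no jail inherits a /24 "alias" covering its neighbours), matching jail.conf stanzas, and pf rules that let each jail talk to itself and to the host but not to the other jails; the IPv6 side does the same with per-jail /128 addresses under a ULA prefix, which is the "ULA as first IPv6 address" approach the question mentions. The subnet 127.0.1.0/24, the host address 127.0.1.254, the ULA prefix fd12:3456:789a and the jail names are hypothetical; generate your own ULA prefix rather than reusing this one. The pf rules deliberately carry no interface qualifier, because traffic between local addresses may be looped through lo0 rather than lo1.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Emits rc.conf,
# jail.conf and pf.conf fragments for jails on a cloned loopback interface.
# All addresses and names below are hypothetical.

NET4=127.0.1            # hypothetical loopback subnet reserved for jails
HOST4=${NET4}.254       # hypothetical host address on lo1
ULA=fd12:3456:789a      # hypothetical ULA /48; generate your own random one
JAILS="www db mail"     # constructed jail names, numbered 1..N in this order

# Per-jail IPv4 address: a /32 so the jail gets no /24 covering its neighbours.
jail_ip4() {
    printf '%s.%s/32\n' "$NET4" "$1"
}

# Per-jail IPv6 address: a /128 under the ULA prefix, same idea as the /32.
jail_ip6() {
    printf '%s::%x/128\n' "$ULA" "$1"
}

# rc.conf fragment: clone lo1 and give the host its own address on it.
rc_conf() {
    printf 'cloned_interfaces="lo1"\n'
    printf 'ifconfig_lo1="inet %s/32"\n' "$HOST4"
    printf 'ifconfig_lo1_ipv6="inet6 %s::fe/128"\n' "$ULA"
    printf 'pf_enable="YES"\n'
}

# jail.conf fragment: one stanza per jail, addresses bound to lo1.
jail_conf() {
    i=1
    for j in $JAILS; do
        printf '%s {\n' "$j"
        printf '    path = "/usr/jails/%s";\n' "$j"
        printf '    host.hostname = "%s.example.org";\n' "$j"
        printf '    ip4.addr = "lo1|%s";\n' "$(jail_ip4 "$i")"
        printf '    ip6.addr = "lo1|%s";\n' "$(jail_ip6 "$i")"
        printf '    exec.start = "/bin/sh /etc/rc";\n'
        printf '    exec.stop = "/bin/sh /etc/rc.shutdown";\n'
        printf '    mount.devfs;\n'
        printf '}\n'
        i=$((i + 1))
    done
}

# pf.conf fragment: pass jail-to-self and jail-to-host first (pf keeps state,
# so replies pass too), then block everything else inside the jail subnets.
pf_conf() {
    i=1
    for j in $JAILS; do
        ip4=$(jail_ip4 "$i"); ip4=${ip4%/32}
        ip6=$(jail_ip6 "$i"); ip6=${ip6%/128}
        printf '# %s: may talk to itself and the host only\n' "$j"
        printf 'pass quick inet from %s to { %s, %s }\n' "$ip4" "$ip4" "$HOST4"
        printf 'pass quick inet6 from %s to { %s, %s::fe }\n' "$ip6" "$ip6" "$ULA"
        i=$((i + 1))
    done
    printf 'pass quick inet from %s to %s.0/24\n' "$HOST4" "$NET4"
    printf 'pass quick inet6 from %s::fe to %s::/64\n' "$ULA" "$ULA"
    printf 'block drop quick inet from %s.0/24 to %s.0/24\n' "$NET4" "$NET4"
    printf 'block drop quick inet6 from %s::/64 to %s::/64\n' "$ULA" "$ULA"
}

printf '### /etc/rc.conf\n';   rc_conf
printf '### /etc/jail.conf\n'; jail_conf
printf '### /etc/pf.conf\n';   pf_conf
```

After loading the rules, `jexec www sockstat -4l` should show the jail's daemons bound to 127.0.1.1 only, and a connect attempt from jail www to 127.0.1.2 should be dropped while the same attempt to 127.0.1.254 succeeds.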
