Jails, loopback-addresses and IPv6
freebsd at qeng-ho.org
Fri Feb 26 12:57:05 UTC 2016
On 26/02/2016 11:53, Sascha Biberhofer wrote:
> When setting up jails, the handbook mentions that the
> loopback-address is an "alias" for the first IP-address assigned to that
> jail. In particular, listening on the loopback-address seems to be
> equivalent to listening on that IP, which might well be a globally
> reachable address. This - as far as I have understood this - leads one
> to create another loopback-device (e.g. lo1) and assign
> loopback-addresses like lo1|127.0.1.* to the jail and use stuff like pf
> to prevent other jails from accessing loopback-addresses not belonging
> to them (please correct me if I'm wrong on this).
That's pretty much it. If you look at the networking code, in a jail an
address of 127.0.0.1, either as source or destination, is rewritten as
the primary address of the jail.
Ignoring jails, the IPv4 networking code knows of both loopback
addresses (127.*) and loopback devices (lo*) and ensures that packets
containing loopback addresses (in either source or destination fields)
are dropped on non-loopback devices. This means jails on 127.* can only
talk to the outside world if you have NAT in place.
If all jails are assigned lo1|127.0.1.*/24 addresses, then they can all
talk to each other freely (and the host if it has such an address). If
you wish to control communication between jails you need a firewall. If
however you simply don't want jails to be able to talk to each other, I
think giving them 127.0.1.*/32 addresses should work, alternatively give
them 127.x.y.1/24 addresses.
> However, with IPv6, one has exactly one loopback-address (::1/128),
> hence such a setup can't easily be replicated. Is there any commonplace
> way to solve this? I could probably assign ULAs to each jail as the
> first IPv6-address, but this seems like a cumbersome workaround. People
> have also suggested switching to VIMAGE, which - as far as I can tell -
> isn't ready for production.
> Any thoughts/ideas/suggestions on this would be greatly appreciated.
Warning: I haven't yet converted my systems to use IPv6 (my ISP has only
just started supporting it and I have to find time to sort it out) so
the following is purely theoretical on my part.
Yes, there's only one loopback address, and for most purposes it's just
another unicast address. ULAs are also normal unicast addresses; they
merely have the qualification that they should not be seen outside your
administrative domain. A badly configured router might let them through,
which is why 40 bits of the 48 bit prefix are supposed to be randomly
generated, to avoid collisions. There are also link local addresses
(fe80::/10, the equivalent of 169.254.*/16) which can only be seen on
the one interface. These might be useful for jails, depending on what
you want to do.
As for VIMAGE, many people are happily using it but officially it's not
ready for production work. The latest news was in the January FreeBSD
https://www.freebsdfoundation.org/press/2016janupdate.pdf (PDF). TL;DR
version: probably in Release 11.0.
Moore's Law of Mad Science: Every eighteen months, the minimum IQ
necessary to destroy the world drops by one point.
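A worked configuration for the lo1|127.0.1.* setup discussed above, added here as an example and not part of the original message: a small sh script that emits the pf rules confining each jail to its own loopback address. The host address, the jail names and their addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: generate a pf.conf fragment
# that lets each jail use only its own 127.0.1.x address on lo1.
#
# Assumed host setup (rc.conf), with a /32 so the jails share no subnet:
#   cloned_interfaces="lo1"
#   ifconfig_lo1="inet 127.0.1.1/32"
# Assumed jail.conf (hypothetical jail names "www" and "db"):
#   www { ip4.addr = "lo1|127.0.1.10/32"; }
#   db  { ip4.addr = "lo1|127.0.1.11/32"; }

HOST_LO="127.0.1.1"

# Constructed jail table: "name address" per line.
JAILS="www 127.0.1.10
db 127.0.1.11"

# Emit the ruleset. Rules are keyed on addresses, not on "on lo1", so they
# match whichever loopback interface the kernel actually routes the packet
# over; keep lo1 and these addresses out of any "set skip" line.
gen_pf_rules() {
    printf 'host_lo = "%s"\n' "$HOST_LO"
    echo "$JAILS" | while read -r name addr; do
        [ -n "$name" ] || continue
        printf 'jail_%s = "%s"\n' "$name" "$addr"
    done
    printf 'table <jail_lo> { '
    echo "$JAILS" | while read -r name addr; do
        [ -n "$addr" ] || continue
        printf '%s ' "$addr"
    done
    printf '}\n'
    # A jail may talk to itself (this also covers 127.0.0.1, which the
    # kernel rewrites to the jail's primary address) and to the host.
    echo "$JAILS" | while read -r name addr; do
        [ -n "$name" ] || continue
        printf 'pass quick from $jail_%s to $jail_%s\n' "$name" "$name"
    done
    printf 'pass quick from $host_lo to <jail_lo>\n'
    printf 'pass quick from <jail_lo> to $host_lo\n'
    # Anything else between jail loopback addresses is dropped.
    printf 'block drop quick from <jail_lo> to <jail_lo>\n'
}

# Number of pass rules: one per jail plus the two host rules.
count_pass_rules() {
    gen_pf_rules | grep -c '^pass '
}
```

Run `gen_pf_rules` and place its output before the rest of your pf.conf, then check the loaded rules with `pfctl -sr`.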