Jails, loopback-addresses and IPv6

Sascha Biberhofer s.biberhofer at sphericalelephant.com
Fri Feb 26 21:14:19 UTC 2016


Arthur Chance <freebsd at qeng-ho.org> wrote:
> [...]
> Ignoring jails, the IPv4 networking code knows of both loopback addresses
> (127.*) and loopback devices (lo*) and ensures that packets containing
> loopback addresses (in either source or destination fields) are dropped on
> non-loopback devices. This means jails on 127.* can only talk to the outside
> world if you have NAT in place.
My jails also have an address in a private RFC 1918 address space which
is used for NAT, so that's fine for me. :)

> If all jails are assigned lo1|127.0.1.*/24 addresses then they can all talk
> to each other freely (and the host if it has such an address). If you wish
> to control communication between jails you need a firewall. If however you
> simply don't want jails to be able to talk to each other, I think giving
> them 127.0.1.*/32 addresses should work, alternatively give them
> 127.x.y.1/24 addresses.
That's actually an interesting idea, I'll see how that works out. Since
I'll be running pf anyway to limit jail communication on the internal
network, filtering loopback traffic isn't much of a problem in any case.

> [...]
> Yes, there's only one loopback address, and for most purposes it's just
> another unicast address. ULAs are also normal unicast addresses, they merely
> have the qualification that they should not be seen outside your
> administrative domain. A badly configured router might let them through,
> which is why 40 bits of the 48 bit prefix are supposed to be randomly
> generated, to avoid collisions. There are also link local addresses
> (fe80::/10, the equivalent of 169.254.*/16) which can only be seen on the
> one interface. These might be useful for jails, depending on what you want
> to do.
Using link-local addresses is actually a really good idea; I don't know
why I didn't think of that. This should be more than sufficient for my
needs and less of a hassle than ULAs.

> As for VIMAGE, many people are happily using it but officially it's not
> ready for production work. The latest news was in the January FreeBSD
> Foundation newsletter
> https://www.freebsdfoundation.org/press/2016janupdate.pdf (PDF). TL;DR
> version: probably in Release 11.0.
Thanks for the heads up, I'll probably use the "standard" jail
networking for now and switch to VIMAGE as soon as it's officially ready
for prime time.

Also, thank you for the detailed response, this really helped a lot. :)
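
Added example, not part of the original message or of any FreeBSD tooling: a short Python sketch that sorts planned jail addresses into the address classes discussed in this thread (loopback, link-local, RFC 1918, ULA) and generates a ULA /48 prefix with the 40 random bits mentioned above. The jail names and addresses are constructed sample data.

```python
import ipaddress
import secrets

ULA_RANGE = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local range
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def random_ula_prefix():
    """Build a /48 ULA prefix: 0xfd (8 bits) followed by a 40-bit random global ID."""
    global_id = secrets.randbits(40)
    base = (0xFD << 120) | (global_id << 80)   # low 80 bits stay zero
    return ipaddress.IPv6Network((base, 48))

def classify(addr):
    """Return the address class, using the categories named in the thread."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"      # 127.0.0.0/8 or ::1
    if ip.is_link_local:
        return "link-local"    # 169.254.0.0/16 or fe80::/10
    if ip.version == 6 and ip in ULA_RANGE:
        return "ula"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    return "other"

def audit(plan):
    """Map each jail name to the sorted set of address classes it holds."""
    return {jail: sorted({classify(a) for a in addrs})
            for jail, addrs in plan.items()}

# Constructed sample plan; jail names and addresses are hypothetical.
SAMPLE_PLAN = {
    "web": ["127.0.1.10", "192.168.50.10", "fe80::10"],
    "db":  ["127.0.1.11", "fd12:3456:789a::11"],
}

if __name__ == "__main__":
    for jail, classes in audit(SAMPLE_PLAN).items():
        print(jail, classes)
    print("fresh ULA prefix:", random_ula_prefix())
```

An audit like this helps when writing the pf rules for the internal network, since each address class needs its own treatment in the ruleset.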

