Network namespaces in FreeBSD

Arthur Chance freebsd at
Thu Dec 24 16:22:19 UTC 2020

On 24/12/2020 16:14, Ihor Antonov wrote:
> On 12/24/20 1:07 AM, Arthur Chance wrote:
>> On 23/12/2020 18:40, Ihor Antonov wrote:
>>> On 12/23/20 10:32 AM, Kristof Provost wrote:
>>>> On 23 Dec 2020, at 19:22, Steve O'Hara-Smith wrote:
>>>>> On Wed, 23 Dec 2020 16:48:11 +0000
>>>>> Ameya Deshpande via freebsd-questions <freebsd-questions at>
>>>>> wrote:
>>>>>> Hi,
>>>>>> I am new to FreeBSD. I was wondering if there is concept like Network
>>>>>> Namespaces in FreeBSD, like it is in Linux?
>>>>> There is something similar, see man setfib for details.
>>>> I’ve only briefly played with linux network namespaces, but aren’t
>>>> vnet jails much closer to that?
>>> I have more experience with Linux than with FreeBSD, so I don't know for
>>> sure what setfib is about.
>>> VNET jails are the closest thing that comes to mind when comparing to
>>> Linux network namespaces. Unlike Linux, in a jail you will get all other
>>> namespaces separated too (e.g. mount, pid etc.)
>>> Unfortunately I don't know if it is possible to get exactly the same
>>> behavior as in Linux - share all other namespaces except for the network
>>> stack. I imagine you can get something like this with Capsicum, but it
>>> would require making changes to the app.
>> Wouldn't a VNET jail rooted at / effectively be that?
> Last time I played with jails setting jail's root to '/' was not allowed
> for some reason. I don't remember exact error message though.

I think that must have changed. Using a jail rooted at / used to be the
recommended way of preventing rpcbind's wildcard listen from being a
security loophole.

I do remember that you can't nullfs mount / under itself.

> I remember that I ended up null-mounting every directory in / (like bin,
> sbin, etc.) to the jail's root directory, and that was quite painful to do
> manually.

I'm increasingly thinking that the file system layout needs a rethink to
be able to handle jails and minimal app style devices like firewalls.
Sadly inertia (and standards) will prevent that from happening.

The number of people predicting the demise of Moore's Law doubles
every 18 months.
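The "VNET jail rooted at /" idea from the thread, written out as a jail.conf(5) stanza. This is an added example, not configuration posted by anyone in the thread; it assumes a VIMAGE-enabled kernel (GENERIC since FreeBSD 12), that the running kernel accepts path = "/" as discussed above, and the jail name, epair number and 192.0.2.0/24 addresses are constructed placeholders.

```conf
# Added example: a jail that shares the host's file system (path = "/")
# but gets its own network stack, the FreeBSD analogue of
# "ip netns add netns0" plus moving a veth end into that namespace.
# Only the network stack is separated here; root inside the jail can still
# modify host files, so treat this as network isolation, not a sandbox.
netns0 {
	path = "/";                 # host root, as in the thread; nothing copied or null-mounted
	vnet;                       # own interfaces, routing table, pf/ipfw state
	vnet.interface = "epair0b"; # this end is moved into the jail's stack at start
	persist;                    # jail exists with no processes, like an empty netns

	# Host side: create the epair and address the "a" end (constructed values).
	exec.prestart  = "ifconfig epair0 create";
	exec.prestart += "ifconfig epair0a inet 192.0.2.1/24 up";

	# Jail side: runs inside the new stack; /sbin is the host's, since path = "/".
	exec.start  = "/sbin/ifconfig epair0b inet 192.0.2.2/24 up";
	exec.start += "/sbin/route add default 192.0.2.1";

	# Tear down the host end when the jail stops (the "b" end goes with it).
	exec.poststop = "ifconfig epair0a destroy";

	# Deliberately NOT set: mount.devfs (would mount a second devfs over the
	# host's own /dev) and exec.start = "/etc/rc" (would re-run the host's
	# rc scripts inside the jail against the shared file system).
}
```

Start it with `jail -c netns0` and run a program in the separate stack with `jexec netns0 <command>`; `jexec netns0 ifconfig` shows only lo0 and epair0b, while `ifconfig` on the host no longer lists epair0b.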
