Re: iocage, vnet jail does not go outside

From: infoomatic <infoomatic_at_gmx.at>
Date: Sat, 24 Jul 2021 21:48:26 UTC
Hi,

sorry to hear that.

I use the tools from the FreeBSD base system; they work great, and I
encourage all newbies to use the tools from the base system, and
recommend reading the parts of the handbook and the man pages of jail
and jail.conf.

Here are the relevant parts of my config:

rc.conf:

# create the bridge at boot; the jail's epair "a" ends are added to it
cloned_interfaces="bridge0"
# the bridge address is the default gateway of every jail on it
ifconfig_bridge0="inet 192.168.1.1 netmask 255.255.255.0 up"

pf.conf:

# NAT the jail's address out of em0; pu.bl.ic.ip stands for the host's public address
# (proto tcp restricts the translation to TCP)
nat pass on em0 proto tcp from {192.168.1.201} to any -> pu.bl.ic.ip

and the jail.conf:

example {
    host.hostname = example;
    # own network stack; the "b" end of the epair is moved into the jail
    vnet;
    vnet.interface = "epair201b";
    path = "/jails/$name";
    # create the epair on the host and put the "a" end on the bridge
    exec.prestart += "ifconfig epair201 create";
    exec.prestart += "ifconfig epair201a up";
    exec.prestart += "ifconfig bridge0 addm epair201a";
    # pull the "b" end back to the host before stopping, then destroy the pair
    exec.prestop += "ifconfig epair201b -vnet $name";
    exec.poststop += "ifconfig epair201a destroy";
}

and the /jails/example/etc/rc.conf:

# address in the bridge subnet, gateway = bridge address on the host
ifconfig_epair201b="inet 192.168.1.201 netmask 255.255.255.0"
defaultrouter="192.168.1.1"


hope this helps,

Robert


On 24.07.21 13:38, Jacques Foucry wrote:
> On Friday, 23 Jul. 2021 at 23:06:41 (+0200), infoomatic wrote:
>
> Hello Robert,
>
> Thanks for your answer.
>
>> iocage automatically creates a bridge with your physical interface and
>> the vnet interface. Imho this is wrong behaviour so I quit using iocage,
>> however, there is a workaround, for more info see [1]
>
> I read carefully the issue you pointed to, and it appears that with the
> vnet_default_interface parameter set to auto, em0 is added to the bridge; set
> to none, em0 is not added to the bridge.
>
> So I stopped my jail, destroyed the bridge0 interface, set vnet_default_interface to
> none and restarted the jail.
>
> As expected, em0 is not in the bridge any more:
>
> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> 	description: jails-bridge
> 	ether 58:9c:fc:10:ed:66
> 	inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
> 	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> 	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> 	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> 	member: vnet0.657 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
> 	        ifmaxaddr 0 port 6 priority 128 path cost 2000
> 	groups: bridge
> 	nd6 options=9<PERFORMNUD,IFDISABLED>
>
> Since then, from the jail I cannot ping anything, from outside I cannot connect to
> the jail, and from the jail I cannot connect to outside hosts.
>
> In fact, at a quick look, the situation is worse.
>
> I did not look at the routing tables yet (too many other things to do).
>
> As I understood, you do not use iocage any more. Did you use the "raw"
> method (i.e. /etc/jail.conf)? If yes, I am really interested in a "picture" of
> your configuration.
>
> To be honest, I had tried the "raw" method without success before trying
> iocage.
>
> Thanks for your time and advice.
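An added consistency check for the four config fragments Robert posted above (this is example code written for this page, not Robert's own tooling or part of the thread). It parses the host rc.conf, pf.conf, jail.conf and the jail's rc.conf and reports the mismatches that typically leave a vnet jail unable to reach outside: a jail address outside the bridge subnet, a defaultrouter that is not the bridge address, epair plumbing that does not match vnet.interface, or a NAT rule that does not cover the jail. The second host fragment (a bridge on 10.0.10.1/24, as in the ifconfig output quoted below, combined with the posted 192.168.1.x jail settings) is constructed to show the failing case; the gateway_enable check and the ERROR/NOTE labels are this example's own conventions.

```python
"""Cross-check the config fragments of a bridged vnet jail for the mismatches
that leave the jail without outside connectivity."""
import ipaddress
import re

# Host rc.conf, pf.conf, jail.conf and jail rc.conf as posted in the mail.
HOST_RC_CONF = '''
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.1.1 netmask 255.255.255.0 up"
'''
PF_CONF = 'nat pass on em0 proto tcp from {192.168.1.201} to any -> pu.bl.ic.ip\n'
JAIL_CONF = '''
example {
    host.hostname = example;
    vnet;
    vnet.interface = "epair201b";
    path = "/jails/$name";
    exec.prestart += "ifconfig epair201 create";
    exec.prestart += "ifconfig epair201a up";
    exec.prestart += "ifconfig bridge0 addm epair201a";
    exec.prestop += "ifconfig epair201b -vnet $name";
    exec.poststop += "ifconfig epair201a destroy";
}
'''
JAIL_RC_CONF = '''
ifconfig_epair201b="inet 192.168.1.201 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
'''
# Constructed: bridge on 10.0.10.1/24 combined with the 192.168.1.x jail settings.
BROKEN_HOST_RC_CONF = '''
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 10.0.10.1 netmask 255.255.255.0 up"
'''


def parse_rc_conf(text):
    """rc.conf is KEY="value" per line; return it as a dict."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))


def parse_inet(value):
    """'inet A.B.C.D netmask M.M.M.M ...' -> IPv4Interface (address + subnet)."""
    m = re.search(r'inet\s+(\S+)\s+netmask\s+(\S+)', value)
    if not m:
        raise ValueError("no inet/netmask in %r" % value)
    return ipaddress.IPv4Interface("%s/%s" % (m.group(1), m.group(2)))


def parse_jail_conf(text):
    """Return (vnet.interface, [commands run by the exec.* hooks])."""
    iface = re.search(r'vnet\.interface\s*=\s*"([^"]+)"', text).group(1)
    return iface, re.findall(r'exec\.\w+\s*\+?=\s*"([^"]+)"', text)


def parse_pf_nat(text):
    """Return (proto or None, [source addresses]) of the first nat rule, else None."""
    m = re.search(r'^nat\b.*$', text, re.M)
    if not m:
        return None
    proto = re.search(r'\bproto\s+(\S+)', m.group(0))
    src = re.search(r'\bfrom\s+(\{[^}]*\}|\S+)', m.group(0)).group(1)
    return (proto.group(1) if proto else None), [a for a in re.split(r'[\s,{}]+', src) if a]


def check_config(host_rc, pf, jail_conf, jail_rc):
    """Return findings: 'ERROR:' lines break connectivity, 'NOTE:' lines are caveats."""
    out = []
    host = parse_rc_conf(host_rc)
    bridge = host["cloned_interfaces"].split()[0]
    bridge_if = parse_inet(host["ifconfig_" + bridge])
    if host.get("gateway_enable", "").upper() != "YES":
        out.append("NOTE: gateway_enable not in this fragment; the host must forward IP for NAT")

    iface, cmds = parse_jail_conf(jail_conf)
    base = iface[:-1]  # epair201b -> epair201; the "a" end stays on the host
    if "ifconfig %s create" % base not in cmds:
        out.append("ERROR: no exec.prestart creates %s" % base)
    if "ifconfig %s addm %sa" % (bridge, base) not in cmds:
        out.append("ERROR: %sa is never added to %s" % (base, bridge))

    jail = parse_rc_conf(jail_rc)
    key = "ifconfig_" + iface
    if key not in jail:
        out.append("ERROR: jail rc.conf does not configure %s" % iface)
        return out
    jail_if = parse_inet(jail[key])
    if jail_if.ip not in bridge_if.network:
        out.append("ERROR: jail address %s is outside bridge subnet %s" % (jail_if.ip, bridge_if.network))
    if jail.get("defaultrouter") != str(bridge_if.ip):
        out.append("ERROR: defaultrouter %s is not the bridge address %s"
                   % (jail.get("defaultrouter"), bridge_if.ip))

    nat = parse_pf_nat(pf)
    if nat is None:
        out.append("ERROR: pf.conf has no nat rule")
    else:
        proto, addrs = nat
        if str(jail_if.ip) not in addrs and str(jail_if.network) not in addrs:
            out.append("ERROR: nat rule does not cover %s" % jail_if.ip)
        if proto:
            out.append("NOTE: nat rule is limited to proto %s; ICMP (ping) and other "
                       "protocols from the jail are not translated" % proto)
    return out


if __name__ == "__main__":  # posted config first, then the constructed broken variant
    for rc in (HOST_RC_CONF, BROKEN_HOST_RC_CONF):
        print("\n".join(check_config(rc, PF_CONF, JAIL_CONF, JAIL_RC_CONF)), "\n")
```

Run as a script it prints only NOTE lines for the posted fragments (the NAT rule being TCP-only is why a ping test from such a jail would fail even when everything else is right), and two ERROR lines for the constructed variant, where the jail sits on a different subnet than its bridge and gateway.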