Re: Bind fails in jail with assigned IP address
- Reply: Bjoern A. Zeeb: "Re: Bind fails in jail with assigned IP address"
- In reply to: Steffen Christgau : "Bind fails in jail with assigned IP address"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 13 Jan 2023 15:13:20 UTC
On 08/01/2023 18:52, Steffen Christgau wrote:
>> ip4.addr
>> A list of IPv4 addresses assigned to the jail. If this is set, the
>> jail is restricted to using only these addresses. [...] Attempts to
>> use wildcard addresses silently use the jailed address instead. For
>> IPv4 the first address given will be used as the source address when
>> source address selection on unbound sockets cannot find a better match.
> The effect of the silently changed wildcard address in my case is that
> the changed address prevents the required binding of the second/sending
> socket. This is inconsistent with the behavior outside a jail. Is this
> actually intended? If so, what can be done to bind both sockets to their
> required ports?
>
> I also tried to set ip4.saddrsel = 1 in the jail config, but it appeared
> that nothing changed. If the IP address configuration is omitted for the
> jail, the service does not encounter the error of an address that is
> already in use.
>
> If there is a solution to have the daemon run in a jail, I would be
> happy to discuss this. If jails are not suitable for this use case, let
> me know as well. 😉
>
Did you try using vnet style jails? These have their own, separate,
loopback interface and a separate network interface, typically using
epair(4) so you should avoid the silent rewriting of wildcard addresses
that is causing you such difficulty.
See: https://wiki.freebsd.org/Jails/VNET
/usr/src/share/examples/jails/jib
Cheers,
Matthew