Re: Bind fails in jail with assigned IP address

From: Matthew Seaman <matthew_at_FreeBSD.org>
Date: Fri, 13 Jan 2023 15:13:20 UTC
On 08/01/2023 18:52, Steffen Christgau wrote:
>> ip4.addr
>> A list of IPv4 addresses assigned to the jail.  If this is set, the 
>> jail is restricted to using only these addresses. [...] Attempts to 
>> use wildcard addresses silently use the jailed address instead. For 
>> IPv4 the first address given will be used as the source address when
>> source address selection on unbound sockets cannot find a better match.
> The effect of the silently changed wildcard address in my case is that 
> the changed address prevents the required binding of the second/sending 
> socket. This is inconsistent with the behavior outside a jail. Is this 
> actually intended? If so, what can be done to bind both sockets to their 
> required ports?
> 
> I also tried to set ip4.saddrsel = 1 in the jail config, but it appeared 
> that nothing changed. If the IP address configuration is omitted for the 
> jail, the service does not encounter the error of an address that is 
> already in use.
> 
> If there is a solution to have the daemon run in a jail, I would be 
> happy to discuss this. If jails are not suitable for this use case, let 
> me know as well. 😉
> 

Did you try using vnet style jails? These have their own separate 
loopback interface and a separate network interface, typically using 
epair(4), so you should avoid the silent rewriting of wildcard addresses 
that is causing you such difficulty.

See: https://wiki.freebsd.org/Jails/VNET
      /usr/src/share/examples/jails/jib

	Cheers,

	Matthew
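
For illustration, here is a constructed jail.conf fragment (not from this thread or from FreeBSD's own examples) showing the two styles side by side: the shared-stack jail with ip4.addr, where a wildcard bind is rewritten to the jail address, and the equivalent VNET jail set up with the jib script. The jail name, path, hostname, host interface em0 and address 192.0.2.10 are assumed values.

```conf
# Constructed example; names, paths and addresses are assumed.

# Style 1: shared network stack with ip4.addr. Inside this jail a bind
# to 0.0.0.0 is silently rewritten to 192.0.2.10, so two sockets that
# only differ by wildcard vs. explicit address collide with
# "address already in use". ip4.saddrsel affects source address
# selection only and does not disable that rewrite.
bind9_ipaddr {
    path = "/usr/jails/bind9";
    host.hostname = "bind9.example.net";
    ip4.addr = "192.0.2.10";
    ip4.saddrsel = 1;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}

# Style 2: VNET jail. The jail owns a full network stack (its own lo0
# plus one end of an epair(4) pair), so 0.0.0.0 is a real wildcard and
# the daemon binds both sockets exactly as on a non-jailed host.
bind9_vnet {
    path = "/usr/jails/bind9";
    host.hostname = "bind9.example.net";
    vnet;
    vnet.interface = "e0b_$name";     # jail-side epair end created by jib
    # jib is installed under /usr/share/examples/jails/ on a built system
    exec.prestart = "/usr/share/examples/jails/jib addm $name em0";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "/usr/share/examples/jails/jib destroy $name";
    mount.devfs;
}
```

In the VNET variant the address is no longer assigned by the jail parameters; it is configured inside the jail on e0b_bind9 (for example via ifconfig_e0b_bind9 in the jail's /etc/rc.conf), and the host-side end e0a_bind9 is bridged to em0 by jib.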