Re: Bind fails in jail with assigned IP address

From: Bjoern A. Zeeb <bzeeb-lists_at_lists.zabbadoz.net>
Date: Sat, 14 Jan 2023 23:48:13 UTC
On Fri, 13 Jan 2023, Matthew Seaman wrote:

> On 08/01/2023 18:52, Steffen Christgau wrote:
>>> ip4.addr
>>> A list of IPv4 addresses assigned to the jail.  If this is set, the jail 
>>> is restricted to using only these addresses. [...] Attempts to use

I think someone needs to add the word "unicast" to these sentences.

In classic plain old IP jails there is no MC support.  You need, as
Matthew points out below, a vnet enabled jail for that.


>>> wildcard addresses silently use the jailed address instead. For IPv4 the 
>>> first address given will be used as the source address when
>>> source address selection on unbound sockets cannot find a better match.
>> The effect of the silently changed wildcard address in my case is that the 
>> changed address prevents the required binding of the second/sending socket. 
>> This is inconsistent with the behavior outside a jail. Is this actually 
>> intended? If so, what can be done to bind both sockets to their required 
>> ports?
>> 
>> I also tried to set ip4.saddrsel = 1 in the jail config, but it appeared 
>> that nothing changed. If the IP address configuration is omitted for the 
>> jail, the service does not encounter the error of an address that is 
>> already in use.
>> 
>> If there is a solution to have the daemon run in a jail, I would be happy 
>> to discuss this. If jails are not suitable for this use case, let me know 
>> as well. 😉
>> 
>
> Did you try using vnet style jails? These have their own, separate, loopback 
> interface and a separate network interface, typically using epair(4) so you 
> should avoid the silent rewriting of wildcard addresses that is causing you 
> such difficulty.
>
> See: https://wiki.freebsd.org/Jails/VNET
>     /usr/src/share/examples/jails/jib
>
> 	Cheers,
>
> 	Matthew
>
>

-- 
Bjoern A. Zeeb                                                     r15:7
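The two jail styles discussed in this thread, side by side, as an added jail.conf(5) example that is not part of the original messages or of FreeBSD's own example files. Jail names, the path, the host interface em0, the address 192.0.2.10 and the hostnames are placeholders; the `e0b_${name}` interface name is the jail-side epair leg as named by the jib script, which is an assumption to verify against the copy of jib you install.

```conf
# Added example, not from the thread.  Two jail.conf(5) stanzas for one
# service: a classic ip4.addr jail and a vnet jail.  All names, paths,
# interfaces and addresses below are placeholders.

# Settings shared by both jails
path = "/usr/local/jails/${name}";
host.hostname = "${name}.example.net";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;

# Classic (non-vnet) jail: shares the host network stack.  With ip4.addr
# set, a bind(2) to the wildcard address is silently rewritten to the
# jail's first address, so a daemon that binds 0.0.0.0:PORT on one socket
# and 192.0.2.10:PORT on another ends up binding the same address:port
# twice and gets EADDRINUSE.  Multicast is not available in this style.
svc_classic {
    ip4.addr = "192.0.2.10";
    # Only influences source-address selection on unbound sockets; it does
    # not change the wildcard rewrite described above.
    ip4.saddrsel = 1;
}

# vnet jail: own network stack, own lo0 and one leg of an epair(4), so
# wildcard binds and multicast behave as on an unjailed host.  The address
# is configured inside the jail (e.g. in its rc.conf), not via ip4.addr.
# "jib" is /usr/src/share/examples/jails/jib copied somewhere in PATH;
# "jib addm" creates an epair bridged to em0 and, per the script's naming
# convention (assumption), hands the jail the e0b_${name} end.
svc_vnet {
    vnet = "new";
    vnet.interface = "e0b_${name}";
    exec.prestart += "jib addm ${name} em0";
    exec.poststop += "jib destroy ${name}";
}
```

After `jail -c svc_vnet`, `jexec svc_vnet ifconfig` is expected to list the jail's own lo0 and the e0b leg, and a daemon inside it can bind the wildcard and a specific address on the same port exactly as it would on the host; in the classic jail the same daemon fails with the "address already in use" error reported above.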