Jail on 2 interfaces?
Matthew Seaman
m.seaman at infracaninophile.co.uk
Wed Dec 23 09:06:46 UTC 2009
Mel Flynn wrote:
> Hi,
>
> I don't see this documented in jail(8) nor rc(8) nor defaults/rc.conf, so is
> it possible to have 2 IPs on 2 ethernet interfaces? And if so, is it settable
> for rc(8)?
>
> The usage case is to have the same jailed proxy server on two separate
> internal networks. Ideally, the proxy will use one address for outgoing, so I
> guess I'll need a default route or dive into the squid config.
>
> At present I have:
> ifconfig_bge0="inet 192.168.177.60 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.176.60 netmask 255.255.255.0"
> ifconfig_em0_alias0="inet 192.168.176.62 netmask 255.255.255.255"
> jail_squid_rootdir="/usr/squid"
> jail_squid_ip="192.168.177.62"
> jail_squid_ip_multi0="192.168.176.62"
> jail_squid_interface="bge0"
>
> But this created the IP on bge0 even though one exists on em0. Is it as simple
> as not specifying the interface and add the 177.62 alias on bge0?
> Ideally I'd have a jail_$jail_ip_multi$aliasno_interface="foo0", but my main
> worry is that the jail infrastructure understands the routing involved.
To do this directly is now possible in 8.0-RELEASE or better. You will
need a custom kernel with 'options VIMAGE' and I believe the standard jail
startup scripts need a bit of work in order for them to start the jail with
the correct command line arguments to enable the vnet functionality.
Note that vnet is /experimental/. It may eat your homework and blame it on
your dog. It is also known not to work yet with various subsystems which
haven't had the necessary recoding to understand the new kernel structures.
Probably the most significant missing bit is pf(4).
Alternatively, you can achieve much the same effect that you want by using
a simple one-ip jail and writing firewall rules to redirect traffic into it,
and NAT traffic coming out of it.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
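The one-IP jail plus firewall alternative that Matthew suggests, as an added example that is not from the thread: a pf.conf sketch that reuses the addresses in Mel's rc.conf (the jail's 192.168.177.62 on bge0, the 192.168.176.62 alias on em0). It assumes the em0 network is 192.168.176.0/24 and that squid listens on its default port 3128.

```pf
# Added example, not part of the thread: pf.conf for a single-IP squid jail
# reachable from both internal networks.
# Assumed: jail address 192.168.177.62 sits on bge0 (per Mel's rc.conf),
# 192.168.176.62 is the em0 alias, squid listens on 3128 (its default).
jail_ip   = "192.168.177.62"
em0_alias = "192.168.176.62"
em0_net   = "192.168.176.0/24"
proxy     = "3128"

set skip on lo0

# Translation rules must come before filter rules.
# Clients on the em0 network connect to the em0 alias; pf rewrites the
# destination so the connection lands on the jail's only address.
rdr on em0 proto tcp from $em0_net to $em0_alias port $proxy -> $jail_ip port $proxy

# Connections the jail itself originates towards the em0 network leave with
# the em0 alias as source, so that network never sees the 177.62 address.
nat on em0 from $jail_ip to $em0_net -> $em0_alias

# Filter rules see the translated packet, so the destination is the jail IP.
pass in quick on em0 proto tcp from $em0_net to $jail_ip port $proxy keep state
pass out quick on em0 keep state

# The bge0 network reaches the jail address directly; no translation needed.
pass in quick on bge0 proto tcp to $jail_ip port $proxy keep state
```

Replies to redirected connections are untranslated by the rdr state, so clients on the em0 side only ever see 192.168.176.62.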