can jail use 2 NICS?
Ruben van Staveren
ruben at verweg.com
Fri Nov 21 17:24:32 PST 2008
Hi,
On 21 Nov 2008, at 21:23, Ruslan Ermilov wrote:
> Hi,
>
> Have been traveling, hence long "no reply"...
>
> On Sun, Nov 16, 2008 at 02:10:35PM +0000, Bjoern A. Zeeb wrote:
>> So the basic idea could be to only have
>> jail_<name>_ip=""
>> jail_<name>_ip6=""
>>
>> and each of them would have a format like:
>>
>> [iface|]address[/prefix]
>
> I'd suggest [iface:] instead.
This will get a bit ambiguous when IPv6 addresses are used...
>> where iface and prefix are optional and prefix only makes sense if
>> iface is given?
>>
>> If iface is given it means configure the address with prefix to the
>> given interface; if prefix is not given the default would be /32 for
>> ipv4 and /128 for ipv6.
Yes, and I prefer the prefix notation above the subnet mask one.
Related, I still need to look at ifconfig canonicalizing stuff like
2001:888:1029::192.168.1.129 before operating on the interface
structure.
This helps in ifconfig delete <iface> 2001:888:1029::192.168.1.129;
currently this does not work because on ifconfig up the value is
converted to 2001:888:1029::c0a8:181.
>> So now this would give really long and complicated lines in rc.conf.
>> Do you think we could have something like the _alias<N> for interface
>> addresses so that it would be like:
>>
>> jail_<name>_ip="" # default
>> jail_<name>_ip_multi0="" # second IP of the jail
>> jail_<name>_ip_multi1="" # third IP of the jail
>> jail_<name>_ip_multi2="" # 4th IP of the jail
>>
>> and similar for IPv6?
>>
>> (multi might not be the best suffix)
>>
>> Something along those lines?
From a user point of view, it will make a messy configuration. It
might be more preferable then to have something in the order of

jail "<name>" {
    iface <iface>
    prefix <pfxlen>
    addr [<iface>] <addr1>[/<pfxlen>]
    addr [<iface>] <addr1>[/<pfxlen>]
    ...
}

For Bjoern I think something like this in an /etc/jail.conf will mark
a clear separation between rc.conf and jail management?
>> Ruslan, what do you think about something like that? We could have
>> that for HEAD and 7 just now and add the _multi<N> support with the
>> multi-IP jail patches? Could you and Ruben work together to build
>> this?
>>
> I think this is a good idea. My workaround with routes
> I mentioned doesn't actually work, so currently we use
> a version from HEAD on our production servers, and the
> modified version of ezjail port that supports netmasks.
The route thing, is that the setfib configuration from HEAD?
>
> Cheers,
> --
> Ruslan Ermilov
> ru at FreeBSD.org
> FreeBSD committer
Regards,
Ruben
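
Added example, not part of the original message and not code from FreeBSD's rc scripts: a Python parser for the proposed [iface|]address[/prefix] format with the /32 and /128 defaults, plus checks for the two IPv6 points raised in the reply (a ':' separator being ambiguous, and two spellings of one address needing to compare equal). The function names, the em0 and de0 interface names and the 192.0.2.10 address are constructed for illustration.

```python
import ipaddress


def parse_jail_addr(spec, sep="|"):
    """Parse '[iface|]address[/prefix]' into (iface, canonical_addr, prefixlen)."""
    iface, found, rest = spec.partition(sep)
    if not found:  # no separator: the whole spec is the address part
        iface, rest = None, spec
    elif not iface:
        raise ValueError("empty interface name in %r" % spec)
    addr_text, slash, prefix_text = rest.partition("/")
    addr = ipaddress.ip_address(addr_text)  # also accepts an embedded IPv4 tail
    if slash:
        if not prefix_text.isdigit() or int(prefix_text) > addr.max_prefixlen:
            raise ValueError("bad prefix length in %r" % spec)
        prefixlen = int(prefix_text)
    else:
        # Default from the thread: /32 for IPv4, /128 for IPv6.
        prefixlen = addr.max_prefixlen
    return iface, str(addr), prefixlen


def same_address(a, b):
    """Compare parsed values, so different spellings of one address match."""
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


def colon_readings(spec):
    """Every valid (iface, address) reading if ':' were the iface separator."""
    candidates = [(None, spec)]
    head, found, tail = spec.partition(":")
    if found and head:
        candidates.append((head, tail))
    readings = []
    for iface, addr_text in candidates:
        try:
            readings.append((iface, str(ipaddress.ip_address(addr_text))))
        except ValueError:
            pass  # this reading is not a valid address
    return readings


if __name__ == "__main__":
    # Constructed inputs, except the 2001:888:1029:: address quoted in the message.
    print(parse_jail_addr("em0|192.0.2.10"))
    print(parse_jail_addr("em0|2001:888:1029::192.168.1.129/64"))
    print(same_address("2001:888:1029::192.168.1.129", "2001:888:1029::c0a8:181"))
    print(colon_readings("de0:1::2"))  # two readings: ':' is ambiguous here
```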