Jail on 2 interfaces?
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Wed Dec 23 16:10:08 UTC 2009
On Wed, 23 Dec 2009, Mel Flynn wrote:
>> or later; no official FreeBSD version before had supported
>> multiple-IPs with a jail.
>
> 8.0-p3, yes.

ok

>> What it did was what you were asking for. That's the problem.
>>
>> 1) either use ifconfig
>> 2) or use jail + interfaces
>> 3) but do not mix them (especially not overlapping)
>>
>> So I would suggest to do it like this:
>>
>> # Base system IPs.
>> ifconfig_bge0="inet 192.168.177.60/24"
>> ifconfig_em0="inet 192.168.176.60/24"
>>
>> jail_squid_rootdir="/usr/squid"
>> # Either use:
>> jail_squid_ip="bge0|192.168.177.62/32,em0|192.168.176.62/32"
>> # or:
>> jail_squid_ip="bge0|192.168.177.62/32"
>> jail_squid_ip_multi0="em0|192.168.176.62/32"
>>
>> but do not use jail_squid_interface=".." as that will be a global
>> default for that jail.
>
> Is it a global *default* or a global? For example, could I specify:

It's a global default; a more specific interface name that comes with
an address will override it. So you could do what you drafted below.
The entire "ifconfig" feature in rc.d/jail does not really belong
there but people started using it after it was introduced so we lost
that race.

> jail_squid_interface="bge0"
> jail_squid_ip="192.168.177.62/32"
> jail_squid_ip_multi0="192.168.177.63/32"
> jail_squid_ip_multi1="em0|192.168.177.62/32"
>
> Below is a patch against HEAD to document the $interface|$ip syntax.

That wasn't done on purpose; man rc.conf has it, if you look up jail_<jname>_ip.

/bz
--
Bjoern A. Zeeb It will not break if you know what you are doing.
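
The default-versus-override rule discussed in this message, as an added shell illustration that is not part of the original post and is not the rc.d/jail code. `resolve_jail_addrs` is a hypothetical helper, a simplified model that pairs each address with its own `iface|` prefix or, failing that, with the `jail_<jname>_interface` default.

```shell
#!/bin/sh
# Added illustration: a simplified model of the rule described in the
# message, not the rc.d/jail implementation.
#
# resolve_jail_addrs DEFAULT_IFACE IP_SPEC [IP_SPEC ...]
#   DEFAULT_IFACE  value of jail_<jname>_interface ("" if unset)
#   IP_SPEC        value of jail_<jname>_ip or jail_<jname>_ip_multi<N>:
#                  comma-separated entries, each "addr" or "iface|addr"
# Prints one "iface addr" pair per line; "-" means no interface applies.
resolve_jail_addrs() {
    default_iface=$1
    shift
    for spec in "$@"; do
        rest=$spec
        while [ -n "$rest" ]; do
            # Peel off the next comma-separated entry.
            case $rest in
                *,*) entry=${rest%%,*}; rest=${rest#*,} ;;
                *)   entry=$rest; rest= ;;
            esac
            # An explicit "iface|" prefix overrides the jail-wide default.
            case $entry in
                *\|*) iface=${entry%%|*}; addr=${entry#*|} ;;
                *)    iface=${default_iface:--}; addr=$entry ;;
            esac
            printf '%s %s\n' "$iface" "$addr"
        done
    done
}

# The draft configuration quoted in the thread:
#   jail_squid_interface="bge0"
#   jail_squid_ip="192.168.177.62/32"
#   jail_squid_ip_multi0="192.168.177.63/32"
#   jail_squid_ip_multi1="em0|192.168.177.62/32"
resolve_jail_addrs "bge0" \
    "192.168.177.62/32" \
    "192.168.177.63/32" \
    "em0|192.168.177.62/32"
```
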